I have created a firewall setup for a PC that serves as web and database server on our university network.

It is basically a setup with an input deny and output allow policy. No NAT or masquerading is used whatsoever. The kernel is a self-compiled 2.4.16. The firewall functions well for most things: all ports are blocked except ssh, http, ftp and mysql. However, I have some questions:

1. How do I get SMB to work? It does not function with the rules below. I have experimented with the following lines:

    #
    iptables -A INPUT -i eth0 -p 137 -j ACCEPT
    iptables -A INPUT -i eth0 -p 138 -j ACCEPT
    iptables -A INPUT -i eth0 -p 139 -j ACCEPT
    iptables -A INPUT -p ALL -i eth0 -d 131.211.221.255 -j ACCEPT
    iptables -A INPUT -p ALL -i eth0 -d 131.211.255.255 -j ACCEPT
    iptables -A INPUT -p ALL -i eth0 -d 255.255.255.255 -j ACCEPT
    #

   However, they all make no difference whatsoever.

2. Should I open both ports 20 and 21 for ftp? I use pure-ftpd.

3. Should I deny UDP packets on interfaces that basically use TCP?

4. Is it wise to check for malformed packets, such as Christmas packets and the like?

Thanks for helping me,

Kai Klopper

    #!/bin/sh
    ## Create chain which blocks new connections, except if coming from inside.
    #iptables -P FORWARD DROP
    iptables -F
    iptables -X block
    iptables -P INPUT DROP
    iptables -P OUTPUT ACCEPT
    iptables -N block
    iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A block -m state --state NEW -i ! eth0 -j ACCEPT
    iptables -A block -j DROP
    ## Jump to that chain from INPUT and FORWARD chains.
    #iptables -A FORWARD -j block
    iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
    # only allow mysql from university ip-addresses
    iptables -A INPUT -p tcp -i eth0 -s 131.211.0.0/16 --dport 3306 -j ACCEPT
    iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT
    iptables -A INPUT -p tcp -i eth0 --dport 20 -j ACCEPT
    iptables -A INPUT -p tcp -i eth0 --dport 21 -j ACCEPT
    iptables -A INPUT -j block
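As an added example (not the poster's script), the ruleset above extended to cover the four questions: SMB matched by UDP/TCP port rather than IP protocol number, only port 21 opened for FTP with the conntrack helper admitting data connections as RELATED, and a chain that drops impossible TCP flag combinations. It assumes the 2.4-era module name ip_conntrack_ftp and the old "-i ! eth0" negation syntax from the post; the IPTABLES variable and the fw_rules function name are this example's own.

```shell
#!/bin/sh
# Added example, not the poster's script: the ruleset above extended with
# the four points asked about. IPTABLES=echo prints rules instead of loading.
IPTABLES=${IPTABLES:-iptables}
UNI_NET=131.211.0.0/16          # university network, taken from the post

fw_rules() {
    # Q2: the ftp conntrack helper (2.4-era module name) tracks PORT/PASV on
    # the control channel so the data connection is matched as RELATED.
    modprobe ip_conntrack_ftp 2>/dev/null || true
    $IPTABLES -F
    $IPTABLES -X block 2>/dev/null || true
    $IPTABLES -X badflags 2>/dev/null || true
    $IPTABLES -P INPUT DROP
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -P FORWARD DROP

    # Q4: drop impossible TCP flag combinations (xmas, null, SYN+FIN, SYN+RST)
    # before any ACCEPT rule sees them.
    $IPTABLES -N badflags
    $IPTABLES -A badflags -p tcp --tcp-flags ALL ALL -j DROP
    $IPTABLES -A badflags -p tcp --tcp-flags ALL NONE -j DROP
    $IPTABLES -A badflags -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    $IPTABLES -A badflags -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
    $IPTABLES -A INPUT -p tcp -j badflags

    # Stateful chain from the post (old "-i ! eth0" negation syntax).
    $IPTABLES -N block
    $IPTABLES -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A block -m state --state NEW -i ! eth0 -j ACCEPT
    $IPTABLES -A block -j DROP
    $IPTABLES -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
    $IPTABLES -A INPUT -p tcp -i eth0 -s $UNI_NET --dport 3306 -j ACCEPT
    $IPTABLES -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT
    # Q2: only 21 is opened. Active-mode data leaves from port 20 (OUTPUT
    # ACCEPT) and passive data ports arrive as RELATED via the block chain.
    $IPTABLES -A INPUT -p tcp -i eth0 --dport 21 -j ACCEPT
    # Q1/Q3: "-p 137" selects IP protocol number 137, not a port. NetBIOS
    # name and datagram services are UDP 137/138 (often to the subnet
    # broadcast), the session service is TCP 139; restrict them to campus.
    $IPTABLES -A INPUT -p udp -i eth0 -s $UNI_NET --dport 137:138 -j ACCEPT
    $IPTABLES -A INPUT -p tcp -i eth0 -s $UNI_NET --dport 139 -j ACCEPT
    $IPTABLES -A INPUT -j block
}

case "${1:-}" in
    apply) fw_rules ;;                 # ./fw.sh apply  loads the rules
    *)     IPTABLES=echo; fw_rules ;;  # default: print them for review
esac
```

Run it without arguments first to review the generated rules, then with "apply" as root to load them.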

