-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Adam Bogacki wrote:
| Hi,
|
| I'd appreciate a second opinion why this script is blocking eth0,
| confirming or disconfirming the line I've indicated.
|
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| There are two interfaces in this server:
| #eth0 - <internet-address>
| #eth1 - <lan-address>
|
| ### Create Chains
| iptables -N IN_LO
| iptables -N OUT_LO
| iptables -N IN_ETH0
| iptables -N OUT_ETH0
| iptables -N IN_ETH1
| iptables -N OUT_ETH1
| iptables -N BLOCKED_PACKETS
| iptables -N ICMP_PACKETS
|
| ### POLICIES
| iptables -P INPUT DROP
| iptables -P FORWARD DROP
| iptables -P OUTPUT DROP
|
| ### INPUT
| iptables -A INPUT -j BLOCKED_PACKETS
| iptables -A INPUT -p icmp -j ICMP_PACKETS
| iptables -A INPUT -i lo -j IN_LO
| iptables -A INPUT -i eth0 -j IN_ETH0
| iptables -A INPUT -i eth1 -j IN_ETH1
|
| ### FORWARD
| iptables -A FORWARD -j BLOCKED_PACKETS
| iptables -A FORWARD -p icmp -j ICMP_PACKETS
| iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
|
| ### OUTPUT
| iptables -A OUTPUT -j BLOCKED_PACKETS
| iptables -A OUTPUT -p icmp -j ICMP_PACKETS
| iptables -A OUTPUT -o lo -j OUT_LO
| iptables -A OUTPUT -o eth0 -j OUT_ETH0
| iptables -A OUTPUT -o eth1 -j OUT_ETH1
|
| ### BLOCKING_PACKETS
| iptables -A BLOCKED_PACKETS -m state --state INVALID -j DROP
| iptables -A BLOCKED_PACKETS -p tcp -m tcp --tcp-flags SYN,ACK \
|     SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
| iptables -A BLOCKED_PACKETS -p tcp ! --syn -m state --state NEW \
|     -j DROP
| iptables -A BLOCKED_PACKETS -d 224.0.0.0/8 -j DROP
| # should this be on both interfaces?
| #iptables -A BLOCKED_PACKETS -d <internet-broadcast> -i eth0 -p udp \
| #--dport 135:139 -j DROP
|
| Is the following line why eth0 is blocked on my system?
| iptables -A BLOCKED_PACKETS -d 255.255.255.255 -i eth0 -p udp \
|     --dport 67:68 -j DROP
|
| ### ICMP_PACKETS
| # are all of these really needed? Which ones should I not accept?
| iptables -A ICMP_PACKETS -p icmp --icmp-type 0 -j ACCEPT
| iptables -A ICMP_PACKETS -p icmp --icmp-type 3 -j ACCEPT
| iptables -A ICMP_PACKETS -p icmp --icmp-type 4 -j ACCEPT
| iptables -A ICMP_PACKETS -p icmp --icmp-type 8 -j ACCEPT
| iptables -A ICMP_PACKETS -p icmp --icmp-type 11 -j ACCEPT
| iptables -A ICMP_PACKETS -p icmp --icmp-type 12 -j ACCEPT
|
| ### IN_LO (localhost)
| # are these really needed? Why?
| iptables -A IN_LO -s 127.0.0.1 -i lo -j ACCEPT
| #iptables -A IN_LO -s <lan-address> -i lo -j ACCEPT
| #iptables -A IN_LO -s <internet-address> -i lo -j ACCEPT
|
| ### IN_ETH0 (Internet)
| #iptables -A IN_ETH0 -d <internet-address> -i eth0 -m state \
| #--state RELATED,ESTABLISHED -j ACCEPT
|
| ### IN_ETH1 (LAN)
| #iptables -A IN_ETH1 -d <lan-address> -i eth1 -m state \
| #--state RELATED,ESTABLISHED -j ACCEPT
|
| ### OUT_LO (Localhost)
| # are these really needed? Why?
| iptables -A OUT_LO -d 127.0.0.1 -o lo -j ACCEPT
| #iptables -A OUT_LO -d <lan-address> -o lo -j ACCEPT
| #iptables -A OUT_LO -d <internet-address> -o lo -j ACCEPT
|
| ### OUT_ETH0 (Internet)
| #iptables -A OUT_ETH0 -s <internet-address> -o eth0 -m state \
| #--state RELATED,ESTABLISHED -j ACCEPT
|
| ### OUT_ETH1 (LAN)
| #iptables -A OUT_ETH1 -s <lan-address> -o eth1 -m state \
| #--state RELATED,ESTABLISHED -j ACCEPT
|
| #save this setup for next use
|
| iptables-save
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
What do you mean by "blocking eth0"? You will have to be more specific if you want some specific feedback.
A few comments:
1) The line you've indicated as being a potential problem seems to be intended to block some dhcp/bootp messages.
2) FORWARD: It looks to me like you're not going to be able to forward any packets, because my reading of this says the FORWARD path will drop everything in state NEW, except for the ICMP packets you've allowed.
3) INPUT/OUTPUT: All the rules which would allow established connections to proceed are commented out. No packets in state NEW will be accepted because there are no rules to allow them. So no-one should be able to connect to you, and you should not be able to establish any outbound connections. Except for those ICMP messages again.
4) I think the 2 lines after INVALID are superfluous, but that's a matter of taste.
5) Yes, you probably do want to let all those ICMP types through. (Google will help you out with this if you need more info).
Cheers,
~ Blair.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFB3dVgvJfDavdnqDgRAudxAJ9MengFO1123bjyy2IP8eZ40ZOuSACfdhXc
sP6dnA3a/FQbZy/2J1Y+g0Q=
=IyxF
-----END PGP SIGNATURE-----
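Blair's points 1 to 3 can be checked mechanically rather than by reading. What follows is an added example, not code from either message: a small Python model of iptables chain traversal that covers only the matches the posted script uses (-i, -p, -s/-d, --dport, -m state, --tcp-flags/--syn, --icmp-type). Loading the real rules needs root and a kernel, so the chains are simulated instead. Assumptions made for the example: the sample packets are constructed (198.51.100.7 and 203.0.113.10 are documentation addresses); REJECT is treated as a terminal verdict like DROP; the OUTPUT side is omitted because it has the same shape as INPUT; and the "repaired" variant restores the commented-out IN_ETH0 rule without the <internet-address> placeholder and adds one NEW-state rule for SSH purely to show what an accept rule changes, not because the original poster asked for SSH.

```python
"""Added example (not from either message): a toy model of iptables chain traversal."""
import ipaddress
from dataclasses import dataclass

S = frozenset
ip, net = ipaddress.ip_address, ipaddress.ip_network
SYN_MASK = S({"SYN", "RST", "ACK", "FIN"})     # --syn means: flags & SYN_MASK == {SYN}

@dataclass
class Packet:                 # only the fields the posted rules inspect
    iface: str                # arriving interface (-i)
    proto: str                # tcp | udp | icmp
    src: str
    dst: str
    state: str                # conntrack state: NEW | ESTABLISHED | RELATED | INVALID
    dport: int = 0
    flags: frozenset = S()    # TCP flags set on the segment
    icmp_type: int = -1

@dataclass
class Rule:                   # one iptables rule; a None field means "no such match"
    target: str               # ACCEPT, DROP, REJECT or a user chain name
    iface: str = None
    proto: str = None
    src: str = None
    dst: str = None           # address or CIDR, as for -s / -d
    state: frozenset = None   # -m state --state ...
    dport: range = None       # --dport a:b
    tcp_flags: tuple = None   # (mask, comp, negated), as for --tcp-flags / --syn
    icmp_type: int = None

    def matches(self, p):
        if self.iface is not None and self.iface != p.iface: return False
        if self.proto is not None and self.proto != p.proto: return False
        if self.src is not None and ip(p.src) not in net(self.src): return False
        if self.dst is not None and ip(p.dst) not in net(self.dst): return False
        if self.state is not None and p.state not in self.state: return False
        if self.dport is not None and p.dport not in self.dport: return False
        if self.tcp_flags is not None:
            mask, comp, negated = self.tcp_flags
            if ((p.flags & mask) == comp) == negated: return False
        return self.icmp_type is None or self.icmp_type == p.icmp_type

def traverse(chains, policies, chain, p, trace):
    """Walk one chain: a user chain that matches nothing returns None and the caller
    carries on after the jump; a built-in chain that runs off its end gets its -P policy."""
    for i, rule in enumerate(chains[chain]):
        if not rule.matches(p):
            continue
        if rule.target in chains:                          # -j USER_CHAIN
            v = traverse(chains, policies, rule.target, p, trace)
            if v is not None:
                return v
            continue
        trace.append(f"{chain}[{i}] -j {rule.target}")
        return rule.target
    if chain in policies:
        trace.append(f"{chain} policy {policies[chain]}")
        return policies[chain]
    return None

def posted_ruleset():
    """INPUT/FORWARD side of the script as posted; IN_ETH0 and IN_ETH1 are empty."""
    new, est = S({"NEW"}), S({"RELATED", "ESTABLISHED"})
    chains = {
        "INPUT": [Rule("BLOCKED_PACKETS"), Rule("ICMP_PACKETS", proto="icmp"), Rule("IN_LO", iface="lo"),
                  Rule("IN_ETH0", iface="eth0"), Rule("IN_ETH1", iface="eth1")],
        "FORWARD": [Rule("BLOCKED_PACKETS"), Rule("ICMP_PACKETS", proto="icmp"), Rule("ACCEPT", state=est)],
        "BLOCKED_PACKETS": [
            Rule("DROP", state=S({"INVALID"})),
            Rule("REJECT", proto="tcp", state=new, tcp_flags=(S({"SYN", "ACK"}), S({"SYN", "ACK"}), False)),
            Rule("DROP", proto="tcp", state=new, tcp_flags=(SYN_MASK, S({"SYN"}), True)),   # ! --syn
            Rule("DROP", dst="224.0.0.0/8"),
            Rule("DROP", dst="255.255.255.255", iface="eth0", proto="udp", dport=range(67, 69))],
        "ICMP_PACKETS": [Rule("ACCEPT", proto="icmp", icmp_type=t) for t in (0, 3, 4, 8, 11, 12)],
        "IN_LO": [Rule("ACCEPT", src="127.0.0.1", iface="lo")], "IN_ETH0": [], "IN_ETH1": []}
    return chains, {"INPUT": "DROP", "FORWARD": "DROP"}

def repaired_ruleset():
    """As posted, but with the commented-out IN_ETH0 rule restored and one NEW rule
    added (an assumption for this example: SSH in from the Internet is wanted)."""
    chains, policies = posted_ruleset()
    chains["IN_ETH0"] = [Rule("ACCEPT", iface="eth0", state=S({"RELATED", "ESTABLISHED"})),
                         Rule("ACCEPT", iface="eth0", proto="tcp", state=S({"NEW"}), dport=range(22, 23),
                              tcp_flags=(SYN_MASK, S({"SYN"}), False))]
    return chains, policies

SAMPLES = {  # constructed packets; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges
    "dhcp_broadcast": Packet("eth0", "udp", "0.0.0.0", "255.255.255.255", "NEW", dport=67),
    "ssh_new_syn": Packet("eth0", "tcp", "198.51.100.7", "203.0.113.10", "NEW", 22, S({"SYN"})),
    "ssh_established": Packet("eth0", "tcp", "198.51.100.7", "203.0.113.10", "ESTABLISHED", 22, S({"ACK"})),
    "ping": Packet("eth0", "icmp", "198.51.100.7", "203.0.113.10", "NEW", icmp_type=8),
}

def verdicts(ruleset, chain="INPUT"):
    """Sample name -> (verdict, trace) for each sample packet sent through `chain`."""
    chains, policies = ruleset()
    return {name: (traverse(chains, policies, chain, p, t := []), t) for name, p in SAMPLES.items()}
```

Calling verdicts(posted_ruleset) gives DROP for both TCP samples with the trace "INPUT policy DROP": the packet passes BLOCKED_PACKETS untouched, is sent to the empty IN_ETH0 chain, returns to INPUT, and hits the policy. Only the DHCP broadcast is stopped by the rule Adam asked about (trace "BLOCKED_PACKETS[4] -j DROP"), and the echo request is accepted via ICMP_PACKETS, which is exactly Blair's point 3. verdicts(posted_ruleset, "FORWARD") shows point 2: a NEW connection is dropped by policy while an ESTABLISHED one is accepted. With repaired_ruleset the two SSH samples become ACCEPT and the DHCP broadcast is still dropped, so the 255.255.255.255 rule is not what blocks eth0.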

