On Wed, May 02, 2007 at 10:43:44AM +0200, Benno Schulenberg wrote
> [EMAIL PROTECTED] wrote:
> >    The final remaining problem is with the 3 statements scattered
> > through the rules...
> >
> > -A ICMP_IN -p icmp -m state --state NEW -j UNSOLICITED
> > -A TCP_IN -p tcp -m state --state NEW -m tcp -j UNSOLICITED
> > -A UDP_IN -p udp -m state --state NEW -j UNSOLICITED
> 
> The "-m tcp" is a typo, yes?

  That's the way I had it.  It doesn't hurt, but it comes from the
"Department of Superfluous Redundancy Department".  This rule is part of
the chain that handles only TCP packets, so there's no point in checking
again whether it's a TCP packet.  I've gotten rid of it now.  Thanks for
pointing it out.

> The setting you might be missing is CONFIG_NF_CONNTRACK_IPV4=y.

  You were right again.  I did have CONFIG_NF_CONNTRACK, which
apparently isn't enough.  It said something about being required for
NATing, which my machine doesn't do.  So I thought it was unnecessary.

  The rules work fine now, thanks to your help.  Here's
/var/lib/iptables/rules-save in its full glory.  A few notes...
  - I have a 5-port switch behind an ADSL router/modem.
  - I've set my little LAN to 192.168.123.248/29
  - for some obscure reason, the ADSL router/modem needs to use
    address 192.168.200.1

*filter
:INPUT DROP
:FORWARD DROP
:OUTPUT DROP
-F
-X
-N DROP_LOG
-N ICMP_IN
-N PRIVATE
-N PRIVATE_LOG
-N TCP_IN
-N UDP_IN
-N UNSOLICITED
# INPUT: the LAN, the ADSL router and loopback are trusted outright; anything
# arriving on eth0 from source port 53 is accepted before any state check.
-A INPUT -s 192.168.123.248/255.255.255.248 -i eth0 -j ACCEPT
-A INPUT -s 192.168.200.1 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 53 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -i lo -j ACCEPT
# Fragments are logged and dropped; the rest is sorted by protocol.
-A INPUT -f -j LOG --log-prefix "FRAGMENTS:" --log-level 6
-A INPUT -f -j DROP
-A INPUT -p tcp -j TCP_IN
-A INPUT -p udp -j UDP_IN
-A INPUT -p icmp -j ICMP_IN
-A INPUT -j LOG --log-prefix "BAD_PROTOCOL:" --log-level 6
-A INPUT -j DROP
# OUTPUT: LAN and loopback traffic plus ICMP destination-unreachable (3),
# echo-request (8) and traceroute (30); nothing may leave from a privileged
# (0-1023) or X11 (6000-6063) source port.
-A OUTPUT -d 192.168.123.248/255.255.255.248 -o eth0 -j ACCEPT
-A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -o lo -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 30 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 0:1023 -j DROP_LOG
-A OUTPUT -p udp -m udp --sport 0:1023 -j DROP_LOG
-A OUTPUT -p tcp -m tcp --sport 6000:6063 -j DROP_LOG
-A OUTPUT -p udp -m udp --sport 6000:6063 -j DROP_LOG
-A OUTPUT -j ACCEPT
# DROP_LOG: log, then drop.
-A DROP_LOG -j LOG --log-level 6
-A DROP_LOG -j DROP
# ICMP_IN: unsolicited ICMP is dropped; echo-reply (0), destination-unreachable
# (3), source-quench (4), time-exceeded (11) and parameter-problem (12) go on
# to the PRIVATE source-address check.
-A ICMP_IN -p icmp -m state --state NEW -j UNSOLICITED
-A ICMP_IN -p icmp -m icmp --icmp-type 0 -j PRIVATE
-A ICMP_IN -p icmp -m icmp --icmp-type 3 -j PRIVATE
-A ICMP_IN -p icmp -m icmp --icmp-type 4 -j PRIVATE
-A ICMP_IN -p icmp -m icmp --icmp-type 11 -j PRIVATE
-A ICMP_IN -p icmp -m icmp --icmp-type 12 -j PRIVATE
-A ICMP_IN -j LOG --log-prefix "IN_BAD_ICMP:" --log-level 6
-A ICMP_IN -j DROP
# PRIVATE: drop packets claiming a private, loopback or link-local source
# (the LAN and router were already accepted in INPUT); accept the rest.
-A PRIVATE -s 10.0.0.0/255.0.0.0 -j PRIVATE_LOG
-A PRIVATE -s 127.0.0.0/255.0.0.0 -j PRIVATE_LOG
-A PRIVATE -s 169.254.0.0/255.255.0.0 -j PRIVATE_LOG
-A PRIVATE -s 172.16.0.0/255.240.0.0 -j PRIVATE_LOG
-A PRIVATE -s 192.168.0.0/255.255.0.0 -j PRIVATE_LOG
-A PRIVATE -j ACCEPT
-A PRIVATE_LOG -j LOG --log-prefix "IN_BAD_ADDR:" --log-level 6
-A PRIVATE_LOG -j DROP
# TCP_IN / UDP_IN: no privileged or X11 destination ports; replies from
# port 53 or 80 skip the state check, any other NEW packet is unsolicited,
# and what remains goes through the PRIVATE source-address check.
-A TCP_IN -p tcp -m tcp --dport 0:1023 -j DROP_LOG
-A TCP_IN -p tcp -m tcp --dport 6000:6063 -j DROP_LOG
-A TCP_IN -p tcp -m tcp --sport 53 -j PRIVATE
-A TCP_IN -p tcp -m tcp --sport 80 -j PRIVATE
-A TCP_IN -p tcp -m state --state NEW -j UNSOLICITED
-A TCP_IN -p tcp -j PRIVATE
-A UDP_IN -p udp -m udp --dport 0:1023 -j DROP_LOG
-A UDP_IN -p udp -m udp --dport 6000:6063 -j DROP_LOG
-A UDP_IN -p udp -m udp --sport 53 -j PRIVATE
-A UDP_IN -p udp -m udp --sport 80 -j PRIVATE
-A UDP_IN -p udp -m state --state NEW -j UNSOLICITED
-A UDP_IN -p udp -j PRIVATE
-A UNSOLICITED -j LOG --log-prefix "UNSOLICITED:" --log-level 6
-A UNSOLICITED -j DROP
COMMIT

-- 
Walter Dnes <[EMAIL PROTECTED]> In linux /sbin/init is Job #1
Q. Mr. Gandhi, what do you think of Microsoft security?
A. I think it would be a good idea.
-- 
[EMAIL PROTECTED] mailing list
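The thread turns on two things that are easy to get wrong in a hand-written rules-save file: a match module loaded for nothing (the stray "-m tcp" that Benno spotted) and the general question of whether every rule in the file can actually do anything. The checker below is an added example written for this page, not code from the original post or from the iptables project. It parses the iptables-save format shown above and reports unused match modules, jumps to chains that were never created, and rules sitting behind a catch-all DROP/ACCEPT that can never be reached. The option table (MODULE_OPTS) is a deliberately small assumption, and the SAMPLE ruleset is a constructed excerpt that keeps the redundant line from the thread and adds one undefined chain and one dead rule so that every check fires.

```python
"""Lint an iptables-save style ruleset for the problems discussed above:
match modules loaded but never used (the stray "-m tcp"), jumps to chains
that were never created, and rules that can never match.  Example code
written for this page, not from the original post; the option table and
the sample ruleset below are constructed."""
import shlex

BUILTIN_TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN", "LOG", "QUEUE"}
TERMINATING = {"ACCEPT", "DROP", "REJECT", "RETURN"}
# Options that justify loading a match module (assumed, deliberately small).
MODULE_OPTS = {
    "tcp": {"--sport", "--dport", "--tcp-flags", "--syn", "--tcp-option"},
    "udp": {"--sport", "--dport"},
    "icmp": {"--icmp-type"},
    "state": {"--state"},
}
# Any of these on a rule means it is not a catch-all.
MATCH_FLAGS = {"-s", "-d", "-i", "-o", "-p", "-m", "-f", "!"}

# Constructed excerpt: keeps the redundant "-m tcp" line from the thread,
# jumps to a chain (PRIVATE) that is never created, and has a dead rule
# after the DROP in UNSOLICITED.
SAMPLE = """\
*filter
:INPUT DROP [0:0]
-N TCP_IN
-N UNSOLICITED
-N DROP_LOG
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -j TCP_IN
-A INPUT -j LOG --log-prefix "BAD_PROTOCOL:" --log-level 6
-A INPUT -j DROP
-A TCP_IN -p tcp -m tcp --dport 0:1023 -j DROP_LOG
-A TCP_IN -p tcp -m state --state NEW -m tcp -j UNSOLICITED
-A TCP_IN -p tcp -j PRIVATE
-A UNSOLICITED -j LOG --log-prefix "UNSOLICITED:" --log-level 6
-A UNSOLICITED -j DROP
-A UNSOLICITED -j RETURN
-A DROP_LOG -j LOG --log-level 6
-A DROP_LOG -j DROP
COMMIT
"""


def parse_rules(text):
    """Return {chain: [rule_tokens, ...]} in file order.  Chains are created
    by ':NAME POLICY' headers or '-N NAME'; '-A NAME ...' appends a rule."""
    chains = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#*" or line == "COMMIT":
            continue
        if line[0] == ":":
            chains.setdefault(line[1:].split()[0], [])
            continue
        toks = shlex.split(line)  # keeps quoted --log-prefix values whole
        if toks[0] == "-N":
            chains.setdefault(toks[1], [])
        elif toks[0] == "-A":
            chains.setdefault(toks[1], []).append(toks[2:])
        # -F, -X, -P and friends carry no rule body worth inspecting
    return chains


def target_of(toks):
    """Jump target of a rule, or None if it has no -j."""
    return toks[toks.index("-j") + 1] if "-j" in toks else None


def undefined_targets(chains):
    """(chain, index, target) for every jump to a chain that does not exist."""
    bad = []
    for chain, rules in chains.items():
        for i, toks in enumerate(rules):
            tgt = target_of(toks)
            if tgt is not None and tgt not in BUILTIN_TARGETS and tgt not in chains:
                bad.append((chain, i, tgt))
    return bad


def unused_modules(chains):
    """(chain, index, module) where '-m module' is loaded but none of that
    module's options appear on the rule, e.g. a bare '-m tcp'."""
    found = []
    for chain, rules in chains.items():
        for i, toks in enumerate(rules):
            for k, tok in enumerate(toks[:-1]):
                if tok != "-m":
                    continue
                opts = MODULE_OPTS.get(toks[k + 1])
                if opts is not None and not opts.intersection(toks):
                    found.append((chain, i, toks[k + 1]))
    return found


def unreachable_rules(chains):
    """(chain, index) for rules that follow a catch-all terminating rule."""
    dead = []
    for chain, rules in chains.items():
        for i, toks in enumerate(rules):
            if not MATCH_FLAGS.intersection(toks) and target_of(toks) in TERMINATING:
                dead.extend((chain, j) for j in range(i + 1, len(rules)))
                break
    return dead


def lint(text):
    """Run all three checks over one rules-save file and return the findings."""
    chains = parse_rules(text)
    return {
        "undefined_targets": undefined_targets(chains),
        "unused_modules": unused_modules(chains),
        "unreachable_rules": unreachable_rules(chains),
    }


if __name__ == "__main__":
    for kind, hits in lint(SAMPLE).items():
        print(kind, hits)
```

Run it against /var/lib/iptables/rules-save (lint(open(path).read())) before iptables-restore: the undefined-chain check catches the kind of ordering mistake that iptables-restore only reports at load time, and the unreachable-rule check is what tells you that a rule added after a chain's final catch-all DROP is doing nothing. A jump to a user chain is deliberately not treated as terminating, since that chain may RETURN.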