On Tue, Aug 16, 2011 at 7:05 PM, Robert Connolly <rob...@linuxfromscratch.org> wrote:
> Iptables added, but lacking rules. I would appreciate ideas.
>
> robert
Below is a rough idea of some of my basic firewall rules (some of which need review).

### Basic Stuff

## loopback support
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

## drop loopback spoof attacks (must follow the above 2 rules)
## (is this necessary and does it actually work?)
iptables -A INPUT -s 127.0.0.1 -j DROP
iptables -A INPUT -d 127.0.0.1 -j DROP

## free rein to already established & related connections
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

## prevent an XMAS attack
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

## prevent NULL attack
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

## force SYN packets check
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

## drop invalid packets
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP

### if you want to block common ip-spoof attacks, then uncomment the following
### if the networks are not in use.
#iptables -A INPUT -s 0.0.0.0/8 -j DROP
#iptables -A INPUT -s 1.0.0.0/8 -j DROP
#iptables -A INPUT -s 2.0.0.0/8 -j DROP
#iptables -A INPUT -s 5.0.0.0/8 -j DROP
#iptables -A INPUT -s 7.0.0.0/8 -j DROP
#iptables -A INPUT -s 10.0.0.0/8 -j DROP
#iptables -A INPUT -s 23.0.0.0/8 -j DROP
#iptables -A INPUT -s 27.0.0.0/8 -j DROP
#iptables -A INPUT -s 31.0.0.0/8 -j DROP
#iptables -A INPUT -s 36.0.0.0/8 -j DROP
#iptables -A INPUT -s 39.0.0.0/8 -j DROP
#iptables -A INPUT -s 41.0.0.0/8 -j DROP
#iptables -A INPUT -s 42.0.0.0/8 -j DROP
#iptables -A INPUT -s 58.0.0.0/8 -j DROP
#iptables -A INPUT -s 59.0.0.0/8 -j DROP
#iptables -A INPUT -s 60.0.0.0/8 -j DROP
#iptables -A INPUT -s 127.0.0.0/8 -j DROP
#iptables -A INPUT -s 169.254.0.0/16 -j DROP
#iptables -A INPUT -s 172.16.0.0/12 -j DROP
#iptables -A INPUT -s 192.168.0.0/16 -j DROP
#iptables -A INPUT -s 197.0.0.0/8 -j DROP
#iptables -A INPUT -s 224.0.0.0/8 -j DROP
#iptables -A INPUT -s 240.0.0.0/8 -j DROP

### The following handles acceptance by port group (comment or uncomment as you see fit)

## allow well-known port input: 0-1023
#iptables -A INPUT -p tcp --dport 0:1023 -m state --state NEW -j ACCEPT
#iptables -A INPUT -p udp --dport 0:1023 -m state --state NEW -j ACCEPT
## allow registered ports: 1024-49151
#iptables -A INPUT -p tcp --dport 1024:49151 -m state --state NEW -j ACCEPT
#iptables -A INPUT -p udp --dport 1024:49151 -m state --state NEW -j ACCEPT
## allow all other ports: 49152-61000
## For ease of the beginners, enable these by default
iptables -A INPUT -p tcp --dport 49152:61000 -m state --state NEW -j ACCEPT
iptables -A INPUT -p udp --dport 49152:61000 -m state --state NEW -j ACCEPT
## allow all other ports: 61001-65535
## For ease of the beginners, enable these by default
iptables -A INPUT -p tcp --dport 61001:65535 -m state --state NEW -j ACCEPT
iptables -A INPUT -p udp --dport 61001:65535 -m state --state NEW -j ACCEPT

## allow well-known port output: 0-1023
#iptables -A OUTPUT -p tcp --dport 0:1023 -m state --state NEW -j ACCEPT
#iptables -A OUTPUT -p udp --dport 0:1023 -m state --state NEW -j ACCEPT
## allow registered ports: 1024-49151
#iptables -A OUTPUT -p tcp --dport 1024:49151 -m state --state NEW -j ACCEPT
#iptables -A OUTPUT -p udp --dport 1024:49151 -m state --state NEW -j ACCEPT
## allow all other ports: 49152-61000
# For ease of the uneducated, enable these by default
iptables -A OUTPUT -p tcp --dport 49152:61000 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p udp --dport 49152:61000 -m state --state NEW -j ACCEPT
## allow all other ports: 61001-65535
# For ease of the uneducated, enable these by default
iptables -A OUTPUT -p tcp --dport 61001:65535 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p udp --dport 61001:65535 -m state --state NEW -j ACCEPT

### Here is a small list of applications that I know about and believe are common enough

## NTP (Network Time Protocol Traffic)
#iptables -A OUTPUT -p udp --sport 123 --dport 123 -m state --state NEW -j ACCEPT
#iptables -A INPUT -p udp --sport 123 --dport 123 -m state --state NEW -j ACCEPT

## DHCP Client Renewals (Is the OUTBOUND something like: --sport 68 --dport 67?)
#iptables -A INPUT -p udp -s 0.0.0.0 --sport 67 -d 255.255.255.255 --dport 68 -m state --state NEW -j ACCEPT

## DHCP Server (why do I have two inputs??)
#iptables -A OUTPUT -p udp -m state --state NEW --dport 67 --sport 68 -j ACCEPT
#iptables -A INPUT -p udp -m state --state NEW --dport 67 --sport 68 -j ACCEPT
#iptables -A INPUT -p udp -m state --state NEW --dport 68 --sport 67 -j ACCEPT

## Http/Web
#iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT

## Https/SecureWeb
#iptables -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT

## MySQL
#iptables -A INPUT -p tcp --dport 3306 -m state --state NEW -j ACCEPT

## Postgresql
#iptables -A INPUT -p tcp --dport 5432 -m state --state NEW -j ACCEPT

## Cups Printer Administration
#iptables -A INPUT -p tcp --dport 631 -m state --state NEW -j ACCEPT

## Ssh (OpenSSH)
#iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

## Virtual Network Client Server (add 1 to port for each separate vnc server)
#iptables -A INPUT -p tcp --dport 5900 -m state --state NEW -j ACCEPT

## Xorg's Server Port
#iptables -A INPUT -p tcp --dport 6000 -j ACCEPT

## Samba/Windows Shared Network Communication (Good luck with figuring out the output)
#iptables -A INPUT -p tcp --dport 136 -j ACCEPT
#iptables -A INPUT -p udp --dport 137 -j ACCEPT
#iptables -A INPUT -p udp --dport 138 -j ACCEPT
#iptables -A INPUT -p tcp --dport 139 -j ACCEPT
#iptables -A INPUT -p tcp --dport 445 -j ACCEPT
#iptables -A INPUT -p tcp --sport 136 -j ACCEPT
#iptables -A INPUT -p udp --sport 137 -j ACCEPT
#iptables -A INPUT -p udp --sport 138 -j ACCEPT
#iptables -A INPUT -p tcp --sport 139 -j ACCEPT
#iptables -A INPUT -p tcp --sport 445 -j ACCEPT

## Ping/Pong (With inbound pings limited to 1 per second)
#iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/s -j ACCEPT
#iptables -A OUTPUT -p icmp --icmp-type 8 -j ACCEPT

## iSCSI Target (I know I haven't really tested this one..)
#iptables -A INPUT -p tcp --dport 3260 -m state --state NEW -j ACCEPT

### Suggestion for logging to dmesg or syslog
## log new packets
#iptables -A INPUT -m state --state NEW -j LOG --log-prefix "FIREWALL:INPUT "
#iptables -A OUTPUT -m state --state NEW -j LOG --log-prefix "FIREWALL:OUTPUT "

--
Kevin Day
--
http://linuxfromscratch.org/mailman/listinfo/hlfs-dev
FAQ: http://www.linuxfromscratch.org/faq/
Unsubscribe: See the above information page
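Added example (not part of Kevin's post): a small Python linter for a flat list of iptables commands like the one above. It checks the three things the post's own comments worry about: a rule with no chain (as the loopback DROP lines were written, iptables rejects them), a 127.0.0.1 DROP that does not follow the loopback ACCEPT in its chain, and a LOG rule whose prefix does not name the chain it is appended to. SAMPLE_RULES is constructed from the post; run lint_rules(SAMPLE_RULES) to see the findings.

```python
import shlex

# Constructed sample: the loopback and logging blocks as posted, including
# the two slips the post's own comments ask about.
SAMPLE_RULES = """
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -s 127.0.0.1 -j DROP
iptables -d 127.0.0.1 -j DROP
iptables -A INPUT -m state --state NEW -j LOG --log-prefix "FIREWALL:INPUT "
iptables -A INPUT -m state --state NEW -j LOG --log-prefix "FIREWALL:OUTPUT "
"""

# Options the linter looks at, mapped to the key they are stored under.
OPTS = {"-A": "chain", "-I": "chain", "-j": "target", "--log-prefix": "prefix",
        "-i": "iface", "-o": "iface", "-s": "src", "-d": "dst"}

def parse_rule(line):
    """Return the recognised options of one rule, or None for blanks/comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    argv = shlex.split(line)              # keeps the quoted log prefix intact
    rule = dict.fromkeys(OPTS.values())
    for tok, nxt in zip(argv, argv[1:]):
        if tok in OPTS:
            rule[OPTS[tok]] = nxt
    return rule

def lint_rules(text):
    """Return (line_no, message) findings for a block of iptables commands."""
    findings = []
    lo_accepted = set()                   # chains that already ACCEPT lo traffic
    for n, line in enumerate(text.splitlines(), 1):
        r = parse_rule(line)
        if r is None:
            continue
        if r["chain"] is None:            # e.g. the bare "-s 127.0.0.1 -j DROP"
            findings.append((n, "no chain (-A/-I): iptables rejects this rule"))
            continue
        if r["iface"] == "lo" and r["target"] == "ACCEPT":
            lo_accepted.add(r["chain"])
        if r["target"] == "DROP" and "127.0.0.1" in (r["src"], r["dst"]) \
                and r["chain"] not in lo_accepted:
            findings.append((n, "127.0.0.1 DROP precedes the lo ACCEPT in " + r["chain"]))
        if r["target"] == "LOG" and r["prefix"] and r["chain"] not in r["prefix"]:
            findings.append((n, "log prefix %r does not name chain %s" % (r["prefix"], r["chain"])))
    return findings
```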