Re: [CentOS] [CENTOS ]IPTABLES - How Secure & Best Practice

2016-07-04 Thread Always Learning
On Fri, 2016-07-01 at 07:16 +0100, Ned Slider wrote:
> -A Forward -p all -i LAN-NIC -o INET-NIC -j ACCEPT

If one requires all protocols, surely '-p all' is not required because it is the default?

-- 
Regards, Paul. England, EU. England's place is in the European Union.

Re: [CentOS] [CENTOS ]IPTABLES - How Secure & Best Practice

2016-07-04 Thread Mike
On Fri, Jul 1, 2016 at 2:16 AM, Ned Slider wrote:
>
> Try running:
>
> iptables -nv -L

Yes! Much sunlight awakening crusty synapses here. :-)

> The first thing I would do is move your ESTABLISHED,RELATED rule to the top
> of the chain. Once you've accepted the first

Re: [CentOS] [CENTOS ]IPTABLES - How Secure & Best Practice

2016-07-01 Thread Ned Slider
On 30/06/16 23:19, Mike wrote:
> Ned, Thank you very much for the response. Great example following through on the premise. It sounds like I need to have a better understanding of the traffic patterns on my network to know the optimal order for iptables filtering rules.

Try running:

Re: [CentOS] [CENTOS ]IPTABLES - How Secure & Best Practice

2016-06-30 Thread Mike
Ned, Thank you very much for the response. Great example following through on the premise. It sounds like I need to have a better understanding of the traffic patterns on my network to know the optimal order for iptables filtering rules.

My brief example - Premise: I want to limit outsiders

Re: [CentOS] [CENTOS ]IPTABLES - How Secure & Best Practice

2016-06-30 Thread Ned Slider
On 30/06/16 18:49, Mike wrote:
> On Wed, Jun 29, 2016 at 1:49 PM, Gordon Messmer wrote:
> > By putting these rules first, before the "ESTABLISHED,RELATED" rule, you're applying additional processing (CPU time) to the vast majority of your packets for no reason. The

Re: [CentOS] [CENTOS ]IPTABLES - How Secure & Best Practice

2016-06-30 Thread Mike
On Wed, Jun 29, 2016 at 1:49 PM, Gordon Messmer wrote:
>
> By putting these rules first, before the "ESTABLISHED,RELATED" rule, you're
> applying additional processing (CPU time) to the vast majority of your
> packets for no reason. The "E,R" rule should be first. It

Re: [CentOS] [CENTOS ]IPTABLES - How Secure & Best Practice

2016-06-29 Thread Gordon Messmer
On 06/29/2016 05:19 PM, Always Learning wrote:
> Later he adds to that empty iptables configuration. Long-winded, but nothing wrong.

Saving doesn't "add" to the empty configuration, it replaced the empty config. I didn't say it was wrong, I said the saved rules are thrown away. The initial

Re: [CentOS] [CENTOS ]IPTABLES - How Secure & Best Practice

2016-06-29 Thread Anthony K
On 30/06/16 02:37, Leon Vergottini wrote:
> Thank you once again to all. I have learned a lot from your replies.

And I from you. The funny thing is that I have my rule set with exactly the same default DROP policy for all chains and several DROP rules at the beginning of my script. I must

Re: [CentOS] [CENTOS ]IPTABLES - How Secure & Best Practice

2016-06-29 Thread Always Learning
On Wed, 2016-06-29 at 10:49 -0700, Gordon Messmer wrote:
> On 06/29/2016 03:00 AM, Leon Vergottini wrote:
> > #!/bin/bash
> >
> > # RESET CURRENT RULE BASE
> > iptables -F
> > service iptables save
> Why would you save the existing rule set? This script throws it away
> later, when it runs

Re: [CentOS] [CENTOS ]IPTABLES - How Secure & Best Practice

2016-06-29 Thread Gordon Messmer
On 06/29/2016 12:51 PM, Dennis Jacobfeuerborn wrote:
> On 29.06.2016 12:00, Leon Vergottini wrote:
> > # --
> > # SAVE & APPLY
> > # --
> > service iptables save
> > service iptables restart
> You shouldn't

Re: [CentOS] [CENTOS ]IPTABLES - How Secure & Best Practice

2016-06-29 Thread Dennis Jacobfeuerborn
On 29.06.2016 12:00, Leon Vergottini wrote:
> Dear Members
>
> I hope you are all doing well.
>
> I am busy teaching myself iptables and was wondering if I may get some
> advice. The scenario is the following:
>
> 1. Default policy is to block all traffic
> 2. Allow web traffic and

Re: [CentOS] [CENTOS ]IPTABLES - How Secure & Best Practice

2016-06-29 Thread Gordon Messmer
On 06/29/2016 03:00 AM, Leon Vergottini wrote:
> #!/bin/bash
>
> # RESET CURRENT RULE BASE
> iptables -F
> service iptables save

Why would you save the existing rule set? This script throws it away later, when it runs save again.

> # MOST COMMON ATTACKS
> iptables -A INPUT -p tcp --tcp-flags ALL

Re: [CentOS] [CENTOS ]IPTABLES - How Secure & Best Practice

2016-06-29 Thread Leon Vergottini
Dear Members

Thank you for your replies.

@Anthony K. -- One of the articles that I have read mentioned that the file gets read from top to bottom and applies the rules accordingly. In addition, the article also explained that if there is no matching rule, the default policy will be applied.

Re: [CentOS] [CENTOS ]IPTABLES - How Secure & Best Practice

2016-06-29 Thread l...@avc.su
Hello Leon.

In addition to everything else mentioned in this thread, I'd recommend you a great book on the topic: "Attack Detection and Response with iptables, psad, and fwsnort" by Michael Rash. It contains a really nice and detailed guide on iptables and most common attacks, nmap, psad and

Re: [CentOS] [CENTOS ]IPTABLES - How Secure & Best Practice

2016-06-29 Thread Paul Heinlein
On Wed, 29 Jun 2016, Leon Vergottini wrote:
> I am busy teaching myself iptables [] How secure is this setup? Are there any mistakes or things that I need to look out for?

It's only as secure as your web stack (and, in your case, SSH configuration). Packet filtering is a necessary

Re: [CentOS] [CENTOS ]IPTABLES - How Secure & Best Practice

2016-06-29 Thread Anthony K
On 29/06/16 20:00, Leon Vergottini wrote:
> # DEFAULT FIREWALL POLICY
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT DROP
>
> # --
> # INPUT CHAIN RULES
> # --
>
> # MOST COMMON

[CentOS] [CENTOS ]IPTABLES - How Secure & Best Practice

2016-06-29 Thread Leon Vergottini
Dear Members

I hope you are all doing well.

I am busy teaching myself iptables and was wondering if I may get some advice. The scenario is the following:

1. Default policy is to block all traffic
2. Allow web traffic and SSH
3. Allow other applications

I have come up with the