Hi
I run Debian Sid and have recently thought to tighten security on my
single dialup box. I went through commenting out various unneeded
services in inetd and compiled a 2.4.3 kernel with all the netfilter
stuff as modules.
I put 'Rusty's Really Quick Guide To Packet Filtering' of his Linux
2.4 Packet Filtering HOWTO into a script and added some logging stuff
just to see in syslog that packets are coming through. When I'm
satisfied that the script works OK I'll remove all logging rules but
the 'packets dropped' one.
My question is this. Do all of the packets go on to the next rule after
the first LOG rule? That would make sense, but the HOWTO was for me a
bit ambiguous, i.e. it says basically that each rule specifies a set
of conditions and what to do if a packet meets them. So, if the
packet meets the conditions for the DROP rule, then the packet is
dropped. It doesn't go on to the next rule. But in this case,
logging, it really only makes sense if the packet does go on to the
next rule.
So, can anyone confirm this?
I thought I would put the script in the /etc/ppp/ip-up.d directory so
that when I dialed into my ISP (via pon) the packet filtering would
start.
I also created a script, packet-filter-down, to basically flush the
chains and remove the modules when I 'poff'; this script will go in
/etc/ppp/ip-down.d.
Are there any better ways? Anything wrong with the above?
Here are the scripts:
packet-filter
------------------------------------------------------------------------
#!/bin/sh
# Insert connection-tracking modules (not needed if built into kernel).
/sbin/insmod ip_conntrack
/sbin/insmod ip_conntrack_ftp
# Create chain which blocks new connections, except if coming from inside.
/sbin/iptables -N block
# LOG is a non-terminating target: a matching packet is logged (rate-limited by
# -m limit) and then continues with the next rule in the chain.
# --log-prefix is limited to 29 characters, so use the script's base name
# rather than $0, which is the full path when run from /etc/ppp/ip-up.d.
PREFIX=$(basename "$0")
/sbin/iptables -A block -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "$PREFIX: "
/sbin/iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A block -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "$PREFIX: check "
/sbin/iptables -A block -m state --state NEW -i ! ppp0 -j ACCEPT
#/sbin/iptables -A block -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "packet DROPped: "
/sbin/iptables -A block -j DROP
# Jump to that chain from INPUT and FORWARD chains.
/sbin/iptables -A INPUT -j block
/sbin/iptables -A FORWARD -j block
exit
------------------------------------------------------------------------
packet-filter-down
------------------------------------------------------------------------
#!/bin/sh
# Flush the chains; remove the block chain.
/sbin/iptables -F block
/sbin/iptables -F INPUT
/sbin/iptables -F FORWARD
/sbin/iptables -X block
# Remove the netfilter modules (ip_conntrack*, ip_tables, ipt_*, iptable_*).
# This removes modules beginning with ip; that could
# be dangerous. Perhaps I should explicitly list them?
# Match only the netfilter module name prefixes: a bare /^ip*/ means
# "i followed by zero or more p" and would match every module whose
# name starts with "i". lsmod lists the most recently loaded module
# first, so dependents (ip_conntrack_ftp) are removed before ip_conntrack.
for mod in $(/sbin/lsmod | awk -- '/^(ip_|ipt_|iptable_)/ {print $1}'); do
    /sbin/rmmod "$mod"
done
exit
------------------------------------------------------------------------
Jonathan
--
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug
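The rule-traversal question in the post (does a packet go on to the next rule after a LOG rule?), worked as an added example. This is a small Python model written for this page; it is not code from the original post and not iptables itself. It assumes a token-bucket approximation of `-m limit`, treats ACCEPT and DROP as terminating and LOG as non-terminating (as the iptables LOG target is documented), mirrors the poster's `block` chain with the commented-out "packet DROPped" LOG rule enabled, and feeds it constructed packets rather than real traffic.

```python
# Toy model of netfilter rule traversal (constructed example; not iptables code).
# It models only what the question needs: terminating targets (ACCEPT, DROP),
# the non-terminating LOG target, user-chain jumps and RETURN, the state match,
# the (negatable) input-interface match, and a token-bucket stand-in for -m limit.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

TERMINATING = {"ACCEPT", "DROP"}


@dataclass
class Packet:
    iface: str          # input interface (-i), e.g. "ppp0" or "lo"
    state: str          # conntrack state: NEW, ESTABLISHED, RELATED, INVALID
    t: float = 0.0      # arrival time in seconds; drives the limit match


@dataclass
class Limit:
    """Approximation of -m limit --limit N/minute --limit-burst B:
    a bucket that starts full at B tokens and refills at N tokens per minute."""
    per_minute: float
    burst: int
    tokens: float = field(init=False)
    last: float = 0.0

    def __post_init__(self):
        self.tokens = float(self.burst)

    def match(self, pkt: Packet) -> bool:
        refill = (pkt.t - self.last) * self.per_minute / 60.0
        self.tokens = min(float(self.burst), self.tokens + refill)
        self.last = pkt.t
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


@dataclass
class Rule:
    target: str                          # ACCEPT, DROP, LOG, RETURN or a user chain
    states: Optional[Set[str]] = None    # -m state --state A,B
    in_iface: Optional[str] = None       # -i IFACE
    negate_iface: bool = False           # -i ! IFACE
    limit: Optional[Limit] = None        # -m limit ... (each rule owns its bucket)
    log_prefix: str = ""                 # --log-prefix for LOG

    def matches(self, pkt: Packet) -> bool:
        if self.states is not None and pkt.state not in self.states:
            return False
        if self.in_iface is not None and (pkt.iface == self.in_iface) == self.negate_iface:
            return False
        # Checked last, so a token is only consumed by packets that reach this point.
        if self.limit is not None and not self.limit.match(pkt):
            return False
        return True


class Firewall:
    def __init__(self, chains: Dict[str, List[Rule]], policies: Dict[str, str]):
        self.chains = chains          # chain name -> rules in order
        self.policies = policies      # built-in chain -> default verdict
        self.log: List[str] = []      # what syslog would receive

    def filter(self, chain: str, pkt: Packet) -> str:
        verdict = self._walk(chain, pkt)
        return verdict if verdict is not None else self.policies[chain]

    def _walk(self, chain: str, pkt: Packet) -> Optional[str]:
        for rule in self.chains[chain]:
            if not rule.matches(pkt):
                continue
            if rule.target == "LOG":
                self.log.append(f"{rule.log_prefix}IN={pkt.iface} STATE={pkt.state}")
                continue                  # non-terminating: keep walking the chain
            if rule.target in TERMINATING:
                return rule.target        # traversal ends here
            if rule.target == "RETURN":
                return None
            verdict = self._walk(rule.target, pkt)   # jump into a user chain
            if verdict is not None:
                return verdict
        return None                       # fell off the end: back to caller / policy


def build_block_chain() -> Firewall:
    """The poster's 'block' chain, with the commented-out 'packet DROPped' LOG rule enabled."""
    def rate() -> Limit:
        return Limit(per_minute=3, burst=3)   # a fresh bucket per rule, as -m limit does
    return Firewall(
        chains={
            "block": [
                Rule("LOG", limit=rate(), log_prefix="packet-filter: "),
                Rule("ACCEPT", states={"ESTABLISHED", "RELATED"}),
                Rule("LOG", limit=rate(), log_prefix="packet-filter: check "),
                Rule("ACCEPT", states={"NEW"}, in_iface="ppp0", negate_iface=True),
                Rule("LOG", limit=rate(), log_prefix="packet DROPped: "),
                Rule("DROP"),
            ],
            "INPUT": [Rule("block")],
        },
        policies={"INPUT": "ACCEPT"},
    )


def run_demo():
    """Constructed traffic: one established reply, one NEW packet from lo, then five
    NEW packets on ppp0 within half a second. Returns (verdicts, log lines)."""
    fw = build_block_chain()
    packets = [Packet("ppp0", "ESTABLISHED", t=0.0), Packet("lo", "NEW", t=0.1)]
    packets += [Packet("ppp0", "NEW", t=0.2 + 0.1 * i) for i in range(5)]
    verdicts = [fw.filter("INPUT", p) for p in packets]
    return verdicts, fw.log


if __name__ == "__main__":
    verdicts, log = run_demo()
    print("verdicts:", verdicts)
    for line in log:
        print("syslog:", line)
```

Running it shows the answer to the question: the NEW packets from ppp0 are logged under all three prefixes before the final DROP, so a LOG rule never stops traversal, whereas the ESTABLISHED packet is logged once and then accepted by the second rule without ever reaching the "check" LOG. It also shows that every `-m limit` rule keeps its own counter: each prefix appears exactly three times (the burst) for the seven packets, which is why a single, well-placed "packets dropped" LOG rule just before the DROP is the informative one to keep.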