On Fri, 2002-09-20 at 09:20, Corey Mutter wrote:
> Yes, good catch. I have other redundancies that may make even less
> sense, in the parts I cut out. What's probably best is to leave any
> interface checking out of "nonew", and conditionally jump to that
> chain with an interface check, like:
>
> iptables -A INPUT -i eth0 -j nonew
Yeah, that would make sense. That way you could reuse nonew on other
interfaces if they were added.

> Yes. You also need to put any of those services before
> connection-state tracking or the "accept" rules won't get reached.

Ah, good point!

> You shouldn't need the modules. The FTP/IRC conntrack modules are
> there to handle the client side. From a non-passive FTP client, when a
> file is about to be transferred, the FTP server opens a data
> connection (separate from the control connection on port 21) back to
> you. If the client's connection-state-tracking firewall is unaware of
> FTP, it will classify the connection as NEW instead of RELATED (and
> get dropped). This module lets the connection-tracking tell (from the
> presence/data in? the control connection) that the connection back is
> related to the FTP session.

Ah. So, if we want to be able to ftp *from* one of the machines, then we
would need the ftp conntrack module, but not for normal server setup.

> I don't know what IRC does to make connection-state tracking difficult
> (by the way, these are all the same things that make NAT difficult),
> but it's probably something like FTP.

I think it's something to do with DCC, but I don't have personal
knowledge of it.

So, how is this as a possible iptables setup? (Note it's just your
script with some modifications).
###################################################################
# Proposed TriLUG iptables setup
###################################################################

###################################################################
# Enable address spoofing protection, disable receiving source-routed
# packets and ICMP Redirects
###################################################################
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects

###################################################################
# Flush all chains; delete all user-defined chains
###################################################################
iptables -F
iptables -X

###################################################################
# Paranoid default: drop on all chains
###################################################################
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

###################################################################
# Chain for allowing no new inbound connections (stateful firewall)
###################################################################
iptables -N nonew
# If already part of an existing connection, okay
iptables -A nonew -m state --state ESTABLISHED,RELATED -j RETURN
# Anything else is a probe attempt, log
# Reject with "port unreachable", just like nobody was listening
# or RST for TCP connections, or drop for ICMP packets
iptables -A nonew -p tcp -j REJECT --reject-with tcp-reset
# [Will this cause pings not to work? If so, will removing this
# rule bring that capability back?]
iptables -A nonew -p icmp -j DROP
iptables -A nonew -j REJECT

###################################################################
# Anything on loopback OK
###################################################################
iptables -A INPUT -i lo+ -j ACCEPT
iptables -A OUTPUT -o lo+ -j ACCEPT

###################################################################
# Anything on eth1 OK
###################################################################
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A OUTPUT -o eth1 -s 192.168.77.0/24 -d 192.168.77.0/24 -j \
        ACCEPT

###################################################################
# Input chain (packets to the local box come here)
###################################################################
# [One for each allowed server, as many as you like]
iptables -A INPUT -i eth0 -p tcp --dport [insert port here] -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport [insert port here] -j ACCEPT
# No new connections from Internet
iptables -A INPUT -j nonew
# It passed the tests
iptables -A INPUT -j ACCEPT

###################################################################
# Output chain (packets from the local box come here)
###################################################################
# [If you don't put output checking in, change default policy to ACCEPT]
# Non-localnet on eth0 okay
iptables -A OUTPUT -o eth0 -s ! 192.168.77.0/24 -d ! 192.168.77.0/24 -j \
        ACCEPT
# Anything else bad, log and drop
iptables -A OUTPUT -m limit --limit 3 -j LOG --log-level crit \
        --log-prefix "Bad output addr! "
iptables -A OUTPUT -j DROP
---------------------------------------------------------------------------

If we were to change the OUTPUT policy to ACCEPT, would we just delete
the last section and change the line near the top that currently says:
"iptables -P OUTPUT DROP" to instead say "iptables -P OUTPUT ACCEPT"?
Thanks much,

Tanner
--
Tanner Lovelace | [EMAIL PROTECTED] | http://wtl.wayfarer.org/
--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--
GPG Fingerprint = A66C 8660 924F 5F8C 71DA BDD0 CE09 4F8E DE76 39D4
GPG Key can be found at http://wtl.wayfarer.org/lovelace.gpg.asc
--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--
If you can read this, you have too much education.
_______________________________________________
TriLUG mailing list
http://www.trilug.org/mailman/listinfo/trilug
TriLUG Organizational FAQ: http://www.trilug.org/~lovelace/faq/TriLUG-faq.html
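The chain-traversal behaviour the thread relies on (the nonew chain RETURNing for ESTABLISHED/RELATED traffic, Corey's interface-checked jump `-i eth0 -j nonew`, and his point that service ACCEPT rules must come before the state check) can be checked without root or a live netfilter stack. The following is an added illustration, not code from the message or from TriLUG: a small Python model of INPUT-chain traversal that implements only the matches the posted script uses (`-i`, `-p`, `--dport`, `-m state`) and the targets ACCEPT, DROP, REJECT, RETURN and jump-to-user-chain. The service ports 22 and 80, the `lo` interface name standing in for `lo+`, and all sample packets are constructed for the example; the RELATED state on the FTP data packet stands for what the FTP conntrack helper would assign.

```python
# Simplified model of iptables INPUT traversal for the ruleset in the message.
# Added illustration, not code from the original post; no real netfilter here.
# Ports (22, 80), interface names and sample packets are constructed values.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    iface: str            # interface the packet arrived on
    proto: str            # "tcp", "udp" or "icmp"
    dport: Optional[int]  # None for icmp
    state: str            # conntrack state: "NEW", "ESTABLISHED" or "RELATED"


@dataclass
class Rule:
    target: str                        # ACCEPT/DROP/REJECT/RETURN or a user chain
    iface: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    states: Optional[frozenset] = None

    def matches(self, pkt: Packet) -> bool:
        # An unset match field means "any", like an omitted iptables option.
        return ((self.iface is None or pkt.iface == self.iface)
                and (self.proto is None or pkt.proto == self.proto)
                and (self.dport is None or pkt.dport == self.dport)
                and (self.states is None or pkt.state in self.states))


TERMINAL = {"ACCEPT", "DROP", "REJECT"}


class Filter:
    def __init__(self, policy: str = "DROP"):
        self.policy = policy             # iptables -P INPUT <policy>
        self.chains = {"INPUT": []}

    def new_chain(self, name: str) -> None:          # iptables -N <name>
        self.chains[name] = []

    def append(self, chain: str, rule: Rule) -> None:  # iptables -A <chain> ...
        self.chains[chain].append(rule)

    def _walk(self, chain: str, pkt: Packet) -> Optional[str]:
        for rule in self.chains[chain]:
            if not rule.matches(pkt):
                continue
            if rule.target in TERMINAL:
                return rule.target
            if rule.target == "RETURN":
                return None              # back to the calling chain
            # Jump into a user chain: a terminal verdict there ends traversal;
            # RETURN (or falling off its end) resumes with the next rule here.
            verdict = self._walk(rule.target, pkt)
            if verdict is not None:
                return verdict
        return None

    def verdict(self, pkt: Packet) -> str:
        v = self._walk("INPUT", pkt)
        return v if v is not None else self.policy   # chain policy applies


def build_input_chain(allowed_tcp=(22, 80), services_first=True) -> Filter:
    """INPUT side of the posted script with the interface-checked jump.
    services_first=False reproduces the ordering mistake the thread warns
    about: service ACCEPT rules placed after the state check."""
    fw = Filter(policy="DROP")
    fw.new_chain("nonew")
    fw.append("nonew", Rule("RETURN", states=frozenset({"ESTABLISHED", "RELATED"})))
    fw.append("nonew", Rule("REJECT", proto="tcp"))      # --reject-with tcp-reset
    fw.append("nonew", Rule("DROP", proto="icmp"))
    fw.append("nonew", Rule("REJECT"))                   # port-unreachable
    fw.append("INPUT", Rule("ACCEPT", iface="lo"))       # models -i lo+
    fw.append("INPUT", Rule("ACCEPT", iface="eth1"))
    services = [Rule("ACCEPT", iface="eth0", proto="tcp", dport=p) for p in allowed_tcp]
    if services_first:
        for r in services:
            fw.append("INPUT", r)
    fw.append("INPUT", Rule("nonew", iface="eth0"))      # -A INPUT -i eth0 -j nonew
    if not services_first:
        for r in services:
            fw.append("INPUT", r)                        # NEW packets never get here
    fw.append("INPUT", Rule("ACCEPT"))                   # "it passed the tests"
    return fw


SAMPLE_PACKETS = [  # constructed traffic, not captured data
    ("new SSH to eth0",            Packet("eth0", "tcp", 22, "NEW")),
    ("new probe to eth0:1234",     Packet("eth0", "tcp", 1234, "NEW")),
    ("reply packet on eth0",       Packet("eth0", "tcp", 1234, "ESTABLISHED")),
    ("FTP data conn (RELATED)",    Packet("eth0", "tcp", 20, "RELATED")),
    ("ping on eth0",               Packet("eth0", "icmp", None, "NEW")),
    ("new UDP to eth0:53",         Packet("eth0", "udp", 53, "NEW")),
    ("anything on eth1",           Packet("eth1", "tcp", 1234, "NEW")),
]


def classify(fw: Filter) -> dict:
    return {label: fw.verdict(pkt) for label, pkt in SAMPLE_PACKETS}


if __name__ == "__main__":
    for label, v in classify(build_input_chain()).items():
        print(f"{label:28} -> {v}")
    bad = build_input_chain(services_first=False)
    print("SSH with services after nonew ->", bad.verdict(Packet("eth0", "tcp", 22, "NEW")))
```

Two results are worth noting against the script. An inbound echo request is NEW, so it hits the `-p icmp -j DROP` rule in nonew and is dropped, which is the behaviour the bracketed question in the script asks about. And with `services_first=False`, a new SSH connection on eth0 is rejected before its ACCEPT rule is ever consulted, because for NEW packets the nonew chain always reaches a terminal verdict; only ESTABLISHED/RELATED traffic RETURNs and continues down INPUT.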
