firewall configuration

Stelios Bounanos sb at dial.pipex.com
Sat Mar 27 16:50:24 EET 2004 

 >>>>> On Sat, 27 Mar 2004 12:46:03 +0200, Leonidas Tsabos
 >>>>> <ltsampros at upnet.gr> was rumoured to have said:

 > To firewall etsi opos to exo stisei afti tin stigmi einai kapos etsi:
 > !/bin/bash
 > iptables --flush
 > iptables -X
 > iptables -F
 > iptables -Z
 > iptables --policy INPUT  DROP
 > iptables --policy OUTPUT DROP  #default,kopsimo
 > iptables --policy FORWARD DROP #default,kopsimo

 > #To lo ta dexete ola.
 > iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -i lo -j ACCEPT

iptables -A INPUT -i lo -j ACCEPT

 > iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT 
 > iptables -A INPUT -p tcp --dport 80 -m state --state NEW,RELATED,ESTABLISHED 
 > -j ACCEPT
 > iptables -A INPUT -p tcp --dport 22 -m state --state NEW,RELATED,ESTABLISHED 
 > -j ACCEPT

H diafora apo ta parakatw

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

einai oti filtrareis ta tcp paketa se INVALID state poy phgainoyn se port 80 'h 22.
To RFC 793 (section 3.4) leei to ekshs:

"As a general rule, reset (RST) must be sent whenever a segment
arrives which apparently is not intended for the current connection."

Ayto 8a to kanei apo monos toy o kernel.

 > iptables -A INPUT -p icmp -j REJECT --reject-with icmp-host-unreachable

Tsk tsk, ahdies... Afenos, to icmp einai control protocol kai xreiazetai.
Afeteroy, toys typoys icmp paketwn poy *ksereis* oti de 8eleis kane toys
*DROP*! Ti nohma exei na apanthseis p.x. se echo-request me host-unreachable?

 > #Ta parapano einai gia na dexome ego connections poy exo anoiksei. 
 > #RELATED,ESTABLISHED nomizo oti einai peritta kai stoys dyo kanones -p tcp 
 > #--dport 80 kai --dport 22 dioti perilambanei aftin tin periptosi o 2 
 > #kanonas.

 > iptables -A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT

-o lo arkei, den yparxei logos na kanei match ta src/dst fields.

 > iptables -A OUTPUT -p tcp --sport 22 -m state --state RELATED,ESTABLISHED -j 
 > ACCEPT #SSH
 > iptables -A OUTPUT -p tcp --sport 80 -m state --state ESTABLISHED,RELATED -j 
 > ACCEPT
 > iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT #HTTPS
 > iptables -A OUTPUT -p tcp --dport 110 -j ACCEPT #POP3
 > iptables -A OUTPUT -p tcp --dport 25  -j ACCEPT #SMTP
 > iptables -A OUTPUT -p udp --dport 53  -j ACCEPT #dns
 > iptables -A OUTPUT -p icmp -j ACCEPT

Ta --state ... den einai aparaithta. Epishs, eisai apolyta sigoyros oti
xreiazesai egress filtering?

 > #LOGGING
 > iptables -A INPUT -p tcp -j LOG --log-prefix "filter:incoming tcp dropped:"
 > iptables -A OUTPUT -p tcp -j LOG --log-prefix "filter:outcoming tcp dropped:"
 > iptables -A INPUT -j LOG --log-prefix "filter:incoming dropped:"
 > iptables -A OUTPUT -j LOG --log-prefix "filter:outcoming dropped:"
 > #entaksei edo pera isos kapoia stigmh na exei --log-level  kai me vohtheia apo 
 > #to syslog.conf na grafo ekei poy thelo to log moy.

Mallon 8eleis kai -m limit gia ne mh gemizoyn oi diskoi se periptwsh port
scans klp.


Rgds,
/-sb.

More information about the Linux-greek-users mailing list