-   Linux - Networking (
-   -   Need help verifying iptables rules for network security (

tido 03-10-2011 08:49 AM

Need help verifying iptables rules for network security

I need help with some iptables rules. I've done all I can, Googling all over, to cover as many exploits as possible and the following script is what I've come up with. The current set up works and I've checked with NMAP. I just need some sort of confirmation that this is pretty much what I can do.


LAN="eth0 eth1"
# Delete all existing rules
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
# Filter traffic #
# Set default policies for all three default chains
iptables -P INPUT DROP
# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT
#iptables -A OUTPUT -o lo -j ACCEPT
# All TCP sessions should begin with SYN
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# Drop fragment packets
iptables -A INPUT -f -j DROP
# Drop XMAS packets
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
# Drop NULL packets
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# Block spoofing
iptables -A INPUT ! -i lo -s -j DROP
iptables -A OUTPUT ! -o lo -s -j DROP
iptables -A INPUT -i $WAN -s $RANGE -j DROP
iptables -A OUTPUT -o $WAN -s $RANGE -j DROP
# Drop bad packets
iptables -A INPUT -m state --state INVALID -j DROP
# Drop packets routed from outside
iptables -A FORWARD -i $WAN -o $WAN -j DROP
# Routing traffic #
# Allow established connections, and those not coming from the outside
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW ! -i $WAN -j ACCEPT
# Allow internal traffic
for if in $LAN; do
        iptables -A INPUT -i $if -j ACCEPT
# Masquerade
iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE

Also, if I wanted a broadcast to be relayed to all subnets within a defined range, how would such a iptables rule look like? I need this in order to find a networked Canon MP640 printer.

Thanks for all the help.

agentbuzz 03-10-2011 11:46 AM

You should put in the following rules (assuming you run avahi-daemon to publish and find printers or other resources)


iptables -A INPUT -p udp -s --dport 5353 -j ACCEPT
iptables -A INPUT -p udp --dport 5353 -d -j ACCEPT

All times are GMT -5. The time now is 08:17 PM.