LinuxQuestions.org
Old 03-10-2011, 07:49 AM   #1
tido
LQ Newbie
 
Registered: Aug 2010
Posts: 4

Rep: Reputation: 0
Need help verifying iptables rules for network security


Hi,

I need help with some iptables rules. I've done all I can, Googling all over, to cover as many exploits as possible, and the following script is what I've come up with. The current setup works and I've checked with NMAP. I just need some sort of confirmation that this is pretty much what I can do.

Code:
LAN="eth0 eth1"
RANGE=10.1.0.0/17
WAN=eth2
 
# Delete all existing rules
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
 
##--------------##
# Filter traffic #
##--------------##
 
# Set default policies for all three default chains
iptables -P INPUT DROP
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
 
# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT
#iptables -A OUTPUT -o lo -j ACCEPT
 
# All TCP sessions should begin with SYN
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
 
# Drop fragment packets
iptables -A INPUT -f -j DROP
 
# Drop XMAS packets
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
 
# Drop NULL packets
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
 
# Block spoofing
iptables -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
iptables -A OUTPUT ! -o lo -s 127.0.0.0/8 -j DROP
iptables -A INPUT -i $WAN -s $RANGE -j DROP
iptables -A OUTPUT -o $WAN -s $RANGE -j DROP
 
# Drop bad packets
iptables -A INPUT -m state --state INVALID -j DROP
 
# Drop packets routed from outside
iptables -A FORWARD -i $WAN -o $WAN -j DROP
 
 
##---------------##
# Routing traffic #
##---------------##
 
# Allow established connections, and those not coming from the outside
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW ! -i $WAN -j ACCEPT
 
# Allow internal traffic
for if in $LAN; do
        iptables -A INPUT -i $if -j ACCEPT
done
 
# Masquerade
iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE

Also, if I wanted a broadcast to be relayed to all subnets within a defined range, how would such an iptables rule look? I need this in order to find a networked Canon MP640 printer.

Thanks for all the help.
 
Old 03-10-2011, 10:46 AM   #2
agentbuzz
Member
 
Registered: Oct 2010
Location: Texas
Distribution: Debian, Ubuntu, CentOS, RHEL
Posts: 131

Rep: Reputation: 25
Hello,
You should put in the following rules (assuming you run avahi-daemon to publish and find printers or other resources):

Code:
iptables -A INPUT -p udp -s 10.1.0.0/17 --dport 5353 -j ACCEPT
iptables -A INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
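Added check for this thread (my own example, not the poster's script or agentbuzz's rules): it reads a ruleset in iptables-save format and confirms that the properties discussed above are actually present, namely INPUT default DROP, loopback accepted, the anti-spoofing DROP for the LAN range arriving on the WAN interface, and the mDNS rule from the reply, and it flags that FORWARD is left at ACCEPT. The embedded ruleset is constructed to mirror the thread (LAN eth0, WAN eth2, RANGE 10.1.0.0/17), and the names SAMPLE_RULES, line_with, check_one and check_ruleset are mine; on a real gateway feed it the output of `iptables-save` instead.

```shell
#!/bin/sh
# Added example for this thread: sanity-check a ruleset in iptables-save format.
# SAMPLE_RULES is constructed (LAN eth0, WAN eth2, 10.1.0.0/17, plus the mDNS
# rule from the reply); replace it with real `iptables-save` output on a gateway.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 10.1.0.0/17 -i eth2 -j DROP
-A INPUT -s 10.1.0.0/17 -p udp -m udp --dport 5353 -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A FORWARD -i eth2 -o eth2 -j DROP
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth2 -j MASQUERADE
COMMIT'

# line_with TEXT TOKEN... : succeed if one line of TEXT contains every TOKEN (fixed strings).
line_with() {
    local text tok
    text=$1; shift
    for tok in "$@"; do
        text=$(printf '%s\n' "$text" | grep -F -- "$tok") || return 1
    done
}

# check_one TEXT NAME TOKEN... : report one check; fail if no line carries all tokens.
check_one() {
    local rules name
    rules=$1; name=$2; shift 2
    if line_with "$rules" "$@"; then
        printf 'ok       %s\n' "$name"
    else
        printf 'MISSING  %s\n' "$name"; return 1
    fi
}

# check_ruleset TEXT WAN RANGE : run every check; return how many failed.
# Tokens end in a space where iptables-save prints another option after them.
check_ruleset() {
    local r wan range failed
    r=$1; wan=$2; range=$3; failed=0
    check_one "$r" "INPUT default policy DROP" ":INPUT DROP" || failed=$((failed+1))
    check_one "$r" "loopback accepted" "-A INPUT " "-i lo " "-j ACCEPT" || failed=$((failed+1))
    check_one "$r" "LAN range arriving on WAN dropped" "-A INPUT " "-i $wan " "-s $range " "-j DROP" || failed=$((failed+1))
    check_one "$r" "mDNS udp/5353 accepted (printer discovery)" "-A INPUT " "-p udp " "--dport 5353 " "-j ACCEPT" || failed=$((failed+1))
    check_one "$r" "FORWARD default policy DROP" ":FORWARD DROP" || failed=$((failed+1))
    return $failed
}
check_ruleset "$SAMPLE_RULES" eth2 10.1.0.0/17 || echo "$? check(s) need attention"
```

Run against the sample it reports every check as ok except the FORWARD policy, which the thread's script leaves at ACCEPT; passing a different WAN interface name shows how the anti-spoofing check fails when the rule is bound to the wrong interface.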
 