LinuxQuestions.org
Old 08-12-2011, 02:01 AM   #1
psycroptic
Member
 
Registered: Aug 2011
Location: USA
Distribution: ArchLinux - 3.0 kernel
Posts: 299

Rep: Reputation: Disabled
Requesting some community review of my iptables.rules


How's it going?

I'm just looking for any sort of tips, tricks or hints as to how I can or should improve my iptables rules. My server box is Arch Linux, fully up to date with a 3.0 kernel and iptables v1.4.12. The machine has 2 network adapters and acts as a NAT router for my home network. eth0 is DHCP'd from my cable modem, eth1 is a static IP of 172.16.0.1/255.255.0.0 connected to my internal LAN. In addition to iptables, the server also runs BIND for local/forwarding/caching DNS, ISC DHCPd for DHCP server service inside the LAN, plus an SSH server for admin connection on eth1 and an NTP client to synchronize time with the US ntp.org pool, and finally Samba on the internal network for some basic file serving purposes.

I've often questioned the safety of running all of these services on the same machine, but don't exactly have an extra computer lying around with which to put into use to split up all of these things. I haven't noticed anything unusual on the server or any of the other systems on the LAN, and everything functions as I need it, so no "problems" in that sense. I'm just proposing my iptables config just so people here can review it and possibly give me anything noteworthy that they see with it. I've done numerous tests at Steve Gibson's ShieldsUp over at GRC.com, and have a completely stealthed setup according to that site, but I'd like some further peer review.

The iptables is configured to drop all unsolicited incoming traffic on the public internet (eth0) while allowing all traffic inside the LAN on eth1 to come through, plus some basic listen/establish openings as well as 3 ports for BitTorrent access to 3 different machines inside.

Any improvements anyone sees that I should make would be most welcome. Thanks!

Code:
# Generated by iptables-save v1.4.8 on Fri Jul 29 01:01:30 2011
*nat
:PREROUTING ACCEPT [3:310]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Port-forward the BitTorrent ports arriving on the WAN side to internal hosts
-A PREROUTING -i eth0 -p tcp -m tcp --dport 12345 -j DNAT --to-destination 172.16.0.10
-A PREROUTING -i eth0 -p tcp -m tcp --dport 12346 -j DNAT --to-destination 172.16.0.11
-A PREROUTING -i eth0 -p tcp -m tcp --dport 12347 -j DNAT --to-destination 172.16.0.12
-A PREROUTING -i eth0 -p tcp -m tcp --dport 12348 -j DNAT --to-destination 172.16.0.13
# Source-NAT everything leaving the LAN towards the cable modem
-A POSTROUTING -s 172.16.0.0/16 -o eth0 -j MASQUERADE
COMMIT
# Completed on Fri Jul 29 01:01:30 2011
# Generated by iptables-save v1.4.8 on Fri Jul 29 01:01:30 2011
*filter
:INPUT DROP [3:310]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [15:1460]
:TCP - [0:0]
:UDP - [0:0]
:fw-interfaces - [0:0]
:fw-open - [0:0]
# Traffic to the router itself: replies, loopback and anything from the LAN
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Routed traffic: replies, then LAN-originated, then the DNAT'd ports
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j fw-interfaces
-A FORWARD -j fw-open
-A fw-interfaces -i eth1 -j ACCEPT
-A fw-open -d 172.16.0.10/32 -p tcp -m tcp --dport 12345 -j ACCEPT
-A fw-open -d 172.16.0.11/32 -p tcp -m tcp --dport 12346 -j ACCEPT
-A fw-open -d 172.16.0.12/32 -p tcp -m tcp --dport 12347 -j ACCEPT
-A fw-open -d 172.16.0.13/32 -p tcp -m tcp --dport 12348 -j ACCEPT
COMMIT
# Completed on Fri Jul 29 01:01:30 2011

Last edited by psycroptic; 08-26-2011 at 12:50 PM. Reason: updated default forward policy
 
Old 08-12-2011, 06:41 AM   #2
janhe
Member
 
Registered: Jul 2007
Location: Belgium
Distribution: slackware64 13.1, slackware 13.1
Posts: 369

Rep: Reputation: 45
The policy on your FORWARD queue is set to ACCEPT.
The rest of your rules would make more sense if it were set to DROP.
 
Old 08-12-2011, 11:19 AM   #3
psycroptic
Member
 
Registered: Aug 2011
Location: USA
Distribution: ArchLinux - 3.0 kernel
Posts: 299

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by janhe
The policy on your FORWARD queue is set to ACCEPT.
The rest of your rules would make more sense if it were set to DROP.
I wouldn't think this would matter, seeing as my INPUT chain is set to drop, and AFAIK all traffic that passes the FORWARD chain must go through the INPUT chain first?
 
Old 08-12-2011, 11:26 AM   #4
janhe
Member
 
Registered: Jul 2007
Location: Belgium
Distribution: slackware64 13.1, slackware 13.1
Posts: 369

Rep: Reputation: 45
Quote:
Originally Posted by psycroptic
I wouldn't think this would matter, seeing as my INPUT chain is set to drop, and AFAIK all traffic that passes the FORWARD chain must go through the INPUT chain first?
Nope, see http://www.netfilter.org/documentati...g-HOWTO-6.html (written by the guy who wrote iptables).

The rules in your INPUT chain do not affect the rules in your OUTPUT chain nor your FORWARD chain.
(repeat with INPUT, OUTPUT and FORWARD swapped around)
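To make janhe's point concrete, here is an added example that is not from the thread: a small Python walker over an iptables-save filter table, fed a constructed copy of the ruleset as it was first posted (FORWARD policy still ACCEPT). It implements only the match options that ruleset uses, and the two packets at the bottom are constructed; it shows that a new WAN packet routed to a LAN host never traverses INPUT and is accepted by FORWARD until that chain's policy becomes DROP.

```python
import ipaddress

# Constructed sample, not the poster's file: the filter table as first posted
# (FORWARD policy still ACCEPT), trimmed to the chains needed for the walk below.
RULES_BEFORE = """\
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:fw-interfaces - [0:0]
:fw-open - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j fw-interfaces
-A FORWARD -j fw-open
-A fw-interfaces -i eth1 -j ACCEPT
-A fw-open -d 172.16.0.10/32 -p tcp -m tcp --dport 12345 -j ACCEPT
"""
RULES_AFTER = RULES_BEFORE.replace(":FORWARD ACCEPT", ":FORWARD DROP")  # janhe's fix

def parse(text):
    """chain -> (policy, rules): policy is None for user chains, each rule an option dict."""
    chains = {}
    for line in text.splitlines():
        if line.startswith(":"):
            name, policy = line[1:].split()[:2]
            chains[name] = (None if policy == "-" else policy, [])
        elif line.startswith("-A "):
            toks = line.split()[1:]
            chains[toks[0]][1].append(dict(zip(toks[1::2], toks[2::2])))
    return chains
def matches(opts, pkt):
    """Only the matches this ruleset uses; -m just loads a module and is skipped."""
    checks = {"-i": lambda v: pkt["in"] == v, "-p": lambda v: pkt["proto"] == v,
              "-d": lambda v: ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(v),
              "--dport": lambda v: pkt.get("dport") == int(v),
              "--ctstate": lambda v: pkt["ctstate"] in v.split(",")}
    return all(checks[k](v) for k, v in opts.items() if k in checks)
def verdict(chains, hook, pkt):
    """Walk one hook chain as netfilter does: the packet sees only that chain
    (INPUT, FORWARD or OUTPUT) plus the user chains it jumps to, nothing else."""
    policy, rules = chains[hook]
    for opts in rules:
        if matches(opts, pkt):
            target = opts["-j"]
            if target in ("ACCEPT", "DROP", "REJECT"):
                return target
            if result := verdict(chains, target, pkt):  # user chain; None means RETURN
                return result
    return policy  # built-in chain's default policy; None for a user chain

# Constructed packets: an unsolicited WAN-to-LAN SMB connection and a hit on a DNAT'd port.
UNSOLICITED = {"in": "eth0", "dst": "172.16.0.50", "proto": "tcp", "dport": 445, "ctstate": "NEW"}
DNATTED = {"in": "eth0", "dst": "172.16.0.10", "proto": "tcp", "dport": 12345, "ctstate": "NEW"}
```

Calling verdict(parse(RULES_BEFORE), "FORWARD", UNSOLICITED) returns ACCEPT even though the same packet handed to INPUT would be dropped; with RULES_AFTER it returns DROP while the DNAT'd port is still accepted through fw-open.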
 
Old 08-12-2011, 11:42 AM   #5
psycroptic
Member
 
Registered: Aug 2011
Location: USA
Distribution: ArchLinux - 3.0 kernel
Posts: 299

Original Poster
Rep: Reputation: Disabled
Ah, I see. Thanks, I've changed that to DROP.
 
Old 08-26-2011, 05:40 AM   #6
leo27
LQ Newbie
 
Registered: Apr 2011
Posts: 7

Rep: Reputation: 0
Hello there,

I'm in the stage of learning iptables and I need more real world samples to assist me in my learning process. The case mentioned above is what I wanted to do with my Linux server but I don't seem to understand the code generated by iptables-save. Can I request this code encoded in iptables syntax? Is it OK for you to post here the complete code? I know this would really help me. Thanks a lot.
 
Old 08-26-2011, 12:49 PM   #7
psycroptic
Member
 
Registered: Aug 2011
Location: USA
Distribution: ArchLinux - 3.0 kernel
Posts: 299

Original Poster
Rep: Reputation: Disabled
Well, the code there is just the contents of my iptables.rules file, it's not really "executable" code. On my system (Arch Linux) it's located in /etc/iptables/iptables.rules. As far as I know, any iptables should be able to read this file.
 