First crack at IPTABLES firewall
Morning everyone. (Morning here at least.)
Well, as I dive more into IPTABLES, I am finding out just how much you can do with IPTABLES. Very cool stuff. Something I want to very much learn more of.
Anyways, I have been reading a lot of examples and how-to's on building a firewall. I know I have a ton to learn, but I wanted to get some advice on the steps to my first firewall.
Basically, this is what I am trying to do.
I will have a RH 7.3 Firewall running IPTABLES. I have 3 machines behind my Firewall; 1 Win2K Box and 2 Linux boxes. There shall be no remote connections to my firewall or any of the boxes on the internal LAN at this point. I want my internal machines to be able to access the internet and use services like web, ftp, ssh, pop, smtp, https etc.
In a nutshell, deny everything coming in, but allow the internal LAN access to the outside world and keep the connections so they can return.
Weew... here is what I have so far (I'm not sure on order, so I am just putting it in any order):
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT --protocol tcp --syn -j DROP
#LOOPBACK
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
#Syn flood protection
iptables -N syn-flood
iptables -A INPUT -i eth0 -p tcp --syn -j syn-flood
iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A syn-flood -j DROP
#Make sure new TCP connections are syn packets
iptables -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j DROP
#SPOOFING
iptables -A INPUT -i eth0 -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i eth0 -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i eth0 -s 192.168.0.0/16 -j DROP
These are just some of the rules I have been playing with. I realize that I may be totally off, or somewhat on course.
I have been using many examples to try and learn IPTables. However, I figured I learn best by reading examples and figuring them out.
If anyone has a short IPTables firewall script that will do what I am trying to do, I would love to read it and decipher it.
In the meantime, any thoughts or input?
Thanks everyone.
Tarballed
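A stateful NAT firewall script doing what the post asks for (deny everything inbound, let the LAN out to the listed services, keep connection state so the replies get back), added here as an example and not part of the original post. It assumes eth0 is the Internet side, eth1 the LAN side and 192.168.1.0/24 the LAN (all made-up names), and only prints the commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Stateful NAT firewall for a small LAN (added example, not from the post).
# Assumed: eth0 = Internet side, eth1 = LAN side, LAN = 192.168.1.0/24.
# Default is a dry run that prints each command; APPLY=1 (as root) executes them.
EXT=${EXT:-eth0}
INT=${INT:-eth1}
LAN=${LAN:-192.168.1.0/24}
APPLY=${APPLY:-0}

# Execute the command when APPLY=1, otherwise just print it for review.
run() { if [ "$APPLY" = 1 ]; then "$@"; else echo "$@"; fi; }

firewall_rules() {
    run sysctl -w net.ipv4.ip_forward=1   # the box routes between eth1 and eth0
    run modprobe ip_conntrack_ftp         # lets RELATED match FTP data connections
    run iptables -F
    run iptables -t nat -F
    run iptables -X
    # Default deny in all three chains, as in the post.
    for chain in INPUT FORWARD OUTPUT; do run iptables -P $chain DROP; done
    # Loopback is always allowed.
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A OUTPUT -o lo -j ACCEPT
    # Private source addresses never arrive legitimately on the Internet side.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        run iptables -A INPUT -i $EXT -s $net -j DROP
        run iptables -A FORWARD -i $EXT -s $net -j DROP
    done
    # A NEW TCP connection must start with a SYN.
    run iptables -A INPUT -i $EXT -p tcp ! --syn -m state --state NEW -j DROP
    run iptables -A FORWARD -i $EXT -p tcp ! --syn -m state --state NEW -j DROP
    # The firewall itself: replies to its own connections in, anything it starts out.
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    # LAN -> Internet: only the wanted services, plus DNS (needed for all of them).
    for port in 21 22 25 80 110 443; do
        run iptables -A FORWARD -i $INT -o $EXT -s $LAN -p tcp --dport $port \
            -m state --state NEW -j ACCEPT
    done
    run iptables -A FORWARD -i $INT -o $EXT -s $LAN -p udp --dport 53 -m state --state NEW -j ACCEPT
    # Return traffic (and FTP data channels) for those connections comes back through here.
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Rewrite LAN source addresses to the external address on the way out.
    run iptables -t nat -A POSTROUTING -o $EXT -s $LAN -j MASQUERADE
    # Log, rate limited, whatever falls through to the DROP policies.
    run iptables -A INPUT -m limit --limit 5/minute -j LOG --log-prefix fw-INPUT-drop:
    run iptables -A FORWARD -m limit --limit 5/minute -j LOG --log-prefix fw-FORWARD-drop:
}

firewall_rules
```

Run it once without APPLY to read the full rule list in order, then `APPLY=1 sh firewall.sh` as root; the logged drops show up in /var/log/messages with the fw- prefixes.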