Help with IPtable Rules
Howzit
I'm trying to set up a FW with iptables. I understand the rules and how to go about setting them up. This is the problem that I have; let me break it down.

I have a box that is a FW/Gateway with 2 NICs: 1 = private network (192.168.0.0), 2 = public network (fixed IP). The network has 2 boxes, 1 * W2K and 1 * RH. My gateway has an IP of 192.168.0.1, my W2K has IP 192.168.0.2 and my RH has IP 192.168.0.3.

These are my iptables rules (forget about my service, it's just a test for now). Is it safe enough, and are my other machines protected?

Code:
# Generated by iptables-save v1.2.7a on Tue Dec 9 15:27:02 2003
*nat
:PREROUTING ACCEPT [13137:752677]
:POSTROUTING ACCEPT [12:1192]
:OUTPUT ACCEPT [34:2637]
[32:1925] -A POSTROUTING -j SNAT --to-source (fixed ip)
[0:0] -A POSTROUTING -o eth1 -j SNAT --to-source (fixed ip)
COMMIT
# Completed on Tue Dec 9 15:27:02 2003
# Generated by iptables-save v1.2.7a on Tue Dec 9 15:27:02 2003
*filter
:INPUT DROP [377:61312]
:FORWARD ACCEPT [102:10179]
:OUTPUT ACCEPT [3368:381403]
[26:2300] -A INPUT -i lo -j ACCEPT
[3146:246200] -A INPUT -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 22 -j ACCEPT
[1:60] -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
[484:92062] -A INPUT -p udp -m udp -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Tue Dec 9 15:27:02 2003

Thanking everyone for their input

chow
Hi,

Well, first of all... Code:
-A INPUT -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 22 -j ACCEPT

Example: if eth0 is your NIC for the private network... Code:
-A INPUT -s 192.168.0.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT

Then you have to add (if you wish to) the rules regarding what you can catch from the web. If I were you, I'd set OUTPUT and FORWARD to DROP too and try to get some documentation about the ports you need to make all your services work.
howzit

thanks for a quick response, but can you explain this a little further:
Well, everything depends on what you need. Let's assume the gateway gives the LAN access to the internet.

eth0 is linked to the LAN and eth1 is linked to the internet, so let's turn the FORWARD policy to DROP. Code:
iptables -P FORWARD DROP
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 80 -j ACCEPT  # enable www requests out
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 21 -j ACCEPT  # enable ftp requests out
iptables -A FORWARD -i eth1 -o eth0 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT  # any connection started from the LAN can get its answer

ESTABLISHED means that if you started the connection you'll get the answer. RELATED: if a connection needs other ports, these are RELATED; example: passive FTP.

You should then do the same with OUTPUT. Using these rules you can avoid traffic generated by applications you don't know (Windows spyware, many worms etc.). Adding some LOG rules checking the most vulnerable ports you can also detect the presence of possible worms in your LAN. Another interesting thing is, using this technique you can reduce the risks of buggy programs on the clients.

If you need more, let us know