Input Filter

Kumado · 03-23-2006, 10:36 AM

hey all,

Except for missing logging, is there any reason to do:

iptables -A INPUT -i $EXT_IFACE -s 127.0.0.0/8 -j LOG --log-prefix "RFC - 127/8"--log-tcp-options --log-ip-options
iptables -A INPUT -i $EXT_IFACE -s 127.0.0.0/8 -j DROP
iptables -A INPUT -i $EXT_IFACE -s 192.168.0.0/16 -j LOG --log-prefix "RFC - 192/20"--log-tcp-options --log-ip-options
iptables -A INPUT -i $EXT_IFACE -s 192.168.0.0/16 -j DROP
iptables -A INPUT -i $EXT_IFACE -s 172.16.0.0/12 -j LOG --log-prefix "RFC - 172/20"--log-tcp-options --log-ip-options
iptables -A INPUT -i $EXT_IFACE -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i $EXT_IFACE -s 10.0.0.0/8 -j LOG --log-prefix "RFC - 10/8"--log-tcp-options --log-ip-options
iptables -A INPUT -i $EXT_IFACE -s 10.0.0.0/8 -j DROP

iptables -A INPUT -i $EXT_IFACE -s $LAN_NET -d $ANYWHERE -j LOG --log-prefix "Spoof ! "--log-tcp-options --log-ip-options
iptables -A INPUT -i $EXT_IFACE -s $LAN_NET -d $ANYWHERE -j DROP
iptables -A INPUT -i $EXT_IFACE -s $DMZ_NET -d $ANYWHERE -j LOG --log-prefix "Spoof ! "--log-tcp-options --log-ip-options
iptables -A INPUT -i $EXT_IFACE -s $DMZ_NET -d $ANYWHERE -j DROP

or just do:

iptables -A INPUT -i $EXT_IFACE -d !EXT_IP -j DROP

Would this not reject all ips except the one ip that I should get, right?
I would just miss specific logging?

thanks

demian · 03-23-2006, 11:12 AM

You're right. The last command drops all packages that all the previous commands combined drop and then some.

The idea is that having a packet come into the external interface with a private source IP or your LAN/DMZ IP is a pretty serious sign of malicious intend since that packet has most likely been tampered with.

Kumado · 03-23-2006, 05:58 PM

hmmmm, ok. That is what I thought. Is that a good idea?

That leaves me to just my ip to deal with. If I disable pint to my EXT, it would be harder to find.

What would be the next best thing to test for?

Should I see if it is related / estasblished or reject other things like DNS or DHCP requests?

Thank you for your reply btw.

Kumado

Kumado · 03-23-2006, 05:58 PM

hmmmm, ok. That is what I thought. Is that a good idea?

That leaves me to just my ip to deal with. If I disable ping to my EXT, it would be harder to find.

What would be the next best thing to test for?

Should I see if it is related / estasblished or reject other things like DNS or DHCP requests?

Thank you for your reply btw.

Kumado