Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
08-15-2008, 07:31 AM | #1
Member | Registered: May 2006 | Posts: 56
iptable rules, your opinions
Hi,
I have these rules for iptables, anything missing or could be improved ?
Code:
iptables -F
iptables -X
iptables -Z
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
Cheers
08-15-2008, 07:54 AM | #2
Senior Member | Registered: May 2004 | Location: Leipzig/Germany | Distribution: Arch | Posts: 1,684
First you flush, then you delete, then you "zero" all the chains - why?
Flushing should be enough IMO.
You are restricting yourself a lot by only allowing ports 53,80 and 443 outgoing. You can only surf that way. No Mail. No ftp. Nothing else.
OUTPUT can be fully open IMO.
iptables -A OUTPUT -j ACCEPT
I'd put the INPUT -i lo -j ACCEPT first instead of last (I have...).
08-15-2008, 08:20 AM | #3
Member | Registered: May 2006 | Posts: 56 | Original Poster
Flushing is not enough, it doesn't empty the statistics.
I don't do mail or ftp, that's why I restrict (I use webmail).
Not sure if order of INPUT -i lo is important.
Should I restrict more, like to only eth0 and udp and tcp etc ?
08-15-2008, 08:30 AM | #4
Senior Member | Registered: May 2004 | Location: Leipzig/Germany | Distribution: Arch | Posts: 1,684
Is more than this even possible?
Out goes only what you allow - In goes only what you initiated.
08-15-2008, 08:43 AM | #5
Member | Registered: May 2006 | Posts: 56 | Original Poster
yes more is possible.
08-16-2008, 04:35 PM | #6
Guru | Registered: Jul 2003 | Location: Los Angeles | Distribution: Ubuntu | Posts: 9,870
You could improve the three web surfing rules by adding matches for packets in state NEW to them. That way, packets in state INVALID don't get sent to ACCEPT (as they do with your current rules). Also, you might wanna think about whether or not you really need that RELATED match in your INPUT chain. If you don't care about the ICMP error codes which need it then you wouldn't miss it at all. I'd also suggest adding IP matches to the DNS rule, to make sure only your preferred DNS servers are used. Just my 2 cents, can't think of anything else right now.
Code:
iptables -F
iptables -X
iptables -Z
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -p UDP --dport 53 -d 208.67.222.222 \
-m state --state NEW -j ACCEPT
iptables -A OUTPUT -p UDP --dport 53 -d 208.67.220.220 \
-m state --state NEW -j ACCEPT
iptables -A OUTPUT -p TCP --dport 80 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p TCP --dport 443 -m state --state NEW -j ACCEPT
Last edited by win32sux; 08-16-2008 at 05:06 PM.
08-16-2008, 05:04 PM | #7
Senior Member | Registered: May 2004 | Location: Leipzig/Germany | Distribution: Arch | Posts: 1,684
actually - it was more of a rhetorical question as the setup was already pretty tight.
The state INVALID thing came to my mind but...
08-16-2008, 05:54 PM | #8
Member | Registered: May 2006 | Posts: 56 | Original Poster
This one works ok, with eth0 specified
Code:
iptables -F
iptables -X
iptables -Z
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp --dport 53 -d FAVORITE-DNS -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 443 -m state --state NEW -j ACCEPT
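The script below is an added example, not the poster's ruleset or a script from the thread. It turns the final ruleset from post #8, together with win32sux's advice in post #6 (NEW-state matches on the outbound allow rules, DNS pinned to chosen resolvers), into a parameterised script with an explicit INVALID drop and a self-check. The interface name, the IPT variable and the dry-run mode are assumptions of this example; the two resolver addresses are the ones post #6 used and are only defaults. With IPT left at its default the script prints the commands instead of running them, which is how the check works without root or a kernel; set IPT=iptables and run as root to apply.

```shell
#!/bin/sh
# Added example (not from the thread). Builds the workstation ruleset
# discussed above from variables. Assumptions of this example:
#   IPT         - "echo iptables" prints the commands (dry run, default);
#                 "iptables" applies them (needs root).
#   WAN_IF      - the single upstream interface, eth0 in the thread.
#   DNS_SERVERS - resolvers to pin; defaults are the ones post #6 used.
IPT="${IPT:-echo iptables}"
WAN_IF="${WAN_IF:-eth0}"
DNS_SERVERS="${DNS_SERVERS:-208.67.222.222 208.67.220.220}"

apply_rules() {
  # Reset: flush rules, delete user chains, zero counters (posts #1-#3).
  $IPT -F
  $IPT -X
  $IPT -Z
  # Default deny in every direction.
  $IPT -P INPUT DROP
  $IPT -P OUTPUT DROP
  $IPT -P FORWARD DROP
  # Loopback first, so local services are never hit by a later rule.
  $IPT -A INPUT -i lo -j ACCEPT
  $IPT -A OUTPUT -o lo -j ACCEPT
  # Drop INVALID explicitly so it can never reach an ACCEPT rule (post #6).
  $IPT -A INPUT -i "$WAN_IF" -m state --state INVALID -j DROP
  $IPT -A OUTPUT -o "$WAN_IF" -m state --state INVALID -j DROP
  # Traffic belonging to connections this host opened.
  $IPT -A INPUT -i "$WAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPT -A OUTPUT -o "$WAN_IF" -m state --state ESTABLISHED -j ACCEPT
  # New outbound connections: DNS only to the pinned resolvers, then web.
  for dns in $DNS_SERVERS; do
    $IPT -A OUTPUT -o "$WAN_IF" -p udp --dport 53 -d "$dns" \
      -m state --state NEW -j ACCEPT
  done
  $IPT -A OUTPUT -o "$WAN_IF" -p tcp --dport 80 -m state --state NEW -j ACCEPT
  $IPT -A OUTPUT -o "$WAN_IF" -p tcp --dport 443 -m state --state NEW -j ACCEPT
}

# Self-check over the generated commands (dry-run mode): every OUTPUT rule
# that opens a port must carry "--state NEW", and every DNS rule must pin a
# destination with -d. Returns 0 when both hold.
check_rules() {
  rules=$(apply_rules)
  bad_new=$(printf '%s\n' "$rules" | grep -- '-A OUTPUT' | grep -- '--dport' \
            | grep -vc -- '--state NEW' || true)
  bad_dns=$(printf '%s\n' "$rules" | grep -- '--dport 53' \
            | grep -vc -- ' -d ' || true)
  [ "$bad_new" -eq 0 ] && [ "$bad_dns" -eq 0 ]
}

# Print the commands and run the check when executed directly.
apply_rules
check_rules && echo "check: ok" || echo "check: FAILED"
```

Review the printed commands first; once they look right, `IPT=iptables sh rules.sh` applies them. If you also want to confirm the INVALID rules are doing work on a live system, `iptables -L -v -n` shows their packet counters, which is exactly the statistic `-Z` resets.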