LinuxQuestions.org, Linux - Security forum
Old 08-15-2008, 07:31 AM   #1
linuxcbon (Member, Registered: May 2006, Posts: 56)
iptable rules, your opinions


Hi,

I have these rules for iptables, anything missing or could be improved?

iptables -F
iptables -X
iptables -Z
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

Cheers
 
Old 08-15-2008, 07:54 AM   #2
jomen (Senior Member, Registered: May 2004, Location: Leipzig/Germany, Distribution: Arch, Posts: 1,684)
First you flush, then you delete, then you "zero" all the chains - why?
Flushing should be enough IMO.

You are restricting yourself a lot by only allowing ports 53,80 and 443 outgoing. You can only surf that way. No Mail. No ftp. Nothing else.

OUTPUT can be fully open IMO.

iptables -A OUTPUT -j ACCEPT

I'd put the INPUT -i lo -j ACCEPT first instead of last (I have...).
 
Old 08-15-2008, 08:20 AM   #3
linuxcbon (Original Poster, Member, Registered: May 2006, Posts: 56)
Flushing is not enough, it doesn't empty the statistics.
I don't do mail or ftp, that's why I restrict (I use webmail).
Not sure if order of INPUT -i lo is important.
Should I restrict more, like to only eth0 and udp and tcp, etc.?
 
Old 08-15-2008, 08:30 AM   #4
jomen (Senior Member, Registered: May 2004, Location: Leipzig/Germany, Distribution: Arch, Posts: 1,684)
Is more than this even possible?
Out goes only what you allow - In goes only what you initiated.
 
Old 08-15-2008, 08:43 AM   #5
linuxcbon (Original Poster, Member, Registered: May 2006, Posts: 56)
Yes, more is possible.
 
Old 08-16-2008, 04:35 PM   #6
win32sux (Guru, Registered: Jul 2003, Location: Los Angeles, Distribution: Ubuntu, Posts: 9,870)
You could improve the three web surfing rules by adding matches for packets in state NEW to them. That way, packets in state INVALID don't get sent to ACCEPT (as they do with your current rules). Also, you might wanna think about whether or not you really need that RELATED match in your INPUT chain. If you don't care about the ICMP error codes which need it then you wouldn't miss it at all. I'd also suggest adding IP matches to the DNS rule, to make sure only your preferred DNS servers are used. Just my , can't think of anything else right now.
Code:
iptables -F
iptables -X
iptables -Z

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT

iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

iptables -A OUTPUT -p UDP --dport 53 -d 208.67.222.222 \
-m state --state NEW -j ACCEPT
iptables -A OUTPUT -p UDP --dport 53 -d 208.67.220.220 \
-m state --state NEW -j ACCEPT

iptables -A OUTPUT -p TCP --dport 80 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p TCP --dport 443 -m state --state NEW -j ACCEPT

Last edited by win32sux; 08-16-2008 at 05:06 PM.
 
Old 08-16-2008, 05:04 PM   #7
jomen (Senior Member, Registered: May 2004, Location: Leipzig/Germany, Distribution: Arch, Posts: 1,684)
Actually, it was more of a rhetorical question, as the setup was already pretty tight.
The state INVALID thing came to my mind but...
 
Old 08-16-2008, 05:54 PM   #8
linuxcbon (Original Poster, Member, Registered: May 2006, Posts: 56)
This one works OK, with eth0 specified:
Code:
iptables -F
iptables -X
iptables -Z

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED -j ACCEPT

iptables -A OUTPUT -o eth0 -p udp --dport 53 -d FAVORITE-DNS -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 443 -m state --state NEW -j ACCEPT
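The script below is an added example, not code posted in this thread. It writes the ruleset the thread converges on (post #8, with the two OpenDNS resolver addresses from win32sux's post #6 standing in for FAVORITE-DNS) in iptables-restore format, so the whole filter table is replaced in one step instead of through the -F / -X / -Z sequence followed by a series of -A commands. It then runs two small awk audits over any iptables-save style dump, covering both of win32sux's points: ACCEPT rules on a non-loopback interface that carry no "-m state" match (and so also accept packets conntrack marks INVALID), and outbound port 53 rules that do not pin a destination. The interface name eth0, the DNS1/DNS2 variables and the "before" dump mirroring the original post are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): build the final ruleset in
# iptables-restore syntax and audit it for the two issues raised in post #6.
# Assumptions: uplink interface eth0; resolvers default to the OpenDNS
# addresses quoted in the thread. Override with IFACE=, DNS1=, DNS2=.

IFACE="${IFACE:-eth0}"
DNS1="${DNS1:-208.67.222.222}"
DNS2="${DNS2:-208.67.220.220}"

# Emit the ruleset for "build_ruleset | iptables-restore". The table is
# loaded atomically, so there is no window in which the DROP policies are in
# place but the ACCEPT rules are not. The [0:0] after each policy are the
# packet/byte counters; without -c iptables-restore starts them at zero,
# which is what the -Z step in the thread was for.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -i $IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o $IFACE -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o $IFACE -p udp --dport 53 -d $DNS1 -m state --state NEW -j ACCEPT
-A OUTPUT -o $IFACE -p udp --dport 53 -d $DNS2 -m state --state NEW -j ACCEPT
-A OUTPUT -o $IFACE -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A OUTPUT -o $IFACE -p tcp --dport 443 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Audit 1: ACCEPT rules with no "-m state" match, loopback rules excluded.
# Such a rule matches packets in any conntrack state, INVALID included;
# adding "--state NEW" to the web and DNS rules is what closes that.
# Reads rules on stdin, so it also works on "iptables-save" output.
stateless_accepts() {
    awk '/-j ACCEPT/ && !/-m state/ && !/-[io] lo / { n++ } END { print n + 0 }'
}

# Audit 2: outbound port 53 rules that carry no "-d" destination match,
# i.e. rules that would let any resolver on the Internet be queried.
unpinned_dns_rules() {
    awk '/-A OUTPUT/ && /--dport 53/ && !/ -d / { n++ } END { print n + 0 }'
}

# Constructed "before" dump mirroring the rules in the original post,
# for comparison with build_ruleset output.
original_post_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
EOF
}

# Usage: "sh rules.sh report" prints both audits for the before/after sets;
# "sh rules.sh | iptables-restore" would load the final set (as root).
if [ "${1:-}" = "report" ]; then
    printf 'original: %s stateless ACCEPTs, %s unpinned DNS rules\n' \
        "$(original_post_rules | stateless_accepts)" \
        "$(original_post_rules | unpinned_dns_rules)"
    printf 'final:    %s stateless ACCEPTs, %s unpinned DNS rules\n' \
        "$(build_ruleset | stateless_accepts)" \
        "$(build_ruleset | unpinned_dns_rules)"
fi
```

Run with "report" to see the original post's rules score three stateless ACCEPTs and one unpinned DNS rule, against zero and zero for the final set. The same two audit functions can be fed "iptables-save" output from a live host to check that a deployed ruleset still matches what the thread arrived at.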
 
  

