LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 10-13-2005, 02:34 PM   #1
Kumado
Member
 
Registered: Oct 2003
Location: Ohio , USA
Distribution: up to Suse 10.2
Posts: 63

Rep: Reputation: 19
somewhere along the lines .....


I am working on my filter script, totally new at it.

I assumed order was important and you just confirmed it there: it would take the first match and drop out of the chain with an ACCEPT/REJECT...

What I am wanting to know (I have a NAT with a DMZ, so 3 NICs... I have read so many articles that...):
Should I set my, say, input policy to DROP first,
check for spoofing DROP (outside DHCP requests, time requests, DNS requests, etc.) DROP,
and then start accepting what I want, say SSH to the NAT, est. connections, etc.?

Is that the safe way? Does that slow the system down if it has to check all of that for each packet it gets?
If I do not check for those first, could some other rule let something in that should not?

Does anyone have a simple list / order of best practice for iptables chains / policies for a newbie?

Thanks

Mike
 
Old 10-13-2005, 02:58 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
//Moderator note: I'm splitting this thread and making a new one with your post.
 
Old 10-13-2005, 03:10 PM   #3
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
The default policy will always be the last rule in the firewall regardless of where you actually put it in your script. As a general rule, you'd want rules to block spoofing and junk packets, but not all packets need to go through those checks (for example it doesn't make sense to have UDP packets checked for bad TCP flags), so a good technique is to create user defined chains where specialized checks like that take place. Then only those packets that need to be checked are passed into that chain. That's a little more advanced though. The total number of rules shouldn't really affect network speed very much unless you have a *huge* number of rules. In most cases, you're looking at an added latency of a few microseconds.

If you're creating your first firewall, then I'd strongly recommend looking over Oskar Andreasson's iptables tutorial:
http://iptables-tutorial.frozentux.n...-tutorial.html
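As an added example (not from the thread or its author), here is the ordering described above as a small script: policy first, the TCP-only checks in a user-defined chain that only TCP packets enter, then the accepts. The interface names and subnets are assumptions; by default the script only prints the commands, and setting IPT=iptables applies them.

```shell
#!/bin/sh
# Added example (not from the thread): INPUT rules in the order described above,
# policy first, sanity checks in a user-defined chain that only TCP enters, then
# the accepts. Interface names and subnets are assumptions.
WAN_IF="${WAN_IF:-eth0}"              # assumed: interface facing the Internet
LAN_IF="${LAN_IF:-eth1}"              # assumed: interface facing the trusted LAN
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # assumed: trusted LAN subnet
IPT="${IPT:-echo iptables}"           # default only prints; IPT=iptables applies

build_input_rules() {
    # 1. The default policy is consulted last no matter where this line sits.
    $IPT -P INPUT DROP
    $IPT -F INPUT
    # 2. TCP-only sanity checks live in their own chain; UDP never enters it,
    #    so flag tests are not evaluated for packets they cannot apply to.
    $IPT -N tcp_checks 2>/dev/null || $IPT -F tcp_checks
    $IPT -A tcp_checks -p tcp --tcp-flags ALL NONE -j DROP          # no flags set
    $IPT -A tcp_checks -p tcp --tcp-flags ALL ALL -j DROP           # all flags set
    $IPT -A tcp_checks -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP   # impossible combo
    $IPT -A tcp_checks -p tcp ! --syn -m state --state NEW -j DROP  # new but not SYN
    $IPT -A tcp_checks -j RETURN                                    # back to INPUT
    # Anti-spoofing: private and loopback sources never legitimately arrive on WAN.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8; do
        $IPT -A INPUT -i "$WAN_IF" -s "$net" -j DROP
    done
    $IPT -A INPUT -p tcp -j tcp_checks
    # 3. Accept what is wanted; anything unmatched falls through to the DROP policy,
    #    including DHCP, DNS and NTP requests from the WAN side (they get no rule).
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 \
        -m state --state NEW -j ACCEPT
}

# 1-based position of the first generated line matching $1 (0 if absent); lets a
# script check that the ruleset came out in the intended order.
rule_position() {
    build_input_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1 | grep . || echo 0
}

build_input_rules
```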
 
Old 10-13-2005, 08:18 PM   #4
Kumado
Member
 
Registered: Oct 2003
Location: Ohio , USA
Distribution: up to Suse 10.2
Posts: 63

Original Poster
Rep: Reputation: 19
Thx again Capt,

I have read a lot; that page is extensive. It will take time.

I like the idea of the user-defined rules doing separate tasks. That explains all the variations of scripts that I have seen. Makes it very confusing.

I can read a good bit of the lines now; it is things like the TOS, -m field, etc.

I want to, in the future, put together a content filter. Partly for sites that are just a pain, and for filtering things that students should not be into in a school. I know there are tools out there. I like to do my own. I learn more that way. Plus, like with this, I still need to learn what needs through and what needs blocked. A great deal to find out.

Thanks again

Mike
 
Old 10-13-2005, 11:12 PM   #5
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
If you are planning on doing content filtering, then you may want to consider setting up a transparent proxy using something like squid. Iptables is a little awkward for doing that and squid with its ACLs is really designed exactly with that in mind. Plus there are already a number of places to get reasonably comprehensive blacklists for content filtering with squid. You'd still need to use iptables, but the idea is that iptables redirects outbound http requests to the squid proxy running locally. The traffic is then redirected on the way back, with the client never aware that the traffic was rerouted and filtered.
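As an added example (not from the thread or its author), the redirect described above plus the squid side of it: the nat rule that sends LAN clients' port-80 traffic to a local squid, a squid.conf fragment that denies a dstdomain block list, and a small checker for how squid's dstdomain entries match. The LAN interface, subnet, squid port, block-list path and the sample domains are assumptions; by default the script only prints the iptables commands.

```shell
# Added example (not from the thread): the iptables redirect behind a transparent
# squid proxy, the matching squid.conf fragment, and a checker for squid's
# dstdomain matching rules. Interface, subnet, port and paths are assumptions.
LAN_IF="${LAN_IF:-eth1}"              # assumed: interface facing the LAN clients
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # assumed: LAN subnet
SQUID_PORT="${SQUID_PORT:-3128}"      # assumed: squid listening port
IPT="${IPT:-echo iptables}"           # default only prints; IPT=iptables applies

transparent_redirect_rules() {
    # Outbound HTTP from LAN clients is rewritten, before routing, to the local
    # squid port. Squid answers the client directly, so the return path needs no
    # rule and the client never learns the request was proxied.
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$SQUID_PORT"
    # The redirected connections now arrive on INPUT for the local squid.
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport "$SQUID_PORT" \
        -m state --state NEW -j ACCEPT
}

squid_filter_conf() {
    # squid.conf fragment; 'transparent' is the squid 2.x keyword (3.1+ uses 'intercept').
    cat <<EOF
http_port ${SQUID_PORT} transparent
acl lan src ${LAN_NET}
acl blocked_sites dstdomain "/etc/squid/blocked_domains.txt"
http_access deny lan blocked_sites
http_access allow lan
http_access deny all
EOF
}

# squid dstdomain semantics: an entry with a leading dot matches that domain and
# every subdomain; an entry without one matches that exact host name only.
dstdomain_matches() {   # $1 = requested host, $2 = block-list entry
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    entry=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$entry" in
        .*) [ "$host" = "${entry#.}" ] || [ "${host%$entry}" != "$host" ] ;;
        *)  [ "$host" = "$entry" ] ;;
    esac
}

# Constructed sample block list (not a real one); succeeds when the host is blocked.
is_blocked() {
    for pattern in .games.example .video.example ads.example; do
        dstdomain_matches "$1" "$pattern" && return 0
    done
    return 1
}
```

Running `is_blocked www.games.example` succeeds while `is_blocked notgames.example` and `is_blocked www.ads.example` fail, which is exactly the difference between a dotted and an undotted block-list entry.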