LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Old 08-31-2005, 04:56 PM   #1
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,190

Rep: Reputation: 60
Iptables Rules


Here are my iptables rules:


# Generated by iptables-save v1.2.8 on Thu Jun 2 23:32:55 2005
*nat
:PREROUTING ACCEPT [31:3208]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [48:2880]
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
# Completed on Thu Jun 2 23:32:55 2005
# Generated by iptables-save v1.2.8 on Thu Jun 2 23:32:55 2005
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [744:319548]
:block - [0:0]
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -j block
-A INPUT -i ppp0 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j DROP
-A INPUT -i ppp0 -m state --state INVALID,NEW -j DROP
-A FORWARD -j block
-A FORWARD -i ppp0 -m state --state INVALID,NEW -j DROP
-A FORWARD -m limit --limit 3/hour -j LOG
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 1/sec -j ACCEPT
-A FORWARD -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j ACCEPT
-A FORWARD -p icmp -m limit --limit 1/sec -m icmp --icmp-type 8 -j ACCEPT
-A FORWARD -i ppp0 -m state --state INVALID,RELATED,ESTABLISHED -j DROP
-A block -m state --state RELATED,ESTABLISHED -j ACCEPT
-A block -i ! ppp0 -m state --state NEW -j ACCEPT
-A block -j DROP
COMMIT
# Completed on Thu Jun 2 23:32:55 2005

Can I get some feedback on my iptables rules? Does this look like a decent set of rules? Gurus, let me have it!
 
Old 08-31-2005, 05:15 PM   #2
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507

Rep: Reputation: 128
Most of your rules will NEVER be evaluated because they come AFTER a -j block:
Code:
-A INPUT -i ppp0 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j DROP
-A INPUT -i ppp0 -m state --state INVALID,NEW -j DROP
and
Code:
-A FORWARD -i ppp0 -m state --state INVALID,NEW -j DROP
-A FORWARD -m limit --limit 3/hour -j LOG
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 1/sec -j ACCEPT
-A FORWARD -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j ACCEPT
-A FORWARD -p icmp -m limit --limit 1/sec -m icmp --icmp-type 8 -j ACCEPT
-A FORWARD -i ppp0 -m state --state INVALID,RELATED,ESTABLISHED -j DROP
Also, WHY are you dropping ESTABLISHED,RELATED traffic? Most rulesets have '-m state --state ESTABLISHED,RELATED -j ACCEPT' for stateful filtering.

I wonder why you are limiting matches to 1/sec on a lot of rules. Do consider that those packets will fall down to later rules, and you're likely to end up dropping important packets and giving you a headache later.

Also, the policies for INPUT and especially FORWARD are set to ACCEPT by default. So if a packet is not explicitly denied, it is accepted.

Sorry if this seems harsh, it's just what I saw.
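To make the ordering point concrete, here is a small checker (an added example, not code from the thread) that reads an iptables-save dump, follows jumps into user-defined chains, and reports every rule that sits behind an unconditional terminating rule, plus every built-in chain whose policy is still ACCEPT. The parser and the "unconditional" test are simplifications of my own: a rule counts as unconditional when there are no match options between the chain name and -j, and a user chain counts as always-terminating when it contains such a rule with an ACCEPT/DROP/REJECT target (or an unconditional jump to another chain that does). Run against the filter table posted above, it flags the eight rules listed in the reply.

```python
"""Find rules that can never match in an iptables-save dump (added example)."""
import shlex

# Targets that end a packet's walk through the table once they fire.
TERMINATING = {"ACCEPT", "DROP", "REJECT"}

# The filter table from the first post, copied as posted (nat table left out).
OP_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [744:319548]
:block - [0:0]
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -j block
-A INPUT -i ppp0 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j DROP
-A INPUT -i ppp0 -m state --state INVALID,NEW -j DROP
-A FORWARD -j block
-A FORWARD -i ppp0 -m state --state INVALID,NEW -j DROP
-A FORWARD -m limit --limit 3/hour -j LOG
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 1/sec -j ACCEPT
-A FORWARD -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j ACCEPT
-A FORWARD -p icmp -m limit --limit 1/sec -m icmp --icmp-type 8 -j ACCEPT
-A FORWARD -i ppp0 -m state --state INVALID,RELATED,ESTABLISHED -j DROP
-A block -m state --state RELATED,ESTABLISHED -j ACCEPT
-A block -i ! ppp0 -m state --state NEW -j ACCEPT
-A block -j DROP
COMMIT
"""


def parse_table(dump, table="filter"):
    """Return (policies, chains) for one table of an iptables-save dump.

    policies: {chain: policy}   ('-' for user-defined chains)
    chains:   {chain: [rule]}   in append order, each rule a dict with
              'matches' (tokens between the chain name and -j) and 'target'.
    """
    policies, chains = {}, {}
    current = None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):            # table header, e.g. *filter
            current = line[1:]
            continue
        if current != table:
            continue
        if line.startswith(":"):            # chain declaration, e.g. :INPUT ACCEPT [0:0]
            name, policy = line[1:].split()[:2]
            policies[name] = policy
            chains.setdefault(name, [])
        elif line.startswith("-A "):
            toks = shlex.split(line)
            jump = toks.index("-j") if "-j" in toks else len(toks)
            target = toks[jump + 1] if jump < len(toks) - 1 else None
            chains.setdefault(toks[1], []).append(
                {"matches": toks[2:jump], "target": target, "text": line})
    return policies, chains


def always_terminates(chain, chains, seen=frozenset()):
    """True if no packet entering this user chain can return to the caller."""
    if chain in seen:                       # loop guard for mutually jumping chains
        return False
    for rule in chains.get(chain, []):
        if rule["matches"]:                 # conditional: some packets skip it
            continue
        target = rule["target"]
        if target in TERMINATING:
            return True
        if target == "RETURN":
            return False
        if target in chains and always_terminates(target, chains, seen | {chain}):
            return True
    return False


def dead_rules(policies, chains):
    """Return [(rule_text, blocking_rule_text)] for rules that can never be reached."""
    dead = []
    for chain, rules in chains.items():
        blocker = None
        for rule in rules:
            if blocker is not None:
                dead.append((rule["text"], blocker))
                continue
            target = rule["target"]
            if not rule["matches"] and (
                target in TERMINATING
                or (target in chains and always_terminates(target, chains))
            ):
                blocker = rule["text"]      # everything after this line is unreachable
    return dead


def open_policies(policies):
    """Built-in chains that accept whatever no rule explicitly handled."""
    return sorted(c for c, p in policies.items() if p == "ACCEPT")


if __name__ == "__main__":
    pol, ch = parse_table(OP_RULESET)
    for text, why in dead_rules(pol, ch):
        print(f"never evaluated: {text!r}  (behind {why!r})")
    print("chains with ACCEPT policy:", open_policies(pol))
```

Running it prints the two INPUT rules and six FORWARD rules that sit after the jumps to `block`, together with the three built-in chains whose default policy is ACCEPT.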
 
Old 08-31-2005, 05:48 PM   #3
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,190

Original Poster
Rep: Reputation: 60
Can you give me a decent iptables script that I can follow as a good guideline? Thanks.
 
Old 09-01-2005, 03:43 AM   #4
Simon Bridge
LQ Guru
 
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211

Rep: Reputation: 198
Perhaps this was done offline?
Not very friendly to folk following from a search...

Here's my favorite "Mad Dog" firewall.
'tis a basic, restrictive, firewall for a home system.

All security should start with some sort of policy statement.

Security Policy:
1. Nothing gets in or out without permission.
2. Permission must be explicitly set
3. Internal systems are unlimited
4. Nothing gets in without my asking for it
5. Everything gets out.

Basic Rules:
Code:
#!/bin/sh
## == mdh firewall =======
# (the #!/bin/sh line has to be the very first line of the file)

# remove existing rules
iptables --flush
iptables -t nat --flush
iptables --delete-chain     # long form of -X is --delete-chain, not --delete_chain
iptables --zero

# Set up a default DROP policy for the built-in chains.
iptables --policy INPUT DROP
iptables --policy FORWARD DROP
iptables --policy OUTPUT DROP

# Allow all traffic through the loopback interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow initiated traffic in
# (the state match knows ESTABLISHED, not EXISTING; with an unknown state name
#  iptables rejects the rule and replies to our own connections are dropped)
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Uncomment to allow SSH connections
# (-p selects the protocol; -t selects a table. The port option is --dport.)
#iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# Allow all traffic out
# Any other output rule should go /before/ this one
iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
This makes things tricky but not impossible.
If you have a network, you'll need to make a hole for that too.
 
Old 09-05-2005, 07:06 PM   #5
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,190

Original Poster
Rep: Reputation: 60
I am in the process of redoing the whole thing. My current script is a true joke. I have been given no respect up until this point, but that will change after I display my total overhaul of my new IPTABLES script. Give me a few and I will display it for criticism or for kudos. Thanks.
 
Old 09-07-2005, 07:03 PM   #6
Simon Bridge
LQ Guru
 
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211

Rep: Reputation: 198
metallica1973: interesting - IMO you have been given nothing but respect. All criticism was phrased with the assumption you had valid reasons for what you did - and you did invite criticism. Mind you, Matir did shout a bit ... but I don't think he meant to.
 
Old 09-07-2005, 09:49 PM   #7
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507

Rep: Reputation: 128
I really did not mean to shout in any way. I'm sorry if it came across that way. I (unfortunately) sometimes use LQ as a place to wind down after work, and sometimes the line gets blurred. Sorry if you were offended, I truly did not mean it.
 
Old 09-07-2005, 11:13 PM   #8
Simon Bridge
LQ Guru
 
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211

Rep: Reputation: 198
No trouble, Matir: just in case someone searching into this forum doesn't know what I was talking about... I was referring to the following line:
Quote:
Most of your rules will NEVER be evaluated because they come AFTER a -j block:
... when words are capitalised like that (unless they must be like that - like with the iptables "policy" statements) it looks like shouting.

If you intend boldface or emphasis you can use vb codes like this or this. For example, Matir's statement is best with italics for emphasis, like this:
Quote:
Most of your rules will never be evaluated because they come after a -j block:
I point out that Matir very clearly did not intend to shout - this was clear because of the calm-measured tones of the rest of the post.
 
Old 09-07-2005, 11:20 PM   #9
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507

Rep: Reputation: 128
Yeah, I should've used italics. Bad habits from IRC where color/bold/underline is generally discouraged.
 
Old 09-08-2005, 03:12 AM   #10
Simon Bridge
LQ Guru
 
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211

Rep: Reputation: 198
... anyway, in IRC you gotta get in there fast

Back on topic -
Perhaps you could cast your eye over the mdh firewall and suggest modifications?
I'd especially like to know why it blocks internet in FC2 (not tried with FC4) but works like a charm in RH9.
 
Old 09-08-2005, 09:20 PM   #11
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,190

Original Poster
Rep: Reputation: 60
Gentlemen, I truly appreciate all of your help, especially MATIR and SIMON BRIDGE. My last post was not in disappointment; I was just simply saying that in order to get respect you must earn it, and I was referring to my Linux skills using IPTABLES. I am from the barrio and that is just a term of speech. LOL. Every last one of you that has responded to any of my posts kicks butt. I want to one day become a senior member and help out newbies like me. I classify myself as a newbie, maybe an idiot, but not a newbie LOL. Thanks.

P.S

iptables rules can be a bit challenging!
 
Old 09-08-2005, 09:29 PM   #12
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507

Rep: Reputation: 128
Sometimes even I have to stop and think about the ordering and arrangement of iptables rules.

Don't fret. And you have gained my respect by showing yourself as someone who is willing to work and learn for answers, rather than expecting us to feed you the exact commands for your goal. I do hope you will answer the questions of those who are new to linux as you become more experienced with it yourself.
 
Old 09-08-2005, 09:36 PM   #13
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,190

Original Poster
Rep: Reputation: 60
These are to refuse directed broadcasts

iptables -A INPUT -i $EXTERNAL_INTERFACE -d $EXTERNAL_NETWORK -j DROP

iptables -A INPUT -i $EXTERNAL_INTERFACE -d $BROADCAST_NET -j DROP

and this for spoofing

iptables -A INPUT -i $EXTERNAL_INTERFACE -s $EXTERNAL_IP -j LnD

My question is on the variable $EXTERNAL_NETWORK. What does that mean? Do they mean the NIC card that goes out to the internet?

And the variable $EXTERNAL_IP, what does that mean? Does it also mean the NIC that goes to the internet? Are they the same? I need a little clarification.

also

# Refuse malformed broadcast packets.

iptables -A INPUT -i $EXTERNAL_INTERFACE -s $BROADCAST_DEST -j LnD
iptables -A INPUT -i $EXTERNAL_INTERFACE -d $BROADCAST_SRC -j LnD
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -s $BROADCAST_DEST -j LnD
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -d $BROADCAST_SRC -j LnD

Does the variable $BROADCAST_DEST mean your LAN broadcast address, like 192.168.2.255?

Does the variable $BROADCAST_SRC mean the broadcast address, like 255.255.225.255?

Please translate!

Last edited by metallica1973; 09-08-2005 at 09:42 PM.
 
Old 09-08-2005, 09:41 PM   #14
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507

Rep: Reputation: 128Reputation: 128
Well, those rules seem to assume a static IP address. For example, if your ip was 99.99.99.99, then your external network might be 99.99.99.0/255.255.255.0. It's the IP/network/broadcast related to the interface that goes out towards the internet.
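As an added example (not code from the thread, and not an answer from any of the posters), the following shows how the variables in the quoted rules are derived from the address on the outside interface, using Python's standard ipaddress module, and what happens to them on a PPP link. Assumptions, labelled in the code: the two constants are taken to be BROADCAST_DEST=255.255.255.255 and BROADCAST_SRC=0.0.0.0, which is what makes the "malformed broadcast" rules (source 255.255.255.255, or destination 0.0.0.0) meaningful; the LnD chain is replaced by a plain DROP; and the interface address is passed in as address/prefix, which is what `ip -4 addr show dev ppp0` reports and what a script run from /etc/ppp/ip-up can build (pppd passes the local address to ip-up as its fourth argument), so a dynamically assigned address can be filled in at link-up time. For Matir's 99.99.99.99 on a /24 the network is 99.99.99.0 and the broadcast 99.99.99.255; a PPP link carries a /32, so there is no subnet broadcast to refuse and only the spoof rule and the malformed-broadcast rules remain.

```python
"""Fill in $EXTERNAL_IP / $EXTERNAL_NETWORK / $BROADCAST_* for the quoted rules.

Added example, not from the thread. Only the standard library is used.
"""
import ipaddress

# Assumed values for the two constants used by the quoted script (assumption):
# a packet claiming to come FROM the limited-broadcast address, or sent TO
# 0.0.0.0, is malformed, and that is what the "malformed broadcast" rules catch.
BROADCAST_DEST = "255.255.255.255"
BROADCAST_SRC = "0.0.0.0"


def external_vars(cidr):
    """Derive the variables from the address the outside interface has right now.

    cidr is "address/prefix", e.g. "99.99.99.99/24" on an Ethernet uplink or
    "99.99.99.99/32" on a PPP/PPPoE link (a point-to-point link has no subnet,
    only a local and a peer address).
    """
    iface = ipaddress.ip_interface(cidr)
    net = iface.network
    return {
        "EXTERNAL_IP": str(iface.ip),                   # the host's own public address
        "EXTERNAL_NETWORK": str(net.network_address),   # all-zeros host, e.g. 99.99.99.0
        "BROADCAST_NET": str(net.broadcast_address),    # all-ones host, e.g. 99.99.99.255
        # On a /32 there is no subnet, so the two directed-broadcast rules
        # would only ever match the host's own address.
        "POINT_TO_POINT": net.prefixlen == 32,
    }


def render_rules(cidr, ext_if):
    """Return the quoted rule lines with the variables filled in (LnD -> DROP)."""
    v = external_vars(cidr)
    rules = [
        # spoofing: our own address must never arrive as a SOURCE on the outside interface
        f"iptables -A INPUT -i {ext_if} -s {v['EXTERNAL_IP']} -j DROP",
        # malformed broadcasts (constants assumed above)
        f"iptables -A INPUT -i {ext_if} -s {BROADCAST_DEST} -j DROP",
        f"iptables -A INPUT -i {ext_if} -d {BROADCAST_SRC} -j DROP",
        f"iptables -A OUTPUT -o {ext_if} -s {BROADCAST_DEST} -j DROP",
        f"iptables -A OUTPUT -o {ext_if} -d {BROADCAST_SRC} -j DROP",
    ]
    if not v["POINT_TO_POINT"]:
        # directed broadcasts: match the two special hosts as single addresses.
        # Matching the whole prefix (-d 99.99.99.0/24) would also match
        # EXTERNAL_IP itself and drop every packet addressed to this host.
        rules.append(f"iptables -A INPUT -i {ext_if} -d {v['EXTERNAL_NETWORK']} -j DROP")
        rules.append(f"iptables -A INPUT -i {ext_if} -d {v['BROADCAST_NET']} -j DROP")
    return rules


if __name__ == "__main__":
    # Static Ethernet uplink (Matir's example) versus a dynamic PPPoE link.
    for cidr, dev in (("99.99.99.99/24", "eth0"), ("99.99.99.99/32", "ppp0")):
        print(f"# {dev} {cidr}: {external_vars(cidr)}")
        print("\n".join(render_rules(cidr, dev)))
```

On a PPPoE router the script would be invoked from /etc/ppp/ip-up with the freshly assigned address, so the -s $EXTERNAL_IP spoof rule is rebuilt on every reconnect instead of being hard-coded for an address that will change.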
 
Old 09-08-2005, 10:01 PM   #15
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,190

Original Poster
Rep: Reputation: 60
Then how would you explain a dynamic address as opposed to a static address? And could I translate that $EXTERNAL_NETWORK or $EXTERNAL_IP, and would it mean the same thing? The reason I ask this is because at home I use PPPoE from my ISP and it dynamically assigns my DSL modem an IP address. So to add that statement to my firewall, would it work if I were to translate the $EXTERNAL_NETWORK or $EXTERNAL_IP with, let's say, ppp0 as my external_network or external_ip? Help. I am slowly working on my firewall. Thanks.
 