iptables script
Hey all,
I have been working on a small script that flushes iptables and replaces it with a brand new rule set, what I want to check is that all the rules I am setting are actually secure. Code:
# flush tables and create new chain for traffic filtering Thanks in Advance, R3sistance. |
I always thought that the first rule is to drop everything, then open the ports you require.
Otherwise, your rules aren't really doing anything as all ports are open by default. e.g. http://www.debiantutorials.net/loadi...es-on-startup/ iptables -P INPUT DROP iptables -P FORWARD DROP Make sure you do specify some open ports later in the tables though, or you will be locked out ! regards Alan |
Thanks for the advice :),
iptables -A allowed_traffic -p all -j REJECT will reject anything that does have an associated rule and is similar to the default way RHEL/CentOS handle iptables. |
I see what you're saying, but that is at the end of your rule set. It should be at the beginning. You should go from most restrictive > least restrictive in the order they are applied.
regards Alan |
Hi, The Policy is the last thing that is checked when a packet does not match anything, it would come later then a rule that blocks all left over traffic, even if it is applied priorly to the rules. As far as I am aware there is no way anybody can create a type of packet that isn't already dealt with.
|
Quote:
In that sense, given that all of the explicit rules are tested before the policy comes into effect, the policy is the thing that comes into action last, even though it is the first thing that you specify. So, it is correct that the policy is the first thing that you specify when setting up the rules for the chain, it is executed, if at all, after everything else in the chain. To look at things the other way around, if the policy was the first thing was tested, and the policy was set to drop or reject, all of the packets in that chain would be dropped (or rejected). That would be rather secure, but only in the same way that pulling out the network cable would be very secure. |
Why are you jumping to the same chain from both INPUT and OUTPUT?
Why aren't you making rules specially-tailored for either INPUT or OUTPUT instead? |
The reason for that is that the only type of traffic going outwards from the server should be exactly the same as the traffic going into the server.
|
Quote:
Generally speaking, on servers the amount of rules sending packets in state NEW to ACCEPT on the OUTPUT chain should be much, much less than the INPUT chain. In fact, in many cases, the number of packets in state NEW traversing the server's OUTPUT chain should be equal to zero (that is, there shouldn't be any outbound connections allowed at all). I'm mentioning this because it seems to me like you might believe that every one of those INPUT rules requires a corresponding OUTPUT rule, which isn't the case. An OUTPUT rule to deal with packets in states RELATED and ESTABLISHED should take care of most of your needs, with only a handful of rules required for allowing certain outbound connections - and only if necessary. |
It's deliberate for 80 and 22 as this will be running VNC-server via SSH tunnel. However I will take that into account.
|
Quote:
Code:
#!/bin/sh |
All times are GMT -5. The time now is 09:21 PM. |