LinuxQuestions.org
Old 10-23-2008, 09:39 AM   #1
lo-kəy
LQ Newbie
 
Registered: Oct 2008
Distribution: slackware
Posts: 10

IPtables setup question thoughts?


Hi,
I have three questions regarding iptables:

1. Here's my basic ruleset. Is this decent for a general
use setup direct connected to the internet?

Code:
iptables -P INPUT DROP
iptables -P FORWARD DROP
# optional, if I'm feeling polite (the original line was missing the INPUT chain name)
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

2. I have tried to add
Code:
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 80 -j ACCEPT
To allow connections to a webserver. The odd thing is with that rule,
a scan from say, GRC will show 80 open, but I cannot get the 'It Works'
page from either a proxy or typing my ip in the address bar.

And no log entries for the request.

However, If I flush rules, and set the input policy to ACCEPT,
I can get the page.


3. Logging. The best logging rule I have come up with is:

Code:
iptables -A INPUT -m limit --limit 15/minute -j LOG --log-level 7 --log-prefix "Firewall"
How best to parse the tons of stuff this produces? A grep script
or any apps that could sort it out for me?
For example, if someone was poking around rattling doors and such
over a period of time, I would never pick it up out of all the noise.


Thanks for any input!!!
 
Old 10-23-2008, 06:44 PM   #2
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 4,070

Quote:
Originally Posted by lo-kəy
Hi,
I have three questions regarding iptables:

1. Here's my basic ruleset. Is this decent for a general
use setup direct connected to the internet?
Is the iptables ruleset completely blank before you run this, or are there already some rules set up? Could you list the ruleset, including policies (iptables -L)?

Quote:
How best to parse the tons of stuff this produces?
Well, it would be best not to do this. Firstly because you will be logging too much stuff, and inflating log files more than you need and battering your hard disk. And secondly, as you have discovered, if you have a logfile filled with a mass of noise, you'll probably never pay it the attention that it should get.

In general, if you have a mass of packets coming your way and you can deal with the packets that seem to make obvious sense (in context, say relateds, existing connections, etc) and just be left with the ones that need special attention (packets that don't seem to be part of, or related to, an existing connection) and only do any logging on 'the left overs', you'll have a much happier life.

Any chance of saying a few words about your network (is there a router/what is the 'net interface? what are the IP addresses?, that kind of thing)?
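One way to put salasi's ordering into practice, together with a parser for the question-3 problem of spotting a host that rattles many doors over time (an added example, not code from either poster; it assumes eth0 is the internet-facing interface, uses the LOG prefix "FW-drop: " with a trailing space so the prefix does not run into the IN= field, and apply_ruleset is only meant to be called as root):

```shell
#!/bin/sh
# Added example, not from the thread. Assumes eth0 is the internet-facing
# interface; the prefix "FW-drop: " is chosen here (trailing space on purpose).

# 1) Ruleset in salasi's order: accept the obvious first, log only the
#    leftovers (rate-limited), and let the INPUT policy DROP discard them.
apply_ruleset() {
    iptables -F INPUT
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW -j ACCEPT
    iptables -A INPUT -m limit --limit 15/minute --limit-burst 30 \
        -j LOG --log-level 7 --log-prefix "FW-drop: "
}

# 2) Parser for the log: per source, packets seen and distinct destination
#    ports. One source touching many ports is the door-rattling pattern, so
#    the output is sorted by that column. Format: SRC PKTS NPORTS PORT...
summarize_log() {
    grep 'FW-drop: ' | awk '
    {
        src = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (src == "") next
        pkts[src]++
        if (dpt != "" && !((src, dpt) in seen)) {
            seen[src, dpt] = 1; nports[src]++
            ports[src] = ports[src] " " dpt
        }
    }
    END { for (s in pkts) printf "%s %d %d%s\n", s, pkts[s], nports[s] + 0, ports[s] }
    ' | sort -k3,3nr -k2,2nr
}
# Constructed sample lines (a real LOG entry carries more fields than these).
sample_log() {
    cat <<'EOF'
Oct 23 09:40:01 box kernel: FW-drop: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=22 SYN
Oct 23 09:40:02 box kernel: FW-drop: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=23 SYN
Oct 23 09:40:03 box kernel: FW-drop: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=445 SYN
Oct 23 09:40:04 box kernel: FW-drop: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=22 SYN
Oct 23 09:41:10 box kernel: FW-drop: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=25 SYN
Oct 23 09:42:30 box kernel: unrelated message that the grep must skip
EOF
}
sample_log | summarize_log
```

On a live box, feed the real file instead: `summarize_log < /var/log/messages` (or wherever kern.debug lands in your syslog.conf).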
 
Old 10-23-2008, 09:30 PM   #3
lo-kəy
LQ Newbie
 
Registered: Oct 2008
Distribution: slackware
Posts: 10

Original Poster
Thanks for your reply,

First, to clarify: yes, this would be a new ruleset with all policies originally 'ALLOW'
(say a fresh slackware setup). I think you are wondering if I had fedora or something with a
preinstalled iptables setup.

Second, you lost me on the logging. The high volume of entries (repeats cut down by the iptables
rule) is WHY I need some direction on automatically parsing and sorting.

And near a thousand max lines of text daily with log rotation isn't going to give me hard drive
problems soon.