LinuxQuestions.org
Visit the LQ Articles and Editorials section
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
LinkBack Search this Thread
Old 12-21-2004, 01:28 AM   #1
melinda_sayang
Member
 
Registered: Dec 2003
Location: Petaling Jaya
Distribution: Ubuntu
Posts: 475

Rep: Reputation: 31
is this firewall rule safe?


Hi,

I use Gentoo and share internet connection to laptop from this guide. So I have this script:
Code:
First we flush our current rules
# iptables -F
# iptables -t nat -F

Then we lock our services so they only work from the LAN
# iptables -I INPUT 1 -i eth0 -j ACCEPT
# iptables -I INPUT 1 -i lo -j ACCEPT
# iptables -A INPUT -p UDP --dport bootps -i ! eth0 -j REJECT
# iptables -A INPUT -p UDP --dport domain -i ! eth0 -j REJECT

(Optional) Allow access to our ssh server from the WAN
# iptables -A INPUT -p TCP --dport ssh -i eth1 -j ACCEPT

Drop TCP / UDP packets to privileged ports
# iptables -A INPUT -p TCP -i ! eth0 -d 0/0 --dport 0:1023 -j DROP
# iptables -A INPUT -p UDP -i ! eth0 -d 0/0 --dport 0:1023 -j DROP

Finally we add the rules for NAT
# iptables -I FORWARD -i eth0 -d 192.168.0.0/255.255.0.0 -j DROP
# iptables -A FORWARD -i eth0 -s 192.168.0.0/255.255.0.0 -j ACCEPT
# iptables -A FORWARD -i eth1 -d 192.168.0.0/255.255.0.0 -j ACCEPT
# iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
Tell the kernel that ip forwarding is OK
# echo 1 > /proc/sys/net/ipv4/ip_forward
# for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done
This is my output of "iptables -L":
Code:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     udp  --  anywhere             anywhere            udp dpt:bootps reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere            udp dpt:domain reject-with icmp-port-unreachable
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
DROP       tcp  --  anywhere             anywhere            tcp dpts:0:1023
DROP       udp  --  anywhere             anywhere            udp dpts:0:1023

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  anywhere             192.168.1.0/24
ACCEPT     all  --  192.168.1.0/24       anywhere
ACCEPT     all  --  anywhere             192.168.1.0/24

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Now I can happily share the internet connection to laptop. The question is.... before I share the internet connection to laptop, I use firestarter or guarddog to generate firewall rule. But I am afraid if I do that now, I cann't share the internet connection anymore. So I just stick with this script. Is this a safe firewall for desktop??? It looks safe as I can read the comment: Then we lock our services so they only work from the LAN But I just ask the confirmation.
 
Old 12-21-2004, 07:44 AM   #2
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,769
Blog Entries: 1

Rep: Reputation: 410Reputation: 410Reputation: 410Reputation: 410Reputation: 410
I'm going to take the position that you don't actually have a firewall there. The reasoning is that all of the default policies are set to ACCEPT. That means that any packet that is not explicitly dropped is accepted, and to my way of thinking that means you don't have a firewall.

I'd suggest a good read of the iptables tutorial or do some searching here for example firewalls.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Trackbacks are Off
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Rule for internal ping on firewall Centinul Linux - Networking 3 08-27-2005 09:41 AM
newbie - firewall rule danimalz Linux - Security 3 07-30-2005 07:25 AM
funny new firewall rule tom_from_van Linux - Security 3 07-19-2005 11:39 AM
APF Firewall Rule Help embsupafly Linux - Security 1 03-08-2005 11:00 PM
Need A Firewall Rule linuxboy69 Linux - Software 1 11-26-2003 04:29 PM


All times are GMT -5. The time now is 08:03 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration