is this firewall rule safe?

melinda_sayang · 12-21-2004, 01:28 AM

Hi,

I use Gentoo and share internet connection to laptop from this guide. So I have this script:

Code:

First we flush our current rules
# iptables -F
# iptables -t nat -F

Then we lock our services so they only work from the LAN
# iptables -I INPUT 1 -i eth0 -j ACCEPT
# iptables -I INPUT 1 -i lo -j ACCEPT
# iptables -A INPUT -p UDP --dport bootps -i ! eth0 -j REJECT
# iptables -A INPUT -p UDP --dport domain -i ! eth0 -j REJECT

(Optional) Allow access to our ssh server from the WAN
# iptables -A INPUT -p TCP --dport ssh -i eth1 -j ACCEPT

Drop TCP / UDP packets to privileged ports
# iptables -A INPUT -p TCP -i ! eth0 -d 0/0 --dport 0:1023 -j DROP
# iptables -A INPUT -p UDP -i ! eth0 -d 0/0 --dport 0:1023 -j DROP

Finally we add the rules for NAT
# iptables -I FORWARD -i eth0 -d 192.168.0.0/255.255.0.0 -j DROP
# iptables -A FORWARD -i eth0 -s 192.168.0.0/255.255.0.0 -j ACCEPT
# iptables -A FORWARD -i eth1 -d 192.168.0.0/255.255.0.0 -j ACCEPT
# iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
Tell the kernel that ip forwarding is OK
# echo 1 > /proc/sys/net/ipv4/ip_forward
# for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done

This is my output of "iptables -L":

Code:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     udp  --  anywhere             anywhere            udp dpt:bootps reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere            udp dpt:domain reject-with icmp-port-unreachable
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
DROP       tcp  --  anywhere             anywhere            tcp dpts:0:1023
DROP       udp  --  anywhere             anywhere            udp dpts:0:1023

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  anywhere             192.168.1.0/24
ACCEPT     all  --  192.168.1.0/24       anywhere
ACCEPT     all  --  anywhere             192.168.1.0/24

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Now I can happily share the internet connection to laptop. The question is.... before I share the internet connection to laptop, I use firestarter or guarddog to generate firewall rule. But I am afraid if I do that now, I cann't share the internet connection anymore. So I just stick with this script. Is this a safe firewall for desktop??? It looks safe as I can read the comment: Then we lock our services so they only work from the LAN But I just ask the confirmation.

Hangdog42 · 12-21-2004, 07:44 AM

I'm going to take the position that you don't actually have a firewall there. The reasoning is that all of the default policies are set to ACCEPT. That means that any packet that is not explicitly dropped is accepted, and to my way of thinking that means you don't have a firewall.

I'd suggest a good read of the iptables tutorial or do some searching here for example firewalls.