LinuxQuestions.org
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
07-25-2003, 04:56 PM   #1
Half_Elf (Guru; Registered: Sep 2001; Location: Montreal, Canada; Distribution: Slackware; Debian; Gentoo...)
Just want to be sure my iptables script is safe enough

I have a box here acting as a router. Soon (probably in 1 week) I'll start using it for production (meaning I'll no longer use it only for my personal use, but that someone will pay me to host his website).
So eh... I'm pretty scared about it hehehe. I just want to be CERTAIN I haven't forgotten something in my iptables script. It is working well right now, but... just to be sure...

The script is at this address: My Iptables Script. Take a look and tell me what you think about it, whether I forgot something important, whether I'm totally paranoid, or just useful tips.

NB: This script is made to run as an rc script, so it has a start and a stop function. Start refers to stop before doing anything.

NB2: elf.servebeer.com is NOT the box where this script is used. I say it to avoid lamers having fun with my "router".
08-01-2003, 02:09 PM   #2
unSpawn (Moderator; Registered: May 2001)
Except for "acceptable" weirdness like running SSH on ports not designated for SSH usage, the only thing I'd say is drop ICMP messages other than those you need for error control: type 3's (codes 0,1,3,6,7), and traceroute: type 11.

The way you went about rejecting may not seem OK to people bent on having a "stealthed" fw, but really it is well done. If you want to "see" final chain "decisions" I'd suggest adding LOG target rules before the final "verdict". That makes for good ingress/egress filtering, and if you can parse it right it should be a good addition, having some "early warning" capabilities wrt traffic "weirdness" and for troubleshooting traffic in general.

Looks good IMHO.
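The following is an added example (not Half_Elf's script, which is only linked above, and not unSpawn's code) of an rc-style iptables script that follows the shape described in post #1 (a stop function, and a start function that calls stop first) and applies both suggestions from the reply above: only the ICMP messages needed for error control are accepted (type 3 codes 0,1,3,6,7 and type 11), and a LOG rule sits directly before each chain's final DROP so the verdict is visible in the kernel log. The interface name eth0, the accepted services (SSH on 22, HTTP on 80), the log prefixes and rate limits are assumptions. Type 3 code 4 (fragmentation needed) is added beyond the post's list because dropping it breaks path-MTU discovery; it is marked as such in the script. Setting IPT="echo iptables" prints the rules instead of loading them, which is how the script can be reviewed without root.

```shell
#!/bin/sh
# Added example: rc-style iptables firewall with an ICMP whitelist and
# LOG-before-DROP. Not the OP's script. Usage: ./firewall.sh start|stop|restart
# IPT defaults to the real binary; set IPT="echo iptables" to dry-run.
IPT=${IPT:-iptables}
WAN=${WAN:-eth0}   # assumed external interface

# ICMP kept for error control, per the reply above: destination unreachable
# (type 3) codes 0,1,3,6,7 and time exceeded (type 11, used by traceroute).
# 3/4 (fragmentation needed) is an addition beyond the post's list: dropping it
# breaks path-MTU discovery for hosts behind this router.
ICMP_ALLOW="3/0 3/1 3/3 3/4 3/6 3/7 11"

flush() {
    $IPT -F
    $IPT -X
    $IPT -t nat -F
}

stop() {
    # Stop: flush every rule and fall back to open policies.
    flush
    $IPT -P INPUT ACCEPT
    $IPT -P FORWARD ACCEPT
    $IPT -P OUTPUT ACCEPT
}

icmp_rules() {
    # One ACCEPT per whitelisted type or type/code on the external interface;
    # any other inbound ICMP is logged and then dropped.
    for t in $ICMP_ALLOW; do
        $IPT -A INPUT -i "$WAN" -p icmp --icmp-type "$t" -j ACCEPT
    done
    $IPT -A INPUT -i "$WAN" -p icmp -j LOG --log-prefix "IPT icmp-drop: " --log-level info
    $IPT -A INPUT -i "$WAN" -p icmp -j DROP
}

start() {
    stop   # start refers to stop first, as in the OP's design
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP
    icmp_rules

    # Services actually hosted on this box (assumed: SSH and the customer's site).
    $IPT -A INPUT -i "$WAN" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -i "$WAN" -p tcp --dport 80 -m state --state NEW -j ACCEPT

    # LOG immediately before the final verdict so the chain's decisions are
    # visible; rate-limited so a flood cannot fill the log.
    $IPT -A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "IPT input-drop: "
    $IPT -A INPUT -j DROP

    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "IPT fwd-drop: "
    $IPT -A FORWARD -j DROP
}

case "${1:-}" in
    start)   start ;;
    stop)    stop ;;
    restart) stop; start ;;
    *)       ;;   # no action given: only define the functions
esac
```

Run `IPT="echo iptables" ./firewall.sh start` first and read the printed rules; the ICMP ACCEPTs must appear before the ICMP LOG/DROP pair, and every chain's LOG must be the line just before its DROP, otherwise the log never shows what the verdict actually dropped.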
08-01-2003, 09:35 PM   #3
Half_Elf (Original Poster)
Thank you for your reply, unSpawn.

Your humble opinion is very important to me since you are the moderator here.

Just a question about this:
Quote:
the only thing I'd say is drop ICMP messages other than those you need for error control: type 3's (codes 0,1,3,6,7), and traceroute: type 11.
My notes tell me that ICMP types 1 and 7 are unassigned and that 6 is ICMP redirection... Are my notes too old or...?

And thanks for your idea about the rules before the default drop.
08-02-2003, 04:34 PM   #4
unSpawn (Moderator)
AFAIK you should read it the other way around :-] A type 3 code 1 is unreachable: host, and type 3 code 7 is unreachable: dest host unknown...