Iptables user-defined chains
Hola,
Tonight I started making some firewall renovations to make the rules more manageable. I have created several different custom chains to segregate different rule sets from each other. Everything is going well with the exception of my DNS servers. I have posted my config for my firewall below.
Code:
# Generated by iptables-save v1.3.6 on Thu Jun 21 00:13:02 2007
*filter
:INPUT DROP [110:7953]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2214:1562876]
:BADHOST - [0:0]
:BADPORT - [0:0]
:GOODHOST - [0:0]
:SERVPORT - [0:0]
-A INPUT -j BADHOST
-A INPUT -j GOODHOST
-A INPUT -j SERVPORT
-A INPUT -j BADPORT
-A INPUT -i lo -j ACCEPT
-A INPUT -j LOG
-A BADHOST -s 59.0.0.0/255.0.0.0 -j DROP
-A BADHOST -s 222.0.0.0/255.0.0.0 -j DROP
-A BADHOST -s 125.0.0.0/255.0.0.0 -j DROP
-A BADHOST -s 207.38.5.161 -j DROP
-A BADHOST -s 204.15.193.132 -j DROP
-A BADHOST -s 220.166.64.216 -j DROP
-A BADHOST -s 64.146.9.218 -j DROP
-A BADHOST -s 218.0.0.0/255.0.0.0 -j DROP
-A BADHOST -s 87.0.0.0/255.0.0.0 -j DROP
-A BADHOST -s 122.0.0.0/255.0.0.0 -j DROP
-A BADHOST -s 122.124.128.141 -j DROP
-A BADHOST -s 69.93.167.202 -j DROP
-A BADHOST -s 66.98.254.217 -j DROP
-A BADHOST -s 64.146.9.218 -j DROP
-A BADPORT -p udp -m udp --dport 137:139 -j DROP
-A BADPORT -p tcp -m tcp --dport 139 -j DROP
-A BADPORT -p udp -m udp --dport 1025:1027 -j DROP
-A BADPORT -p udp -m udp --dport 67:68 -j DROP
-A BADPORT -p tcp -m tcp --dport 2967 -j DROP
-A BADPORT -p tcp -m tcp --dport 5900:5901 -j DROP
-A GOODHOST -s 70.60.0.0/255.252.0.0 -j ACCEPT
-A SERVPORT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A SERVPORT -d <WEB IP> -p tcp -m multiport --dports 22,80 -j ACCEPT
-A SERVPORT -d <WEB IP> -p tcp -m tcp --dport 80 -j ACCEPT
-A SERVPORT -d <DNS IP> -p udp -m udp --sport 53 --dport 53 -j ACCEPT
-A SERVPORT -d <DNS IP> -p tcp -m tcp --sport 53 --dport 53 -j ACCEPT
-A SERVPORT -d <MAIL IP> -p tcp -m multiport --dports 25,993 -j ACCEPT
-A SERVPORT -s <IP> -d <IP> -p udp -m multiport --dports 27500,27015 -j ACCEPT
-A SERVPORT -s <IP> -d <IP> -p udp -m udp --dport 27500 -j ACCEPT
COMMIT
I am not sure what I am missing... but I am obviously missing something.
EDIT: I see my stupid mistake. What are the chances of the source port being 53? ;)
If someone would like to point out a way to make these rules better, I am open to suggestions.
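An added example, not from the original post, that models how iptables walks INPUT through the user-defined chains above (a user chain that runs out of rules RETURNs to the caller; a built-in chain falls through to its policy), to show why the DNS rule with --sport 53 silently dropped ordinary client queries. The DNS address is a constructed placeholder for the post's <DNS IP>.

```python
from ipaddress import ip_address, ip_network

# Constructed sample address; the post masks its real one as <DNS IP>.
DNS_IP = "198.51.100.53"

def matches(r, pkt):
    """Only the matches the walkthrough needs: -s, -d, -p, --sport, --dport, -m state."""
    if "src" in r and ip_address(pkt["src"]) not in ip_network(r["src"]):
        return False
    if "state" in r and pkt.get("state") not in r["state"]:
        return False
    return all(pkt.get(k) == r[k] for k in ("dst", "proto", "sport", "dport") if k in r)

def walk(chain, pkt, rules, policy=None):
    """Walk a chain in order: ACCEPT/DROP end traversal, LOG does not, a jump to a
    user-defined chain recurses, and a user chain with no verdict RETURNs (None)."""
    for r in (r for r in rules if r["chain"] == chain):
        if not matches(r, pkt):
            continue
        if r["target"] in ("ACCEPT", "DROP"):
            return r["target"]
        if r["target"] != "LOG":            # jump to a user-defined chain
            v = walk(r["target"], pkt, rules)
            if v is not None:
                return v
    return policy  # INPUT falls through to its DROP policy; user chains return None

def ruleset(dns_rule):
    """Subset of the posted config, with the SERVPORT DNS rule supplied by the caller."""
    return [
        {"chain": "INPUT", "target": "BADHOST"},
        {"chain": "INPUT", "target": "GOODHOST"},
        {"chain": "INPUT", "target": "SERVPORT"},
        {"chain": "INPUT", "target": "BADPORT"},
        {"chain": "INPUT", "target": "LOG"},
        {"chain": "BADHOST", "target": "DROP", "src": "59.0.0.0/8"},
        {"chain": "GOODHOST", "target": "ACCEPT", "src": "70.60.0.0/14"},
        {"chain": "SERVPORT", "target": "ACCEPT", "state": ("RELATED", "ESTABLISHED")},
        {"chain": "SERVPORT", "target": "ACCEPT", **dns_rule},
    ]

ORIGINAL_DNS = {"dst": DNS_IP, "proto": "udp", "sport": 53, "dport": 53}  # as posted
FIXED_DNS = {"dst": DNS_IP, "proto": "udp", "dport": 53}                  # --sport removed

def dns_verdict(src, sport, dns_rule):
    """Verdict for a new UDP query to DNS_IP:53 from src using the given source port."""
    pkt = {"src": src, "dst": DNS_IP, "proto": "udp", "sport": sport, "dport": 53, "state": "NEW"}
    return walk("INPUT", pkt, ruleset(dns_rule), policy="DROP")
```

A resolver sending from an ephemeral port (e.g. 40123) gets DROP under ORIGINAL_DNS and ACCEPT under FIXED_DNS, while a source in BADHOST is still dropped first because that chain is jumped to before SERVPORT.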