Requesting some community review of my iptables.rules
How's it going?
I'm just looking for any sort of tips, tricks or hints as to how I can or should improve my iptables rules. My server box is Arch Linux, fully up to date with a 3.0 kernel and iptables v1.4.12. The machine has 2 network adapters and acts as a NAT router for my home network. eth0 is DHCP'd from my cable modem, eth1 is a static IP of 172.16.0.1/255.255.0.0 connected to my internal LAN. In addition to iptables, the server also runs BIND for local/forwarding/caching DNS, ISC DHCPd for DHCP server service inside the LAN, plus an SSH server for admin connection on eth1 and an NTP client to synchronize time with the US ntp.org pool, and finally Samba on the internal network for some basic file serving purposes. I've often questioned the safety of running all of these services on the same machine, but don't exactly have an extra computer lying around with which to split up all of these things. I haven't noticed anything unusual on the server or any of the other systems on the LAN, and everything functions as I need it, so no "problems" in that sense. I'm just posting my iptables config so people here can review it and possibly give me anything noteworthy that they see with it. I've done numerous tests at Steve Gibson's ShieldsUp over at GRC.com, and have a completely stealthed setup according to that site, but I'd like some further peer review. iptables is configured to drop all unsolicited incoming traffic on the public internet (eth0) while allowing all traffic inside the LAN on eth1 to come through, plus some basic listen/establish openings as well as 3 ports for BitTorrent access to 3 different machines inside. Any improvements anyone sees that I should make would be most welcome. Thanks! :cool: Code:
# Generated by iptables-save v1.4.8 on Fri Jul 29 01:01:30 2011
The policy on your FORWARD queue is set to ACCEPT.
The rest of your rules would make more sense if it were set to DROP.
The rules in your INPUT chain do not affect the rules in your OUTPUT chain nor your FORWARD chain. (Repeat with INPUT, OUTPUT and FORWARD swapped around.)
Ah, I see. Thanks, I've changed that to DROP.
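The kind of rule set the two replies are steering towards (FORWARD policy DROP, so only LAN-originated flows and the explicitly forwarded BitTorrent ports pass the router), as an added example that is not the OP's iptables.rules file: a POSIX sh generator that writes an iptables-restore file for the setup described in the first post. It assumes eth0 is the WAN side and eth1 the LAN side on 172.16.0.0/16; the three port/host pairs in BT_FORWARDS are placeholders, since the thread does not give the real ones.

```shell
#!/bin/sh
# Added example, not the OP's rules: emit an iptables-restore file for a
# two-interface NAT router. WAN/LAN names and LAN_NET follow the thread;
# the BitTorrent port:host pairs are placeholders (real ones not on the page).
WAN=eth0
LAN=eth1
LAN_NET=172.16.0.0/16
BT_FORWARDS="6881:172.16.0.10 6882:172.16.0.11 6883:172.16.0.12"

emit_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Hide the LAN behind the (dynamic) WAN address
-A POSTROUTING -s $LAN_NET -o $WAN -j MASQUERADE
EOF
    for fwd in $BT_FORWARDS; do            # DNAT each BitTorrent port inward
        port=${fwd%%:*}; host=${fwd#*:}
        echo "-A PREROUTING -i $WAN -p tcp --dport $port -j DNAT --to-destination $host:$port"
    done
    cat <<EOF
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# LAN side is trusted (DNS, SSH, Samba); NTP replies match ESTABLISHED above
-A INPUT -i $LAN -s $LAN_NET -j ACCEPT
# DHCP requests come from 0.0.0.0, so the subnet rule above does not match them
-A INPUT -i $LAN -p udp --sport 68 --dport 67 -j ACCEPT
# FORWARD is DROP by default: only LAN-originated flows and DNATed ports pass
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT
EOF
    for fwd in $BT_FORWARDS; do            # matching FORWARD accept per DNAT
        port=${fwd%%:*}; host=${fwd#*:}
        echo "-A FORWARD -i $WAN -o $LAN -p tcp -d $host --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo COMMIT
}

# Usage: emit_rules > /etc/iptables/iptables.rules && iptables-restore < /etc/iptables/iptables.rules
```

Without the per-port FORWARD rule, a DNATed packet is rewritten in nat PREROUTING but then hits the FORWARD DROP policy, which is why each forward needs both lines.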
Hello there,
I'm in the stage of learning iptables and I need more real-world samples to assist me in my learning process. The case mentioned above is what I wanted to do with my Linux server, but I don't seem to understand the code generated by iptables-save. Can I request this code in iptables syntax? Is it OK for you to post the complete code here? I know this would really help me. Thanks a lot.
Well, the code there is just the contents of my iptables.rules file, it's not really "executable" code. On my system (Arch Linux) it's located in /etc/iptables/iptables.rules. As far as I know, any iptables should be able to read this file.