LinuxQuestions.org
Linux - Networking: Requesting some community review of my iptables.rules (https://www.linuxquestions.org/questions/linux-networking-3/requesting-some-community-review-of-my-iptables-rules-896907/)

psycroptic 08-12-2011 01:01 AM

Requesting some community review of my iptables.rules
 
How's it going?

I'm just looking for any sort of tips, tricks or hints as to how I can or should improve my iptables rules. My server box is Arch Linux, fully up to date with a 3.0 kernel and iptables v1.4.12. The machine has 2 network adapters and acts as a NAT router for my home network. eth0 is DHCP'd from my cable modem, eth1 is a static IP of 172.16.0.1/255.255.0.0 connected to my internal LAN. In addition to iptables, the server also runs BIND for local/forwarding/caching DNS, ISC DHCPd for DHCP server service inside the LAN, plus an SSH server for admin connection on eth1 and an NTP client to synchronize time with the US ntp.org pool, and finally Samba on the internal network for some basic file serving purposes.

I've often questioned the safety of running all of these services on the same machine, but don't exactly have an extra computer lying around with which to put into use to split up all of these things. I haven't noticed anything unusual on the server or any of the other systems on the LAN, and everything functions as I need it, so no "problems" in that sense. I'm just proposing my iptables config just so people here can review it and possibly give me anything noteworthy that they see with it. I've done numerous tests at Steve Gibson's ShieldsUp over at GRC.com, and have a completely stealthed setup according to that site, but I'd like some further peer review.

The iptables is configured to drop all unsolicited incoming traffic on the public internet (eth0) while allowing all traffic inside the LAN on eth1 to come through, plus some basic listen/establish openings as well as 3 ports for BitTorrent access to 3 different machines inside.

Any improvements anyone sees that I should make would be most welcome. Thanks! :cool:

Code:

# Generated by iptables-save v1.4.8 on Fri Jul 29 01:01:30 2011
*nat
:PREROUTING ACCEPT [3:310]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 12345 -j DNAT --to-destination 172.16.0.10
-A PREROUTING -i eth0 -p tcp -m tcp --dport 12346 -j DNAT --to-destination 172.16.0.11
-A PREROUTING -i eth0 -p tcp -m tcp --dport 12347 -j DNAT --to-destination 172.16.0.12
-A PREROUTING -i eth0 -p tcp -m tcp --dport 12348 -j DNAT --to-destination 172.16.0.13
-A POSTROUTING -s 172.16.0.0/16 -o eth0 -j MASQUERADE
COMMIT
# Completed on Fri Jul 29 01:01:30 2011
# Generated by iptables-save v1.4.8 on Fri Jul 29 01:01:30 2011
*filter
:INPUT DROP [3:310]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [15:1460]
:TCP - [0:0]
:UDP - [0:0]
:fw-interfaces - [0:0]
:fw-open - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j fw-interfaces
-A FORWARD -j fw-open
-A fw-interfaces -i eth1 -j ACCEPT
-A fw-open -d 172.16.0.10/32 -p tcp -m tcp --dport 12345 -j ACCEPT
-A fw-open -d 172.16.0.11/32 -p tcp -m tcp --dport 12346 -j ACCEPT
-A fw-open -d 172.16.0.12/32 -p tcp -m tcp --dport 12347 -j ACCEPT
-A fw-open -d 172.16.0.13/32 -p tcp -m tcp --dport 12348 -j ACCEPT
COMMIT
# Completed on Fri Jul 29 01:01:30 2011


janhe 08-12-2011 05:41 AM

The policy on your FORWARD queue is set to ACCEPT.
The rest of your rules would make more sense if it were set to DROP.

psycroptic 08-12-2011 10:19 AM

Quote:

Originally Posted by janhe (Post 4440680)
The policy on your FORWARD queue is set to ACCEPT.
The rest of your rules would make more sense if it were set to DROP.

I wouldn't think this would matter, seeing as my INPUT chain is set to drop, and AFAIK all traffic that passes the FORWARD chain must go through the INPUT chain first?

janhe 08-12-2011 10:26 AM

Quote:

Originally Posted by psycroptic (Post 4440950)
I wouldn't think this would matter, seeing as my INPUT chain is set to drop, and AFAIK all traffic that passes the FORWARD chain must go through the INPUT chain first?

Nope, see http://www.netfilter.org/documentati...g-HOWTO-6.html (written by the guy who wrote iptables).

The rules in your INPUT chain do not affect the rules in your OUTPUT chain nor your FORWARD chain.
(repeat with INPUT, OUTPUT and FORWARD swapped around)

psycroptic 08-12-2011 10:42 AM

Ah, I see. Thanks, I've changed that to DROP.

leo27 08-26-2011 04:40 AM

Hello there,

I'm in the stage of learning iptables and I need more real-world samples to assist me in my learning process. The case mentioned above is what I wanted to do with my Linux server, but I don't seem to understand the code generated by iptables-save. Can I request this code encoded in iptables syntax? Is it OK for you to post here the complete code? I know this would really help me. Thanks a lot.

psycroptic 08-26-2011 11:49 AM

Well, the code there is just the contents of my iptables.rules file, it's not really "executable" code. On my system (Arch Linux) it's located in /etc/iptables/iptables.rules. As far as I know, any iptables should be able to read this file.
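The two things this thread turns on are the iptables-save file format that leo27 asked about and janhe's point that the INPUT chain never sees forwarded packets, so FORWARD needs its own DROP policy. The following checker is an added example (it is not code from the thread or from any of the posters): it parses a dump in the iptables-save format shown above and reports a filter INPUT or FORWARD chain whose policy is not DROP, plus any nat PREROUTING DNAT rule that has no matching ACCEPT in the filter table (without that ACCEPT, a FORWARD DROP policy silently breaks the port forward). The sample dump is constructed from the poster's rules with FORWARD left at ACCEPT and one DNAT left without its fw-open rule, so that both findings show up.

```python
"""Lint an iptables-save dump for the two issues discussed in the thread.

Added example, not part of the original thread. It understands only the
subset of the iptables-save format that the posted rules use:
  *table, :CHAIN POLICY [pkts:bytes], -A CHAIN <args>, COMMIT, # comments.
"""
import re

# Constructed sample: the poster's rules, but with the FORWARD policy left at
# ACCEPT and the DNAT for 172.16.0.13 missing its fw-open ACCEPT rule.
SAMPLE_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 12345 -j DNAT --to-destination 172.16.0.10
-A PREROUTING -i eth0 -p tcp -m tcp --dport 12346 -j DNAT --to-destination 172.16.0.11
-A PREROUTING -i eth0 -p tcp -m tcp --dport 12348 -j DNAT --to-destination 172.16.0.13
-A POSTROUTING -s 172.16.0.0/16 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:fw-open - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j fw-open
-A fw-open -d 172.16.0.10/32 -p tcp -m tcp --dport 12345 -j ACCEPT
-A fw-open -d 172.16.0.11/32 -p tcp -m tcp --dport 12346 -j ACCEPT
COMMIT
"""


def parse_dump(text):
    """Return {table: {"policies": {chain: policy}, "rules": [(chain, args)]}}.

    A policy of "-" marks a user-defined chain (it has no default policy).
    """
    tables = {}
    table = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                                   # iptables-save comments
        if line.startswith("*"):
            table = line[1:]                           # "*filter" -> "filter"
            tables[table] = {"policies": {}, "rules": []}
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]       # ":INPUT DROP [3:310]"
            tables[table]["policies"][chain] = policy
        elif line.startswith("-A "):
            _, chain, args = line.split(" ", 2)        # "-A fw-open -d ... -j ACCEPT"
            tables[table]["rules"].append((chain, args))
        elif line == "COMMIT":
            table = None
    return tables


def _opt(args, flag):
    """Value following a flag such as "-d", "-p", "--dport", "-j", or None."""
    m = re.search(r"(?:^|\s)%s\s+(\S+)" % re.escape(flag), args)
    return m.group(1) if m else None


def find_issues(text):
    """Return a list of human-readable findings for an iptables-save dump."""
    tables = parse_dump(text)
    issues = []
    empty = {"policies": {}, "rules": []}
    filt = tables.get("filter", empty)

    # janhe's point: INPUT rules do not apply to forwarded packets, so both
    # chains that see unsolicited traffic need a DROP default of their own.
    for chain in ("INPUT", "FORWARD"):
        policy = filt["policies"].get(chain)
        if policy != "DROP":
            issues.append("filter %s policy is %s; should be DROP" % (chain, policy))

    # Every port forward needs both halves: the nat DNAT and a filter ACCEPT
    # for the rewritten destination, otherwise FORWARD DROP discards it.
    accepts = set()
    for _chain, args in filt["rules"]:
        if _opt(args, "-j") == "ACCEPT":
            dst = (_opt(args, "-d") or "").split("/")[0]     # strip /32
            accepts.add((dst, _opt(args, "-p"), _opt(args, "--dport")))
    for chain, args in tables.get("nat", empty)["rules"]:
        if chain == "PREROUTING" and _opt(args, "-j") == "DNAT":
            target = _opt(args, "--to-destination").split(":")[0]  # drop :port
            key = (target, _opt(args, "-p"), _opt(args, "--dport"))
            if key not in accepts:
                issues.append("DNAT to %s %s/%s has no matching filter ACCEPT" % key)
    return issues


if __name__ == "__main__":
    for issue in find_issues(SAMPLE_DUMP):
        print(issue)
```

Running it against the real file is a matter of `find_issues(open("/etc/iptables/iptables.rules").read())`; on the sample it reports the FORWARD policy and the orphaned DNAT for 172.16.0.13, and changing the policy line to `:FORWARD DROP` leaves only the DNAT finding.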

