Firewall Rules for daemons (Iptables)

robeb · 05-27-2002, 05:15 PM

When running daemons on ports like, SMTP, HTTP, POP-3, etc, what are some of the more secure firewall rules...

For example,

Iptables -A INPUT -p tcp --dport 22,

opens up port 22 for ssh. Is that all I need or should I be more restrictive?

Another example,

Iptables -A INPUT -p tcp --dport 80

vs.

Iptabes -A INPUT -i extif -m state --state \ NEW,ESTABLISHED,RELATED -p tcp -s -d extip --dport 80 -j ACCEPT

This would make port 80 more secure by specifying only packets going to the external NIC (extif), on the external IP (extip) which are new, established or related connections, and destinted to port 80 are allowed.

Do you want to be this restrictive with all your ports?

- Thank you

Noerr · 05-27-2002, 05:40 PM

www.liunuxguruz.org/iptables

robeb · 05-27-2002, 06:54 PM

that appears to be a broken link...oops, no I just misread it

www.linuxguruz.org/iptables

thank Noerr

Noerr · 05-28-2002, 03:27 AM

sorry; typo

unSpawn · 05-28-2002, 12:20 PM

Do you want to be this restrictive with all your ports?

IMO this depends on what's the boxes purpose.
For instance if it's a "free for all" ssh shell server you wouldn't be able to go beyond blocking traffic anomalies (unroutables, bogoid flags) on --dport 22. OTOH, if you need to guarantee ppl access to it, then meditating on the "deny anything not explicitly allowed" mantra I'd set it up for the ranges ppl administer/access it from (if managable ofcourse).

Noerr · 05-31-2002, 04:27 PM

it's much more to firewall than just
-p drop
-dport xx -J ACCEPT
but it's good to be restrictive, if you want to play safe