LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 05-27-2002, 06:15 PM   #1
robeb
Member
 
Registered: May 2002
Posts: 113

Rep: Reputation: 15
Firewall Rules for daemons (Iptables)


When running daemons on ports like, SMTP, HTTP, POP-3, etc, what are some of the more secure firewall rules...

For example,

iptables -A INPUT -p tcp --dport 22 -j ACCEPT

opens up port 22 for ssh. Is that all I need or should I be more restrictive?

Another example,

iptables -A INPUT -p tcp --dport 80 -j ACCEPT

vs.

iptables -A INPUT -i extif -m state --state NEW,ESTABLISHED,RELATED -p tcp -d extip --dport 80 -j ACCEPT

This would make port 80 more secure by specifying that only packets arriving on the external NIC (extif), addressed to the external IP (extip), belonging to new, established or related connections, and destined to port 80 are allowed.

Do you want to be this restrictive with all your ports?

- Thank you
 
Old 05-27-2002, 06:40 PM   #2
Noerr
Member
 
Registered: May 2002
Location: Dalec, HU
Distribution: Redhat 7.3
Posts: 696

Rep: Reputation: 30
www.liunuxguruz.org/iptables
 
Old 05-27-2002, 07:54 PM   #3
robeb
Member
 
Registered: May 2002
Posts: 113

Original Poster
Rep: Reputation: 15
That appears to be a broken link... oops, no, I just misread it.

www.linuxguruz.org/iptables

Thanks, Noerr.

Last edited by robeb; 05-27-2002 at 07:56 PM.
 
Old 05-28-2002, 04:27 AM   #4
Noerr
Member
 
Registered: May 2002
Location: Dalec, HU
Distribution: Redhat 7.3
Posts: 696

Rep: Reputation: 30
sorry; typo
 
Old 05-28-2002, 01:20 PM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,409
Blog Entries: 55

Rep: Reputation: 3582
Re: Firewall Rules for daemons (Iptables)

Do you want to be this restrictive with all your ports?

IMO this depends on what the box's purpose is.
For instance, if it's a "free for all" ssh shell server you wouldn't be able to go beyond blocking traffic anomalies (unroutables, bogoid flags) on --dport 22. OTOH, if you need to guarantee ppl access to it, then, meditating on the "deny anything not explicitly allowed" mantra, I'd set it up for the ranges ppl administer/access it from (if manageable, of course).
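The two posts above (the original question about how restrictive per-daemon rules should be, and the "deny anything not explicitly allowed" answer with SSH limited to administrative ranges and anomalies dropped on the rest) can be put together in one ruleset. The script below is an added example written for this thread, not something any poster provided. It generates a default-deny ruleset in iptables-restore format instead of applying it, so it can be reviewed before loading; the interface name, the external address, the admin ranges and the public port list are placeholders (RFC 5737 documentation addresses) that would be replaced with real values.

```shell
#!/bin/sh
# Constructed example: build a default-deny INPUT ruleset for a box running
# public daemons (SMTP, HTTP, POP-3) plus SSH restricted to admin ranges.
# All values below are assumptions for illustration, not real site data.
EXTIF="${EXTIF:-eth0}"                                  # external NIC (extif)
EXTIP="${EXTIP:-203.0.113.10}"                          # external IP (extip)
ADMIN_NETS="${ADMIN_NETS:-192.0.2.0/24 198.51.100.5/32}" # where admins come from
PUBLIC_TCP="${PUBLIC_TCP:-25 80 110}"                   # SMTP, HTTP, POP-3
# Source ranges that must never appear on the external interface.
UNROUTABLES="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8"

build_rules() {
    echo "*filter"
    # Default policy: anything not explicitly allowed below is dropped.
    echo ":INPUT DROP [0:0]"
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    # Loopback traffic is always fine.
    echo "-A INPUT -i lo -j ACCEPT"
    # Traffic anomalies: packets conntrack cannot classify, bogus TCP flag
    # combinations, and spoofed sources (our own address or private ranges)
    # arriving on the external side. Note: if admins genuinely connect from
    # an RFC 1918 range over EXTIF, that range must not be in UNROUTABLES.
    echo "-A INPUT -m state --state INVALID -j DROP"
    echo "-A INPUT -p tcp --tcp-flags ALL NONE -j DROP"
    echo "-A INPUT -p tcp --tcp-flags ALL ALL -j DROP"
    echo "-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP"
    echo "-A INPUT -i $EXTIF -s $EXTIP -j DROP"
    for net in $UNROUTABLES; do
        echo "-A INPUT -i $EXTIF -s $net -j DROP"
    done
    # Return traffic for connections already accepted or opened by this box.
    echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # SSH: new connections only from the administrative ranges.
    for net in $ADMIN_NETS; do
        echo "-A INPUT -i $EXTIF -d $EXTIP -s $net -p tcp --dport 22 -m state --state NEW -j ACCEPT"
    done
    # Public daemons: new connections from anywhere, but only on the
    # external interface and address, one rule per port.
    for port in $PUBLIC_TCP; do
        echo "-A INPUT -i $EXTIF -d $EXTIP -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    echo "COMMIT"
}

# Number of ACCEPT rules in the generated set; handy for a sanity check
# before the ruleset is loaded.
count_accepts() {
    build_rules | grep -c -- '-j ACCEPT'
}

# Usage (as root, after reviewing the output):
#   build_rules > /tmp/rules.v4
#   iptables-restore < /tmp/rules.v4
```

Everything that is not listed ends up in the DROP policy, so adding a new daemon means adding one explicit ACCEPT line rather than remembering to close something. Being restrictive about the interface and destination address costs nothing for the public ports; the per-source restriction is what only makes sense for a service like SSH whose clients are known in advance.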
 
Old 05-31-2002, 05:27 PM   #6
Noerr
Member
 
Registered: May 2002
Location: Dalec, HU
Distribution: Redhat 7.3
Posts: 696

Rep: Reputation: 30
There's much more to a firewall than just
iptables -P INPUT DROP
iptables -A INPUT -p tcp --dport xx -j ACCEPT
but it's good to be restrictive, if you want to play safe.
 