IPtables Script Review
 

Hello everyone! I've written an IPtables script for my server which won't be routing anything. I'd like any input on anything you see that may not work (I haven't tested this yet as I don't want to lock myself out of SSH!).


Okay below's the script. Are the protocols correct? I'm not sure which run on TCP and which on UDP. Also, are ICMP packets such as ping dropped because of my DROP default for the input chain? Shouldn't I add -j ACCEPT to the state line as well?

Thanks!

HI,

you need to put 1 instead of 0 here.

echo 1 > /proc/sys/net/ipv4/ip_forward

to forward the packets.

akumar@roseint.com

Why should he forward his packets? The machine in not a gateway.
And why do you put OUTPUT -> ACCEPT?

I want packets heading out of the machine to be allowed at first.. once I test this and get the machine configured I'll probably deny those and add specific holes to allow.

Will hit the INPUT DROP first. I would move that to last in the chain.

Will hit the INPUT DROP first. I would move that to last in the chain.
Take a closer look. The first INPUT rule is the policy rule. The first rule that will really be at the top of the INPUT chain is the --dport 80 rule.

In general it's a pretty basic firewall, not bad just basic. The second --dport 80 rule is redundant (you are already allowing all port 80 traffic through with this rule:

$IPTABLES -A INPUT -j ACCEPT -p tcp --dport 80

so you don't need this one:

$IPTABLES -A INPUT -j ACCEPT -p tcp --dport 80 --tcp-flags SYN,FIN,ACK SYN

I think you'll also find ftp doesn't work really well with your firewall like that (unless you limit clients to active ftp). Normally passive ftp will require you to open up a chunk of ports > 1023 (check your ftp servers docs). You could do some egress filtering (as per dominants post), restrict DNS packets to only those of your DNS server (or your ISPs) and systems on your network. If you want to get a little more complex, you could add some things like burst limiting/logging rules and drop spoofed IPs.

cc is correct. you dont want your ftp clients controlling the connection with active ftp. passive leaves the server in control. if you are using vsftpd, you can state a range of ports to use for passive ftp. heres what you want to set in the vsftpd.conf...

other ftpd's have similar settings.

you are missing -s [source] on all your rules. so services like http/smtp/pop you want to have -s 0/0 set for accept from anywhere. if you are afraid of locking yourself out of ssh, you can use the -s flag and a few spesific trusted IPs, or your intenal network, to give yourself a backdoor to the system in the case you blow up your connection. you might want to set up a rule to accep all from localhost, just in case [ever had this happen? i have. woo] things blow up on your local interface.

if you are running apache, you may also want to open up port 443 for https if you need secure communications.