LinuxQuestions.org

Linux - Security: is this firewall rule safe? (https://www.linuxquestions.org/questions/linux-security-4/is-this-firewall-rule-safe-268671/)

melinda_sayang 12-21-2004 01:28 AM

is this firewall rule safe?
 
Hi,

I use Gentoo and share my internet connection with my laptop, following this guide. So I have this script:
Code:

First we flush our current rules
# iptables -F
# iptables -t nat -F

Then we lock our services so they only work from the LAN
# iptables -I INPUT 1 -i eth0 -j ACCEPT
# iptables -I INPUT 1 -i lo -j ACCEPT
# iptables -A INPUT -p UDP --dport bootps -i ! eth0 -j REJECT
# iptables -A INPUT -p UDP --dport domain -i ! eth0 -j REJECT

(Optional) Allow access to our ssh server from the WAN
# iptables -A INPUT -p TCP --dport ssh -i eth1 -j ACCEPT

Drop TCP / UDP packets to privileged ports
# iptables -A INPUT -p TCP -i ! eth0 -d 0/0 --dport 0:1023 -j DROP
# iptables -A INPUT -p UDP -i ! eth0 -d 0/0 --dport 0:1023 -j DROP

Finally we add the rules for NAT
# iptables -I FORWARD -i eth0 -d 192.168.0.0/255.255.0.0 -j DROP
# iptables -A FORWARD -i eth0 -s 192.168.0.0/255.255.0.0 -j ACCEPT
# iptables -A FORWARD -i eth1 -d 192.168.0.0/255.255.0.0 -j ACCEPT
# iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

Tell the kernel that ip forwarding is OK
# echo 1 > /proc/sys/net/ipv4/ip_forward
# for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done

This is my output of "iptables -L":
Code:

Chain INPUT (policy ACCEPT)
target    prot opt source              destination
ACCEPT    all  --  anywhere            anywhere
ACCEPT    all  --  anywhere            anywhere
REJECT    udp  --  anywhere            anywhere            udp dpt:bootps reject-with icmp-port-unreachable
REJECT    udp  --  anywhere            anywhere            udp dpt:domain reject-with icmp-port-unreachable
ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:ssh
DROP      tcp  --  anywhere            anywhere            tcp dpts:0:1023
DROP      udp  --  anywhere            anywhere            udp dpts:0:1023

Chain FORWARD (policy ACCEPT)
target    prot opt source              destination
DROP      all  --  anywhere            192.168.1.0/24
ACCEPT    all  --  192.168.1.0/24      anywhere
ACCEPT    all  --  anywhere            192.168.1.0/24

Chain OUTPUT (policy ACCEPT)
target    prot opt source              destination


Now I can happily share the internet connection with the laptop. The question is.... before I shared the internet connection with the laptop, I used firestarter or guarddog to generate the firewall rules. But I am afraid that if I do that now, I can't share the internet connection anymore. So I just stick with this script. Is this a safe firewall for a desktop??? It looks safe, as I can read the comment: "Then we lock our services so they only work from the LAN." But I just ask for confirmation.

Hangdog42 12-21-2004 07:44 AM

I'm going to take the position that you don't actually have a firewall there. The reasoning is that all of the default policies are set to ACCEPT. That means that any packet that is not explicitly dropped is accepted, and to my way of thinking that means you don't have a firewall.

I'd suggest a good read of the iptables tutorial or do some searching here for example firewalls.
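The point Hangdog42 makes about default policies, applied to the script in the first post: the following is an added example, not code from either poster or from the Gentoo guide. It keeps the same services (LAN and loopback trusted, NAT for the LAN, optional ssh from the WAN) but sets the INPUT and FORWARD policies to DROP and admits return traffic through connection tracking, so a packet that no rule matches is dropped instead of accepted. The interface names (eth0 LAN, eth1 WAN), the LAN prefix and the ssh port are assumptions taken from the thread and can be overridden through environment variables; `RUN=echo` prints the commands without applying them.

```shell
#!/bin/sh
# Added example: a default-deny rewrite of the ruleset quoted in the first post.
# Interface names, LAN prefix and ssh port are assumptions taken from the thread
# (eth0 = LAN, eth1 = WAN, 192.168.0.0/16, port 22); override them as needed.
LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.0.0/16}"
SSH_PORT="${SSH_PORT:-22}"

# Set RUN=echo to print the commands instead of executing them (dry run).
RUN="${RUN:-}"

firewall_rules() {
    # Start from empty tables, as the original script does.
    $RUN iptables -F
    $RUN iptables -t nat -F

    # The key change: default policies of DROP. Anything the rules below do
    # not explicitly accept is now dropped rather than accepted by default.
    $RUN iptables -P INPUT DROP
    $RUN iptables -P FORWARD DROP
    $RUN iptables -P OUTPUT ACCEPT

    # Trusted sources: loopback and the LAN side.
    $RUN iptables -A INPUT -i lo -j ACCEPT
    $RUN iptables -A INPUT -i "$LAN_IF" -j ACCEPT

    # Replies to connections this host opened itself (DNS lookups, updates, ...).
    $RUN iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Optional: ssh from the WAN, the one service the original exposes on purpose.
    $RUN iptables -A INPUT -i "$WAN_IF" -p tcp --dport "$SSH_PORT" \
        -m conntrack --ctstate NEW -j ACCEPT

    # The original's REJECT rules for bootps/domain and its DROP rules for
    # ports 0:1023 are no longer needed: unsolicited WAN traffic to any port,
    # privileged or not, falls through to the DROP policy.

    # Forwarding: LAN hosts may open connections outward; only replies come back in.
    $RUN iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    $RUN iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$LAN_NET" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $RUN iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE

    # Kernel settings from the original, set via sysctl instead of writing /proc.
    $RUN sysctl -w net.ipv4.ip_forward=1
    $RUN sysctl -w net.ipv4.conf.all.rp_filter=1
}

# Apply only when asked for explicitly: run `sh firewall.sh apply` as root.
if [ "${1:-}" = "apply" ]; then
    firewall_rules
fi
```

Run it once with `RUN=echo sh firewall.sh apply` to review the generated commands before applying them. If the original script is kept instead, note that its inverted interface match `-i ! eth0` is the 2004-era syntax; current iptables releases expect `! -i eth0`.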
