Old 12-21-2004, 02:28 AM   #1
Registered: Dec 2003
Location: Petaling Jaya
Distribution: Ubuntu
Posts: 475
is this firewall rule safe?


I use Gentoo and share my internet connection with a laptop, following this guide. So I have this script:
First we flush our current rules
# iptables -F
# iptables -t nat -F

Then we lock our services so they only work from the LAN
# iptables -I INPUT 1 -i eth0 -j ACCEPT
# iptables -I INPUT 1 -i lo -j ACCEPT
# iptables -A INPUT -p UDP --dport bootps -i ! eth0 -j REJECT
# iptables -A INPUT -p UDP --dport domain -i ! eth0 -j REJECT

(Optional) Allow access to our ssh server from the WAN
# iptables -A INPUT -p TCP --dport ssh -i eth1 -j ACCEPT

Drop TCP / UDP packets to privileged ports
# iptables -A INPUT -p TCP -i ! eth0 -d 0/0 --dport 0:1023 -j DROP
# iptables -A INPUT -p UDP -i ! eth0 -d 0/0 --dport 0:1023 -j DROP

Finally we add the rules for NAT
# iptables -I FORWARD -i eth0 -d -j DROP
# iptables -A FORWARD -i eth0 -s -j ACCEPT
# iptables -A FORWARD -i eth1 -d -j ACCEPT
# iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
Tell the kernel that ip forwarding is OK
# echo 1 > /proc/sys/net/ipv4/ip_forward
# for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done
This is my output of "iptables -L":
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     udp  --  anywhere             anywhere            udp dpt:bootps reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere            udp dpt:domain reject-with icmp-port-unreachable
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
DROP       tcp  --  anywhere             anywhere            tcp dpts:0:1023
DROP       udp  --  anywhere             anywhere            udp dpts:0:1023

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  anywhere   
ACCEPT     all  --       anywhere
ACCEPT     all  --  anywhere   

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Now I can happily share the internet connection with the laptop. The question is: before I shared the internet connection with the laptop, I used firestarter or guarddog to generate the firewall rules. But I am afraid that if I do that now, I can't share the internet connection anymore. So I just stick with this script. Is this a safe firewall for a desktop? It looks safe, as I can read the comment "Then we lock our services so they only work from the LAN", but I am just asking for confirmation.
Old 12-21-2004, 08:44 AM   #2
LQ Veteran
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
I'm going to take the position that you don't actually have a firewall there. The reasoning is that all of the default policies are set to ACCEPT. That means that any packet that is not explicitly dropped is accepted, and to my way of thinking that means you don't have a firewall.

I'd suggest a good read of the iptables tutorial or do some searching here for example firewalls.
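To make the reply's point concrete, here is an added example (not code from either poster): a small shell script that flags every chain whose policy is ACCEPT in an "iptables -L" listing like the one in the question, and prints a default-deny version of the posted script. Interface roles follow the original (eth0 = LAN, eth1 = WAN); the LAN subnet is an assumed placeholder that has to be filled in.

```shell
#!/bin/sh
# Added example, not from the thread. Detects ACCEPT default policies in an
# "iptables -L" listing and emits a default-deny ruleset for a NAT gateway.

# Listing constructed to mirror the one posted in the question.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# Print the name of every chain whose default policy is ACCEPT, one per line.
accept_policy_chains() {
    printf '%s\n' "$1" | sed -n 's/^Chain \([A-Z]*\) (policy ACCEPT)$/\1/p'
}

# Succeed (exit 0) only if no chain in the listing defaults to ACCEPT.
is_default_deny() {
    [ -z "$(accept_policy_chains "$1")" ]
}

# Emit a default-deny ruleset: policies DROP, explicit allows, stateful replies.
# Args: LAN interface, WAN interface, LAN subnet (placeholder if omitted).
hardened_rules() {
    lan_if=${1:-eth0}; wan_if=${2:-eth1}; lan_net=${3:-LAN_NET_PLACEHOLDER/24}
    cat <<EOF
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $lan_if -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $wan_if -p tcp --dport ssh -j ACCEPT
iptables -A FORWARD -i $lan_if -s $lan_net -o $wan_if -j ACCEPT
iptables -A FORWARD -i $wan_if -o $lan_if -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $wan_if -s $lan_net -j MASQUERADE
EOF
}
```

With DROP policies, the bootps/domain REJECT lines and the privileged-port DROP lines of the original script become unnecessary, because anything not explicitly accepted is already dropped.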

