LinuxQuestions.org
01-31-2002, 10:00 AM   #1
GT-GEO
LQ Newbie
 
Registered: Nov 2001
Location: Rep. Georgia
Distribution: RedHat
Posts: 11

Rep: Reputation: 0
What is your opinion about my firewall rules?


I have no NAT. All IPs are real in my network.

#MODULES
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_REJECT
#clear rules (filter table only)
iptables -F
#INPUT-- external interface on server.
#rate-limited log of everything reaching INPUT; LOG is non-terminating, so processing continues
iptables -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "
#drop new TCP connections that do not start with SYN
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
#rate-limited ACCEPT of RST, SYN and echo-request (default --limit-burst is 5)
iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
iptables -A INPUT -p tcp --syn -m limit --limit 1/s -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
#anti-spoofing: loopback, our own net and private addresses must never arrive on eth1
iptables -A INPUT -i eth1 -s 127.0.0.1 -j DROP
iptables -A INPUT -i eth1 -s 213.157.1.1/27 -j DROP
iptables -A INPUT -i eth1 -s 213.157.1.2 -j DROP
iptables -A INPUT -i eth1 -s 192.168.0.0/255.255.0.0 -j DROP #/255.255.255.255 matched only 192.168.0.0 itself
#local services that must not be reachable from outside
iptables -A INPUT -i eth1 -s 0/0 -p TCP --dport 6060 -j DROP #squid = 6060 port
iptables -A INPUT -i eth1 -s 0/0 -p TCP --dport 4040 -j DROP #socks = 4040 port
iptables -A INPUT -i eth1 -s 0/0 -p UDP --dport 6060 -j DROP
iptables -A INPUT -i eth1 -s 0/0 -p UDP --dport 4040 -j DROP
iptables -A INPUT -i eth1 -s 0/0 -p TCP --dport 22 -j DROP
iptables -A INPUT -i eth1 -s 0/0 -p TCP --dport 110 -j DROP
iptables -A INPUT -i eth1 -s 0/0 -p TCP --dport 1032 -j DROP
iptables -A INPUT -i eth1 -s 0/0 -p TCP --dport 1812 -j DROP
iptables -A INPUT -i eth1 -s 0/0 -p TCP --dport 1813 -j DROP
iptables -A INPUT -i eth1 -s 0/0 -p TCP --dport 3130 -j DROP
iptables -A INPUT -i eth1 -s 0/0 -p TCP --dport 3306 -j DROP
iptables -A INPUT -i eth1 -s 0/0 -p UDP --dport 3306 -j DROP
#FORWARD-- traffic routed between eth1 and the internal network
iptables -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died: "
#OUT--TCP
iptables -A FORWARD -o eth1 -s 213.157.1.1/27 -p TCP --dport 110 -d pop.mail.yahoo.com -j ACCEPT
iptables -A FORWARD -o eth1 -s 213.157.1.1/27 -p TCP --dport 110 -d mail.online.ge -j ACCEPT
#INPUT--TCP
iptables -A FORWARD -i eth1 -s pop.mail.yahoo.com -p TCP --sport 110 -d 213.157.1.1/27 -j ACCEPT
iptables -A FORWARD -i eth1 -s mail.online.ge -p TCP --sport 25 -d 213.157.1.1/27 -j ACCEPT
#OUT--ICMP
iptables -A FORWARD -o eth1 -s 213.157.1.1/27 -p ICMP --icmp-type 8 -j ACCEPT
#INPUT--ICMP
iptables -A FORWARD -i eth1 -d 213.157.1.1/27 -p ICMP --icmp-type 0 -j ACCEPT
iptables -A FORWARD -i eth1 -s 0/0 -p ICMP --icmp-type 8 -j DROP
iptables -A FORWARD -i eth1 -d 213.157.1.1/27 -p ICMP --icmp-type 3 -j ACCEPT
iptables -A FORWARD -i eth1 -d 213.157.1.1/27 -p ICMP --icmp-type 5 -j ACCEPT
iptables -A FORWARD -i eth1 -d 213.157.1.1/27 -p ICMP --icmp-type 11 -j ACCEPT
#rate-limited ACCEPT of RST, SYN and echo-request for forwarded traffic
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
#DENY ALL (everything else arriving on eth1)
iptables -A FORWARD -i eth1 -j DROP
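The INPUT chain above is walked top to bottom and the first terminating match decides a packet's fate, so where the rate-limited SYN ACCEPT sits relative to the per-port DROPs matters. The Python script below is an added example and not part of the original post or the poster's ruleset: a first-match simulator covering only the options those INPUT rules use (-i, -s, -p, --dport, --syn, -m limit with iptables' default burst of 5, and the ACCEPT, DROP and LOG targets; connection tracking is not modelled, so the state-based rule is left out). It sends a constructed burst of six SYNs from the made-up outside address 198.51.100.7 through three of the posted rules in their posted order, and again with the port-22 DROP moved first. In the posted order the first five SYNs to port 22 are accepted by the limit rule before the port-22 DROP is ever consulted; with the DROP first all six are dropped; and a SYN to a port that has no DROP rule falls through to the chain policy, which the script never sets and which therefore stays at ACCEPT.

```python
"""Added example, not the poster's code: a first-match simulator for the iptables options
the posted INPUT chain uses (-i, -s, -p, --dport, --syn, -m limit, ACCEPT/DROP/LOG).
'-m limit' is modelled as a token bucket; connection tracking is not modelled at all."""
import ipaddress
import shlex
from collections import namedtuple

UNIT_SECONDS = {"s": 1, "second": 1, "m": 60, "minute": 60, "h": 3600, "hour": 3600, "d": 86400, "day": 86400}
# t is the arrival time in seconds; syn means SYN set with ACK/RST/FIN clear, which is what --syn matches
Packet = namedtuple("Packet", "iface_in src proto t dport syn")

class TokenBucket:
    """'-m limit': starts full with 'burst' tokens and refills at 'rate' tokens per second."""
    def __init__(self, rate, burst):
        self.rate, self.burst, self.tokens, self.last = rate, burst, float(burst), 0.0
    def allow(self, t):
        self.tokens = min(self.burst, self.tokens + (t - self.last) * self.rate)
        self.last = t
        if self.tokens < 1:
            return False
        self.tokens -= 1
        return True

# option -> (Packet field it is checked against, converter for the option's argument)
CONV = {"-i": ("iface_in", str), "-p": ("proto", str.lower), "--dport": ("dport", int),
        "-s": ("src", lambda v: ipaddress.ip_network("0.0.0.0/0" if v == "0/0" else v, strict=False))}
IGNORED = {"-m", "--log-level", "--log-prefix"}   # take one argument each and do not filter anything here

def parse_rule(line):
    """One 'iptables -A CHAIN ...' line -> {'chain', 'target', 'match', 'limit'}."""
    toks = shlex.split(line)
    assert toks[:2] == ["iptables", "-A"], line
    rule = {"chain": toks[2], "target": None, "match": {}, "limit": None}
    rate, burst, i = None, 5, 3          # 5 is iptables' default --limit-burst
    while i < len(toks):
        tok = toks[i]
        if tok == "--syn":
            rule["match"]["syn"], i = True, i + 1
        elif tok == "-j":
            rule["target"], i = toks[i + 1], i + 2
        elif tok == "--limit":
            n, unit = toks[i + 1].split("/")
            rate, i = float(n) / UNIT_SECONDS[unit], i + 2
        elif tok == "--limit-burst":
            burst, i = int(toks[i + 1]), i + 2
        elif tok in CONV:
            field, conv = CONV[tok]
            rule["match"][field], i = conv(toks[i + 1]), i + 2
        elif tok in IGNORED:
            i += 2
        else:
            raise ValueError(f"unsupported option {tok!r} in: {line}")
    if rate is not None:
        rule["limit"] = TokenBucket(rate, burst)
    return rule

def matches(rule, p):
    for field, want in rule["match"].items():
        have = getattr(p, field)
        ok = ipaddress.ip_address(have) in want if field == "src" else have == want
        if not ok:
            return False
    # the bucket is spent only by packets that passed every static match, as in iptables
    return rule["limit"] is None or rule["limit"].allow(p.t)

def evaluate(rules, p, policy="ACCEPT"):
    # first terminating match wins; LOG is non-terminating, so the walk continues past it
    for idx, rule in enumerate(rules):
        if matches(rule, p) and rule["target"] != "LOG":
            return rule["target"], idx        # (verdict, index of the deciding rule)
    return policy, None                       # fell off the end: the chain policy decides

def run(ruleset, packets):
    rules = [parse_rule(line) for line in ruleset.strip().splitlines()]   # fresh buckets per run
    return [evaluate(rules, p) for p in packets]

# Three INPUT rules from the post, in the posted order (log prefix shortened).
AS_POSTED = """
iptables -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT INPUT: "
iptables -A INPUT -p tcp --syn -m limit --limit 1/s -j ACCEPT
iptables -A INPUT -i eth1 -s 0/0 -p TCP --dport 22 -j DROP
"""
# The port-22 DROP moved above the rate-limited ACCEPT.
REORDERED = """
iptables -A INPUT -i eth1 -s 0/0 -p TCP --dport 22 -j DROP
iptables -A INPUT -p tcp --syn -m limit --limit 1/s -j ACCEPT
"""

def syns(dport, n=6):
    """Constructed traffic: n SYNs to dport from a made-up outside host, all within one second."""
    return [Packet("eth1", "198.51.100.7", "tcp", i * 0.1, dport, True) for i in range(n)]

if __name__ == "__main__":
    for label, ruleset, port in (("posted", AS_POSTED, 22), ("reordered", REORDERED, 22), ("posted", AS_POSTED, 80)):
        print(f"{label:9} port {port}:", [v for v, _ in run(ruleset, syns(port))])
```

Running it prints the verdict list for each of the three cases. The LOG rule spends its own 3/minute budget on the first packets but never decides anything, and because each run re-parses the ruleset every case starts with full limit buckets, which is what makes the fifth-versus-sixth SYN boundary reproducible.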