04-21-2005
Re: IpTables Question for Eth1

By Wed, 20 Apr 2005 17:24:40 +0000 (UTC), "David Serrano (Hue-Bond)"
<responder_solo_en_el_grupo@yahoo.es> decided to post
"Re: IpTables Question for Eth1" to comp.os.linux.networking:

>/, Wed 20050420@19:05:53 (CEST):
>>
>> I'd like to allow, by MAC address, one machine to ssh in. Is opening port
>> 22 INPUT sufficient for this?

>
>Yes, using the mac module to do the actual matching against the desired MAC.
>
>
>> Finally, is UDP necessary for the web-server?

>
>No. HTTP operates on 80/TCP only. If you want to use SSL, you'll also want
>to open 443/TCP though.
>
>
>> ## -- DENY rules
>> iptables -A INPUT -p tcp -i eth1 --dport 0:79 -j REJECT
>> iptables -A INPUT -p udp -i eth1 --dport 0:79 -j REJECT
>>
>> iptables -A INPUT -p tcp -i eth1 --dport 81:9999 -j REJECT
>> iptables -A INPUT -p udp -i eth1 --dport 81:9999 -j REJECT
>>
>> iptables -A INPUT -p tcp -i eth1 --dport 10001: -j REJECT
>> iptables -A INPUT -p udp -i eth1 --dport 10001: -j REJECT

>
>There's no need to specify individual ports or protocols since packets
>reaching these rules are neither dport 80/TCP nor 10000/TCP. So doing
>just:
>
>iptables -A INPUT -i eth1 -j REJECT
>
>is enough.
>
>wrt outgoing packets, it's not bad policy to do '-P OUTPUT DROP' and open
>destination IPs/ports explicitly so a user eventually compromising the
>system won't be able to download anything from the net. In this case,
>accepting packets with /source/ ports 80 and 10000 would be enough.
>
>Another approach would be to use the state module, then allowing only NEW
>and ESTABLISHED packets with dports 80 and 10000, dropping anything else and
>not allowing anything outgoing.



Thanks. That's a big help. Before getting your message, I'd come up with this
script, which is working as intended (below). I will try to update it per
your suggestions.

I've seen on usenet, I think, that it's good practice to use DROP or
REJECT by default as policy, say for INPUT and OUTPUT. But when I do this
for INPUT, everything gets funky -- some www request packets get through,
but not all, and essentially my php scripts fail to complete and send out
pages. I'm reading more, hoping I can append some logging for nearly
everything in hopes of seeing what fails with INPUT:policy:DROP.
/var/log/messages is the only place I've seen any record of actions by
default, and nothing was applicable (wrong timestamps).
Looks like I could drop some of the protocol specifics.

#!/bin/bash
# clear (flush) existing chains and rules:
iptables -F

# remove old chains: (kills any error messages)
iptables -X AWDSET
iptables -X AMD64

# new chains: (in case e.g. reboot, explicit create)
iptables -N AWDSET
iptables -N AMD64

# policies:
## iptables -P INPUT DROP
iptables -P FORWARD DROP

##--------------------------------------INPUT rules--##
# use AMD64 chain for this MAC address:
iptables -A INPUT -m mac --mac-source 00:xx:xx:xx:xx:xx -j AMD64

iptables -A INPUT -i eth0 -p tcp -j ACCEPT
iptables -A INPUT -i eth0 -p udp -j ACCEPT
iptables -A INPUT -i eth0 -p icmp -j ACCEPT

iptables -A INPUT -i eth1 -p tcp -j AWDSET
iptables -A INPUT -i eth1 -p udp -j AWDSET
iptables -A INPUT -i eth1 -p icmp -j AWDSET

iptables -A INPUT -p tcp -i eth1 --dport 0: -j DROP
iptables -A INPUT -p udp -i eth1 --dport 0: -j DROP
iptables -A INPUT -p icmp -i eth1 -j DROP

##--------------------------------------AMD64 rules--##
# allow (ssh) connection on port22
iptables -A AMD64 -p tcp -i eth1 --dport 22 -j ACCEPT
iptables -A AMD64 -p udp -i eth1 --dport 22 -j ACCEPT

# open http + https
iptables -A AMD64 -p tcp -i eth1 --dport 80 -j ACCEPT
iptables -A AMD64 -p udp -i eth1 --dport 80 -j ACCEPT
iptables -A AMD64 -p tcp -i eth1 --dport 10000 -j ACCEPT

# open icmp
iptables -A AMD64 -p icmp -i eth1 -j ACCEPT

# close all other ports:
iptables -A AMD64 -p tcp -i eth1 --dport 0: -j DROP
iptables -A AMD64 -p udp -i eth1 --dport 0: -j DROP

##-------------------------------------AWDSET rules--##
# open http + https:
iptables -A AWDSET -p tcp -i eth1 --dport 80 -j ACCEPT
iptables -A AWDSET -p udp -i eth1 --dport 80 -j ACCEPT
iptables -A AWDSET -p tcp -i eth1 --dport 10000 -j ACCEPT

# close all other ports (tcp and udp):
iptables -A AWDSET -p tcp -i eth1 --dport 0: -j DROP
iptables -A AWDSET -p udp -i eth1 --dport 0: -j DROP



--

find / -iname "*gw*" -exec rm -rf {} \;

In heaven, there is no beer,
That's why we drink it here,
And when we're all gone from here,
Our friends will be drinking all the beer!
-- Famous old Czech song about beer --
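The stateful variant David describes, written out as an added example (not the poster's script nor David's): it keeps `-P INPUT DROP` but lets ESTABLISHED,RELATED packets back in on eth1, which is the rule whose absence makes half-finished HTTP sessions stall under a DROP policy, and it logs (rate-limited) before the policy drops anything. It assumes eth0 is the trusted side, eth1 faces the net, the ssh client is identified by the placeholder MAC from the post, and that the state, mac, limit and LOG modules are available; set IPT to "echo iptables" to print the rules instead of loading them.

```shell
#!/bin/sh
# Added example: stateful default-deny INPUT for the setup in the thread.
# IPT="echo iptables" prints the rules instead of loading them (review first).
IPT="${IPT:-iptables}"
ADMIN_MAC="${ADMIN_MAC:-00:xx:xx:xx:xx:xx}"   # placeholder, as in the post

build_firewall() {
    $IPT -F
    $IPT -X
    # Default deny on INPUT; FORWARD stays closed as in the original script.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP

    # Loopback and the trusted interface (eth0) are left open.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -i eth0 -j ACCEPT

    # The rule a plain DROP policy is missing: packets belonging to
    # connections already accepted (and ICMP errors related to them)
    # must come back in, otherwise web requests only partly succeed.
    $IPT -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

    # From here on only NEW connections need explicit holes.
    $IPT -A INPUT -i eth1 -p tcp --dport 80 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -i eth1 -p tcp --dport 10000 -m state --state NEW -j ACCEPT
    # ssh is TCP only, and only from the admin box (mac module match).
    $IPT -A INPUT -i eth1 -p tcp --dport 22 -m state --state NEW \
         -m mac --mac-source "$ADMIN_MAC" -j ACCEPT
    $IPT -A INPUT -i eth1 -p icmp -j ACCEPT

    # Log what the policy is about to drop so /var/log/messages shows it;
    # rate-limited so a port scan cannot fill the log partition.
    $IPT -A INPUT -i eth1 -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "
    # Everything else falls through to the INPUT DROP policy.
}

# Usage: ./fw.sh apply          (loads the rules)
#        IPT="echo iptables" ./fw.sh apply   (dry run, prints them)
if [ "${1:-}" = "apply" ]; then
    build_firewall
fi
```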