> > Hi,
> >
> > what exactly is your problem? All I can see is a good firewall.
>

That's why I sent this e-mail: to see if there were any problems. I didn't want to put this firewall on the Internet until I knew it was good. So, if it's good... Thanks! If there is something that you see that might be a problem, could you let me know?

Thanks,
Joseph

> > Hello,
> >
> > I'm looking for suggestions on my iptables rule set.
> >
> > There are three interfaces in this server:
> > eth0 - <internet-address>
> > eth1 - <lan-address>
> > eth2 - <dmz-address>
> >
> > ### Create Chains
> > iptables -N IN_LO
> > iptables -N OUT_LO
> > iptables -N IN_ETH0
> > iptables -N OUT_ETH0
> > iptables -N IN_ETH1
> > iptables -N OUT_ETH1
> > iptables -N IN_ETH2
> > iptables -N OUT_ETH2
> > iptables -N BLOCKED_PACKETS
> > iptables -N ICMP_PACKETS
> >
> > ### POLICIES
> > iptables -P INPUT DROP
> > iptables -P FORWARD DROP
> > iptables -P OUTPUT DROP
> >
> > ### INPUT
> > iptables -A INPUT -j BLOCKED_PACKETS
> > iptables -A INPUT -p icmp -j ICMP_PACKETS
> > iptables -A INPUT -i lo -j IN_LO
> > iptables -A INPUT -i eth0 -j IN_ETH0
> > iptables -A INPUT -i eth1 -j IN_ETH1
> > iptables -A INPUT -i eth2 -j IN_ETH2
> >
> > ### FORWARD
> > iptables -A FORWARD -j BLOCKED_PACKETS
> > iptables -A FORWARD -p icmp -j ICMP_PACKETS
> > iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> >
> > ### OUTPUT
> > iptables -A OUTPUT -j BLOCKED_PACKETS
> > iptables -A OUTPUT -p icmp -j ICMP_PACKETS
> > iptables -A OUTPUT -o lo -j OUT_LO
> > iptables -A OUTPUT -o eth0 -j OUT_ETH0
> > iptables -A OUTPUT -o eth1 -j OUT_ETH1
> > iptables -A OUTPUT -o eth2 -j OUT_ETH2
> >
> > ### BLOCKING_PACKETS
> > iptables -A BLOCKED_PACKETS -m state --state INVALID -j DROP
> > iptables -A BLOCKED_PACKETS -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
> > iptables -A BLOCKED_PACKETS -p tcp ! --syn -m state --state NEW -j DROP
> > iptables -A BLOCKED_PACKETS -d 224.0.0.0/8 -j DROP
> > # should this be all three interfaces?
> > iptables -A BLOCKED_PACKETS -d <internet-broadcast> -i eth0 -p udp --dport 135:139 -j DROP
> > iptables -A BLOCKED_PACKETS -d 255.255.255.255 -i eth0 -p udp --dport 67:68 -j DROP
> >
> > ### ICMP_PACKETS
> > # are all of these really needed? Which ones should I not accept?
> > iptables -A ICMP_PACKETS -p icmp --icmp-type 0 -j ACCEPT
> > iptables -A ICMP_PACKETS -p icmp --icmp-type 3 -j ACCEPT
> > iptables -A ICMP_PACKETS -p icmp --icmp-type 4 -j ACCEPT
> > iptables -A ICMP_PACKETS -p icmp --icmp-type 8 -j ACCEPT
> > iptables -A ICMP_PACKETS -p icmp --icmp-type 11 -j ACCEPT
> > iptables -A ICMP_PACKETS -p icmp --icmp-type 12 -j ACCEPT
> >
> > ### IN_LO (localhost)
> > # are these really needed? Why?
> > iptables -A IN_LO -s 127.0.0.1 -i lo -j ACCEPT
> > iptables -A IN_LO -s <lan-address> -i lo -j ACCEPT
> > iptables -A IN_LO -s <dmz-address> -i lo -j ACCEPT
> > iptables -A IN_LO -s <internet-address> -i lo -j ACCEPT
> >
> > ### IN_ETH0 (Internet)
> > iptables -A IN_ETH0 -d <internet-address> -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
> >
> > ### IN_ETH1 (LAN)
> > iptables -A IN_ETH1 -d <lan-address> -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
> >
> > ### IN_ETH2 (DMZ)
> > iptables -A IN_ETH2 -d <dmz-address> -i eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
> >
> > ### OUT_LO (Localhost)
> > # are these really needed? Why?
> > iptables -A OUT_LO -d 127.0.0.1 -o lo -j ACCEPT
> > iptables -A OUT_LO -d <lan-address> -o lo -j ACCEPT
> > iptables -A OUT_LO -d <dmz-address> -o lo -j ACCEPT
> > iptables -A OUT_LO -d <internet-address> -o lo -j ACCEPT
> >
> > ### OUT_ETH0 (Internet)
> > iptables -A OUT_ETH0 -s <internet-address> -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
> >
> > ### OUT_ETH1 (LAN)
> > iptables -A OUT_ETH1 -s <lan-address> -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
> >
> > ### OUT_ETH2 (DMZ)
> > iptables -A OUT_ETH2 -d <dmz-address> -o eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
> >
> > Specific Services:
> > ------------------
> > ### DNS
> > iptables -t nat -A PREROUTING -d <dns-internet-IP> -p tcp --dport 53 -j DNAT --to-destination <dns-DMZ-IP>
> > iptables -t nat -A PREROUTING -d <dns-internet-IP> -p udp --dport 53 -j DNAT --to-destination <dns-DMZ-IP>
> > iptables -A FORWARD -d <dns-DMZ-IP> -p tcp --syn --dport 53 -m state --state NEW -j ACCEPT
> > iptables -A FORWARD -d <dns-DMZ-IP> -p udp --dport 53 -m state --state NEW -j ACCEPT
> > iptables -t nat -A POSTROUTING -s <dns-DMZ-IP> -p tcp --sport 53 -j SNAT --to-source <dns-internet-IP>
> > iptables -t nat -A POSTROUTING -s <dns-DMZ-IP> -p udp --sport 53 -j SNAT --to-source <dns-internet-IP>
> >
> > ### FTP
> > iptables -t nat -A PREROUTING -d <ftp-internet-IP> -p tcp --dport 21 -j DNAT --to-destination <ftp-DMZ-IP>
> > iptables -A FORWARD -d <ftp-DMZ-IP> -p tcp --syn --dport 21 -m state --state NEW -j ACCEPT
> > iptables -t nat -A POSTROUTING -s <ftp-DMZ-IP> -p tcp --sport 21 -j SNAT --to-source <ftp-internet-IP>
> >
> > # I have other services, but if these are right I should be fine
> >
> > What about these two lines?
> > - iptables -A INPUT -i eth2 -d <dmz-address> -j ACCEPT
> > - iptables -A INPUT -i eth1 -d <lan-address> -j ACCEPT
> >
> >
> > Thanks,
> >
> > Joseph
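The same three-interface, default-DROP, stateful design as a generator script, written here as an added example; it is not part of the thread and not Joseph's ruleset. It keeps the post's ideas (shared sanity chain, an ICMP chain, RELATED,ESTABLISHED accepted before anything else, DNAT/SNAT for a published DMZ service) and shows the things the post leaves implicit: loopback accepted outright, anti-spoofing on the Internet side, NEW connections to the firewall allowed only from the LAN and only to one port, and the firewall itself allowed to resolve names and fetch updates. The interface names, the LAN/DMZ prefixes, the DNS addresses, and the choice of TCP 22 as the management port are all assumptions. Rules are printed, not loaded, unless `MODE=apply` is set.

```shell
#!/bin/sh
# Added example, not from the original thread. Emits a three-interface
# ruleset in the per-interface style of the post. Interface names, the
# LAN/DMZ prefixes and the DNS addresses are constructed placeholders.
# Rules are printed (dry run) unless MODE=apply is set in the environment.

WAN_IF=eth0
LAN_IF=eth1
DMZ_IF=eth2
LAN_NET=192.168.1.0/24        # constructed placeholder
DMZ_NET=192.168.2.0/24        # constructed placeholder
DNS_DMZ_IP=192.168.2.53       # constructed placeholder
DNS_WAN_IP=203.0.113.53       # constructed placeholder (documentation range)

# rule: print one iptables command, or execute it when MODE=apply.
rule() {
    if [ "${MODE:-dry}" = apply ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

fw_rules() {
    # Default-deny in all three built-in chains, as in the post.
    rule -P INPUT DROP
    rule -P FORWARD DROP
    rule -P OUTPUT DROP

    # One shared sanity chain for INPUT and FORWARD (it uses -i, so it is
    # deliberately not referenced from OUTPUT).
    rule -N BLOCKED_PACKETS
    rule -A BLOCKED_PACKETS -m state --state INVALID -j DROP
    rule -A BLOCKED_PACKETS -p tcp ! --syn -m state --state NEW -j DROP
    # Anti-spoofing: internal prefixes must never arrive on the WAN side.
    rule -A BLOCKED_PACKETS -i "$WAN_IF" -s "$LAN_NET" -j DROP
    rule -A BLOCKED_PACKETS -i "$WAN_IF" -s "$DMZ_NET" -j DROP
    # NetBIOS and DHCP noise from the Internet side (WAN only, as in the post).
    rule -A BLOCKED_PACKETS -i "$WAN_IF" -p udp -m multiport --dports 67,68,135:139 -j DROP

    # ICMP needed for PMTU discovery and traceroute to work; echo-reply
    # (type 0) to our own pings is matched as ESTABLISHED by conntrack.
    rule -N ICMP_PACKETS
    rule -A ICMP_PACKETS -p icmp --icmp-type 3 -j ACCEPT
    rule -A ICMP_PACKETS -p icmp --icmp-type 11 -j ACCEPT
    rule -A ICMP_PACKETS -p icmp --icmp-type 8 -m limit --limit 5/second -j ACCEPT
    rule -A ICMP_PACKETS -j DROP

    # INPUT: loopback unconditionally, sanity, state, then explicit NEW.
    rule -A INPUT -i lo -j ACCEPT
    rule -A INPUT -j BLOCKED_PACKETS
    rule -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    rule -A INPUT -p icmp -j ICMP_PACKETS
    # Management only from the LAN prefix, and only to one port (assumed SSH).
    rule -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # OUTPUT: the firewall itself needs DNS and package updates.
    rule -A OUTPUT -o lo -j ACCEPT
    rule -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    rule -A OUTPUT -p icmp -j ICMP_PACKETS
    rule -A OUTPUT -o "$WAN_IF" -p udp --dport 53 -m state --state NEW -j ACCEPT
    rule -A OUTPUT -o "$WAN_IF" -p tcp -m multiport --dports 53,80,443 -m state --state NEW -j ACCEPT

    # FORWARD: sanity, state, then only the flows the design requires.
    rule -A FORWARD -j BLOCKED_PACKETS
    rule -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    rule -A FORWARD -p icmp -j ICMP_PACKETS
    # LAN clients may reach the Internet, masqueraded on the WAN side.
    rule -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -m state --state NEW -j ACCEPT
    rule -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
    # Published DNS server in the DMZ; the DNAT and the FORWARD accept are
    # both bound to the interfaces the packet must actually traverse.
    rule -t nat -A PREROUTING -i "$WAN_IF" -d "$DNS_WAN_IP" -p udp --dport 53 -j DNAT --to-destination "$DNS_DMZ_IP"
    rule -t nat -A PREROUTING -i "$WAN_IF" -d "$DNS_WAN_IP" -p tcp --dport 53 -j DNAT --to-destination "$DNS_DMZ_IP"
    rule -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -d "$DNS_DMZ_IP" -p udp --dport 53 -m state --state NEW -j ACCEPT
    rule -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -d "$DNS_DMZ_IP" -p tcp --dport 53 -m state --state NEW -j ACCEPT
    rule -t nat -A POSTROUTING -o "$WAN_IF" -s "$DNS_DMZ_IP" -j SNAT --to-source "$DNS_WAN_IP"
    # Nothing from the DMZ toward the LAN is accepted; the policy DROP handles it.
}

# fw_rule_count: number of commands the generator emits (always dry run).
fw_rule_count() {
    MODE=dry fw_rules | grep -c '^iptables '
}

# fw_has: exit 0 when the generated ruleset contains the given fragment.
fw_has() {
    MODE=dry fw_rules | grep -qF -- "$1"
}

if [ "${1:-}" = show ]; then
    fw_rules
fi
```

Run it as `sh fw.sh show` to review the generated commands; only `MODE=apply sh fw.sh show` loads them. The ordering inside each built-in chain is the point: loopback first, then the sanity chain, then RELATED,ESTABLISHED, and only after that the short list of NEW connections each interface is allowed to open, so any accept line that is not bound to an interface, a source prefix and a port stands out immediately.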

