Thanks for your further input.
Yesterday I installed the latest Ubuntu (I already have Deb-test 7 sid on a
ThinkPad-T42) to see how it looks. NO FIREWALL at all, everything open.
Meanwhile I enhanced my iptables script to allow only ssh and NFS within
my network and to limit the damage from the WWW, as follows. I used your and
others' input to upgrade my previously overly simple script:
=================================================
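#!/bin/sh
# /OPT/sbin/ziptables
# /etc/init.d/local
#
# Host firewall for a single workstation.  Loopback is open; the local
# 192.168.0.0/28 network may reach ssh/portmap/NFS/mountd/print/DHCP; the
# outside world only gets a short list of *outbound* client ports; every
# other packet is logged (rate-limited) and dropped.
#
# Must run as root.  Every command is fatal on failure (set -e): with the
# DROP policies installed first, an aborted run leaves the box closed
# rather than half-open.
set -eu

if [ "$(id -u)" -ne 0 ]; then
  echo "ziptables: must be run as root" >&2
  exit 1
fi

LAN=192.168.0.0/28
MOUNTD_PORT=33333

# ---------------------------------------------------------- POLICY
# Default-DROP *before* flushing.  Flushing alone leaves whatever policy
# was already in force (ACCEPT on a fresh kernel), so between the flush
# and the final DROP rules the host used to be wide open on every run.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
#
# FLUSH, DELETE, ZERO
iptables -t mangle -F # flush: mangle,nat,filter
iptables -t nat -F
iptables -t filter -F
iptables -X # delete existing chains
iptables -Z # zero counters
#
# Following may be redundant, but cannot hurt
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 0 > /proc/sys/net/ipv4/ip_forward
# ---------------------------------------------------------- unexpected
# DROP any fragments and "NEW but not syn" (the two --tcp-flags rules
# catch the "xmas" and "null" scan packets that have no or all flags set)
iptables -A FORWARD -j DROP
iptables -A INPUT -j DROP -f
iptables -A INPUT -j DROP -m state --state NEW -p tcp ! --syn
iptables -A INPUT -j DROP -m state --state NEW -p tcp --tcp-flags ALL ALL
iptables -A INPUT -j DROP -m state --state NEW -p tcp --tcp-flags ALL NONE
# ---------------------------------------------------------- expected
# ACCEPT all expected LocalNet & WWW
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
iptables -A OUTPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
# ----------------------------------------------------------- LOOPBACK:
# ALLOW: within local-host(loopback): ALL
# Match on the interface, not on -s 127.0.0.1: a source address can be
# forged on any interface, the loopback device cannot.  Anything that
# claims a 127/8 source on a real interface is spoofed and is dropped.
iptables -A INPUT -j ACCEPT -i lo
iptables -A OUTPUT -j ACCEPT -o lo
iptables -A INPUT -j DROP ! -i lo -s 127.0.0.0/8
# ==========================================================LOCAL-NET:
# ALLOW: within local-network=:
# TCP: 22=ssh,111=portmap,2049=nfs,631=print
# --dports, not --ports: multiport --ports matches source OR destination,
# so a LAN host sending from source port 22 (or any other listed port)
# could open a NEW connection to *any* local port.  We only want to
# accept connections *to* these services.
iptables -A INPUT -j ACCEPT -s "$LAN" -p tcp \
  -m state --state NEW -m multiport --dports 22,67,68,111,631,2049,"$MOUNTD_PORT"
iptables -A OUTPUT -j ACCEPT -d "$LAN" -p tcp \
  -m state --state NEW -m multiport --dports 22,111,631,2049,"$MOUNTD_PORT"
# UDP: 53=dns,33333=mount
iptables -A INPUT -j ACCEPT -s "$LAN" -p udp \
  -m state --state NEW -m multiport --dports 22,53,67,68,111,2049,"$MOUNTD_PORT"
iptables -A OUTPUT -j ACCEPT -d "$LAN" -p udp \
  -m state --state NEW -m multiport --dports 22,53,111,2049,"$MOUNTD_PORT"
# ICMP: allow NFS, avoid ping etc
# type 3 = destination-unreachable (needed for port/host unreachable and
# path-MTU feedback); echo-request is never accepted, so no ping.
iptables -A INPUT -j ACCEPT -s "$LAN" -p icmp -m icmp --icmp-type 3
iptables -A OUTPUT -j ACCEPT -d "$LAN" -p icmp -m icmp --icmp-type 3
# NFS/mount: force static port
## export MOUNTD_PORT="33333"
# Starting the daemon from a firewall script is kept from the original;
# a failure here (e.g. mountd already running) must not abort the
# remaining rules, so it is only warned about.
rpc.mountd -p "$MOUNTD_PORT" \
  || echo "ziptables: warning: rpc.mountd -p $MOUNTD_PORT failed" >&2
# ============================================================ WWW-NET:
# ALLOW for individual ports/processes in foreign-WWW network
# TCP: 21=ftp,25=smtp,37=time,80=http,110=pop3,119=usenet,443=https
# UDP: 53=dns
iptables -A OUTPUT -j ACCEPT -p udp -m state --state NEW --dport 53
iptables -A OUTPUT -j ACCEPT -p tcp -m state --state NEW \
  -m multiport --dports 21,25,37,80,110,119,443
# ============================================================ Log
# Log drop throughs for diagnostics, -> /var/log/messages
# One rate-limited LOG rule per chain.  The original had a limited rule
# *followed by* an unlimited one with the prefix, so every dropped packet
# was still logged once without limit and the flood protection did
# nothing; the OUTPUT side had no limit at all.
iptables -A INPUT -j LOG -m limit --limit 5/m --log-prefix ZZI- # avoid flood
iptables -A OUTPUT -j LOG -m limit --limit 5/m --log-prefix ZZO-
iptables -A INPUT -j DROP # drop all unexpected
iptables -A OUTPUT -j DROP # drop all unexpected
# -n: no reverse-DNS lookups, which would hang now that DNS is restricted
iptables -L -n -v
#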