Dear .debs,
I've set up iptables on my woody box with a policy to drop. After some tinkering I'd punched holes for the things I wanted to do (note this is a *client* machine). Then I got into the wonders of setting up rules for active and passive FTP. It works now, but I am asking myself whether I can simplify my rules for all those other protocols.

For example, to get web browsing going I have:

    # Allow HTTP connections initiated from here and replies back in, but
    # do NOT allow connection requests from servers on the outside in.
    #
    /sbin/iptables --append $O --protocol tcp \
        --source ${PPP_LOCAL} --source-port 1024: \
        --destination-port 80 \
        --jump ACCEPT
    /sbin/iptables --append $I --protocol tcp ! --syn \
        --source-port 80 \
        --destination ${PPP_LOCAL} --destination-port 1024: \
        --jump ACCEPT

in my /etc/ppp/ip-up.d/1firewall script, where $O and $I are the output and input chains dedicated to the ppp device.

Now to get FTP going I added

    /sbin/iptables --append $O --match state \
        --state ESTABLISHED,RELATED --jump ACCEPT
    /sbin/iptables --append $I --match state \
        --state ESTABLISHED,RELATED --jump ACCEPT

I was thinking I could put these two rules near the top of my script, remove the second HTTP rule and still have the same protection. I could also drop the counterpart rules for all those other nice protocols I would like to use (ssh, hkp, smtp, imap, ...). It would quite drastically simplify my script. Question is, does it still give me the same kind of protection?

OT: I noticed scans for an HTTP server and more (logging what I drop) while I was connected via dial-up. It's not safe out there! But you already knew that of course :-)

While I'm at it I might as well append my scripts for everyone to give a once over.
-- 
Olaf Meeuwissen
GnuPG key: 91114EAF/C3E1 2D40 C7CC AEB2 FB15 8BDF 60C2 5B3F 9111 4EAF
/etc/ppp/ip-up.d/1firewall
Description: application/shellscript
/etc/ppp/ip-down.d/1firewall
Description: application/shellscript
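The simplification asked about in the post, written out as an added example (not the poster's attached scripts): one ESTABLISHED,RELATED rule per chain at the top, then one NEW-only rule per outbound service, with a logged drop for everything else reaching the dial-up address. Conntrack only lets back in packets that belong to a connection it has seen, whereas the per-protocol `! --syn --source-port 80` reply rule accepts any non-SYN segment from port 80 to a high port, so the stateful form is at least as strict. The chain names ppp-in/ppp-out, the PPP_LOCAL address and the `IPT` dry-run default are assumptions for this example; set `IPT=/sbin/iptables` (as root) to install the rules for real.

```shell
#!/bin/sh
# Constructed example. IPT defaults to printing the commands so the
# script can be inspected without root; override to run iptables itself.
IPT=${IPT:-echo /sbin/iptables}
PPP_LOCAL=${PPP_LOCAL:-192.0.2.10}   # assumed dial-up address (documentation range)
O=${O:-ppp-out}                      # assumed output chain for the ppp device
I=${I:-ppp-in}                       # assumed input chain for the ppp device

# Emit the stateful ruleset for a client-only machine.
stateful_rules() {
    # Replies and related traffic first, in both directions. RELATED only
    # covers FTP data connections when the ip_conntrack_ftp module is loaded.
    $IPT --append "$I" --match state --state ESTABLISHED,RELATED --jump ACCEPT
    $IPT --append "$O" --match state --state ESTABLISHED,RELATED --jump ACCEPT

    # Only connections we initiate: ssh, smtp, http, imap, hkp.
    for port in 22 25 80 143 11371; do
        $IPT --append "$O" --protocol tcp --source "$PPP_LOCAL" \
            --destination-port "$port" --match state --state NEW --jump ACCEPT
    done

    # Anything else arriving on the ppp interface is logged, then dropped,
    # which is what makes the scans mentioned in the post visible.
    $IPT --append "$I" --match state --state NEW,INVALID --jump LOG \
        --log-prefix "ppp-drop: "
    $IPT --append "$I" --jump DROP
}

# Sanity check on the generated ruleset: exactly one state-based ACCEPT
# on the input chain, since that is the only way traffic gets back in.
count_input_state_accepts() {
    stateful_rules | grep -c -- "--append $I .*--state ESTABLISHED,RELATED"
}

# Number of outbound NEW rules, one per allowed service.
count_outbound_new_rules() {
    stateful_rules | grep -c -- "--append $O .*--state NEW --jump ACCEPT"
}
```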