I am thinking of using IP chains to tighten security a little on my Debian 2.1 box. Currently, I have it set up as follows:

ipchains -P forward DENY
ipchains -A forward -s 192.168.1.9/255.255.255.255 -j MASQ

Below is a much more involved setup I created based on the information in the HOW-TO. The goal is to cut off access to any ports that I never use, and limit access to some of the ports I do use. Could you please take a look at it and let me know what you think? I have the following specific questions:

1. Have I made any mistakes that could cause really annoying problems? (perhaps unintentionally blocking something that shouldn't be blocked)
2. Is it safe to allow all input from localhost and output to localhost as I have done?
3. Are the lines that allow ICMP the right thing to do so ping will work? (also, the HOW-TO warned about not blocking ICMP type 3).
4. Are the SMTP and POP3 ports as secure as possible while still allowing fetchmail and sendmail to work?
5. Will my lines to block all communication with ads3.inet1.com work? (If I had a fast Internet connection, I wouldn't mind banner ads)
6. Any other comments or suggestions?

--- begin list of ipchains commands ---
ipchains -P input DENY
ipchains -P output DENY
ipchains -P forward DENY

# allow anything local
ipchains -A input -s 127.0.0.1 -j ACCEPT
ipchains -A output -d 127.0.0.1 -j ACCEPT

# allow ICMP
ipchains -A input -p icmp -j ACCEPT
ipchains -A output -p icmp -j ACCEPT

# allow FTP, telnet, DNS, WWW and IRC in both directions
ipchains -A input -p 20 -j ACCEPT
ipchains -A input -p 21 -j ACCEPT
ipchains -A input -p 23 -j ACCEPT
ipchains -A input -p 53 -j ACCEPT
ipchains -A input -p 80 -j ACCEPT
ipchains -A input -p 194 -j ACCEPT
ipchains -A output -p 20 -j ACCEPT
ipchains -A output -p 21 -j ACCEPT
ipchains -A output -p 23 -j ACCEPT
ipchains -A output -p 53 -j ACCEPT
ipchains -A output -p 80 -j ACCEPT
ipchains -A output -p 194 -j ACCEPT

# allow me to use fetchmail
ipchains -A output -p 110 -j ACCEPT

# allow outgoing SMTP
ipchains -A output -p 25 -j ACCEPT

# allow netbios stuff on eth0
ipchains -A input -i eth0 -p 137 -j ACCEPT
ipchains -A input -i eth0 -p 138 -j ACCEPT
ipchains -A input -i eth0 -p 139 -j ACCEPT
ipchains -A output -i eth0 -p 137 -j ACCEPT
ipchains -A output -i eth0 -p 138 -j ACCEPT
ipchains -A output -i eth0 -p 139 -j ACCEPT

# allow communication with my ISP's proxy
ipchains -A input -p 3128 -j ACCEPT
ipchains -A output -p 3128 -j ACCEPT

# kill some of those annoying banner advertisements
ipchains -A input -s ads3.inet1.com -j DENY
ipchains -A output -s ads3.inet1.com -j DENY

# anything that makes it through the input and output filters can be
# masqueraded for certain local systems
ipchains -A forward -s 192.168.1.9/255.255.255.255 -j MASQ
--- end list of ipchains commands ---

I would really appreciate some feedback on this so that I will know if I am getting it right or making mistakes.

Thanks in advance,
Patrick Olson
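
Added example, not part of the original post: a small checker for rule lists like the one above. In ipchains, -p selects the IP protocol (tcp, udp, icmp, or a protocol number), while ports are given after the -s/-d address, so a numeric -p value that looks like a service port is worth flagging. The port-to-service table is an assumption built from the comments in the post.

```python
import shlex

# Ports named in the post's own comments (FTP, telnet, SMTP, DNS, WWW, POP3,
# NetBIOS, IRC, proxy); assumed mapping, used only to label findings.
SERVICE_PORTS = {20: "ftp-data", 21: "ftp", 23: "telnet", 25: "smtp", 53: "dns",
                 80: "www", 110: "pop3", 137: "netbios-ns", 138: "netbios-dgm",
                 139: "netbios-ssn", 194: "irc", 3128: "proxy"}

def check_rule(line):
    """Return a list of findings for one 'ipchains -A ...' command line."""
    args = shlex.split(line, comments=True)
    findings = []
    for flag, value in zip(args, args[1:]):
        if flag not in ("-p", "--protocol") or not value.isdigit():
            continue  # named protocols such as tcp/udp/icmp are fine
        num = int(value)
        if num > 255:
            findings.append(f"-p {num}: not a valid IP protocol number (field is 8 bits)")
        elif num in SERVICE_PORTS:
            findings.append(f"-p {num}: matches IP protocol {num}, not "
                            f"{SERVICE_PORTS[num]} traffic on port {num}")
    return findings

def check_ruleset(text):
    """Map each flagged rule to its findings, preserving rule order."""
    report = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("ipchains"):
            found = check_rule(line)
            if found:
                report[line] = found
    return report

# A few rules copied from the post above.
SAMPLE = """\
# allow ICMP
ipchains -A input -p icmp -j ACCEPT
ipchains -A input -p 80 -j ACCEPT
ipchains -A output -p 3128 -j ACCEPT
ipchains -A forward -s 192.168.1.9/255.255.255.255 -j MASQ
"""

if __name__ == "__main__":
    for rule, found in check_ruleset(SAMPLE).items():
        print(rule)
        for finding in found:
            print("   ", finding)
```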