On Thu, Aug 30, 2007 at 12:25:25AM -0400, Michael Pobega wrote:
> Currently I'm using iptables as my main firewall, and I'm having no
> trouble with it whatsoever. But lately (Since college has started) I've
> been connecting to a lot more networks, with more peers connected. I'm
> worried about somebody breaking through the security on my laptop and
> doing something malicious.
> 
> I'm hoping some seasoned Debian sysadmins out there can help me by
> advising me on how to better set up iptables... My current setup is:
> 
> 
> # Generated by iptables-save v1.3.6 on Mon Jun 18 09:55:18 2007
> *filter
> :INPUT DROP [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [35639:3072343]
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -p icmp -m limit --limit 1/sec -j ACCEPT
> -A INPUT -p icmp -j DROP
> #-A INPUT -p tcp -m tcp --dport 5030 -j ACCEPT
> #-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
> #-A INPUT -p tcp -m tcp --dport 15000 -j ACCEPT
> COMMIT
> # Completed on Mon Jun 18 09:55:18 2007
> 
> The commented rules are uncommented in my ruleset for home (I only have
> those ports forwarded on my home router, so opening them outside is a
> potential security hazard).
> 
 
It looks like you're allowing unlimited output, which means that if
something does break into your system, then they can use your system to
spit stuff out without you knowing.  Overall, it seems like very few
rules.

Personally, I use shorewall to set up my netfilter rules.  If nothing
else, you probably should install the shorewall-doc package since it
covers the subject very well.  Here are my relevant shorewall configs
with the preamble comments removed.  This box is my main box and also
acts as a firewall for the rest of the network.

Policy first:
###############################################################################
#SOURCE         DEST            POLICY          LOG             LIMIT:BURST
#                                               LEVEL
loc             net             REJECT          info
fw              net             REJECT          info
net             all             DROP             -
all             all             REJECT          info
#LAST LINE -- DO NOT REMOVE

Then the rules:
#############################################################################################################
#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE          ORIGINAL        RATE            USER/
#                                                       PORT(S) PORT(S)         DEST            LIMIT           GROUP
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
DNS/ACCEPT      loc     fw
DNS/ACCEPT      loc     net
DNS/ACCEPT      fw      net
DNS/ACCEPT      fw      loc
SSH/ACCEPT      loc     fw
SSH/ACCEPT      fw      loc
NTP/ACCEPT      fw      net
NTP/ACCEPT      fw      loc
NTP/ACCEPT      loc     fw
POP3/ACCEPT     fw      net
POP3/ACCEPT     fw      loc
POP3/ACCEPT     loc     fw
POP3S/ACCEPT    fw      net
POP3S/ACCEPT    fw      loc
POP3S/ACCEPT    loc     fw
SMTP/ACCEPT     loc     fw
SMTP/ACCEPT     fw      net
SMTP/ACCEPT     fw      loc
SMTPS/ACCEPT    loc     fw
SMTPS/ACCEPT    fw      net
SMTPS/ACCEPT    loc     fw
Syslog/ACCEPT   fw      loc
Syslog/ACCEPT   loc     fw
FTP/ACCEPT      loc     net
FTP/ACCEPT      fw      net
FTP/ACCEPT      fw      loc
Ping/ACCEPT     loc     net
Ping/ACCEPT     fw      net
Ping/ACCEPT     loc     fw
Ping/ACCEPT     fw      loc
HTTP/ACCEPT     fw      net
HTTP/ACCEPT     loc     net
HTTP/ACCEPT     fw      loc
HTTPS/ACCEPT    fw      net
HTTPS/ACCEPT    loc     net
HTTPS/ACCEPT    fw      loc
Rsync/ACCEPT    loc     net
Rsync/ACCEPT    loc     fw
Rsync/ACCEPT    fw      net
Rsync/ACCEPT    fw      loc
Trcrt/ACCEPT    loc     net
Trcrt/ACCEPT    fw      net
Trcrt/ACCEPT    loc     fw
Trcrt/ACCEPT    fw      loc
ACCEPT          fw      loc     tcp     printer
ACCEPT          loc     fw      tcp     printer
# for GnuPG (OpenPGP) to retrieve/send keys to key server
ACCEPT          fw      net     tcp     11371
ACCEPT          fw      net     udp     11371
ACCEPT          loc     net     tcp     11371
ACCEPT          loc     net     udp     11371
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

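The "unlimited output" point above, worked through as an added example (not from either poster): a small check that flags built-in chains left at a default policy of ACCEPT in an iptables-save dump, plus a default-deny OUTPUT counterpart of the quoted ruleset that mirrors the "fw net REJECT info" shorewall policy. The sample dump is constructed, and the allowed outbound ports (DNS, NTP, SSH, HTTP, HTTPS) are an assumption for a typical laptop.

```shell
# Added example, not from the thread: audit an iptables-save dump for built-in
# chains left at a default policy of ACCEPT (the "unlimited output" point above)
# and print a replacement with a default-deny OUTPUT chain.

# Constructed sample mirroring the ruleset quoted in the question.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [35639:3072343]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
COMMIT'

# Read a dump on stdin; print the built-in chains whose default policy is
# ACCEPT, one per line (empty output means every chain is default-deny).
permissive_chains() {
    awk '/^:[A-Z]+ ACCEPT /{ sub(/^:/, "", $1); print $1 }'
}

# Hardened counterpart of the sample: FORWARD is dropped (a laptop does not
# route for others) and OUTPUT is default-deny with an explicit allow list.
# The allowed destination ports are an assumption for a typical laptop
# (DNS, NTP, SSH, HTTP, HTTPS); rejected traffic is rate-limited to the log,
# mirroring the "fw net REJECT info" shorewall policy.
hardened_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m limit --limit 1/sec -j ACCEPT
-A INPUT -p icmp -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp --dport 53 -j ACCEPT
-A OUTPUT -p udp --dport 123 -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 22,80,443 -j ACCEPT
-A OUTPUT -p icmp -m limit --limit 1/sec -j ACCEPT
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUTPUT-REJECT: "
-A OUTPUT -j REJECT --reject-with icmp-admin-prohibited
COMMIT
EOF
}
```

On a live box, `iptables-save | permissive_chains` reports the chains to look at, and `hardened_ruleset` output can be reviewed and then loaded as root with `iptables-restore`. Anything the allow list misses shows up in the kernel log with the OUTPUT-REJECT prefix, which is how you find the ports a given program really needs.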
