Date: Thu, 21 Apr 2011 11:52:54 -0500
Content-Type: text/plain
On 04/20/2011 02:47 PM, Nicolas Kovacs wrote:
> Le 20/04/2011 02:26, Tom H a écrit :
>> On Tue, Apr 19, 2011 at 12:53 PM, Robert E. Blair<[log in to unmask]> wrote:
>>> There is a sourceforge project called firestarter which has a rather
>>> nice script that does lots of iptables config and provides a gui monitor
>>> of firewall activity.
>> You could also try APF:
>> http://www.rfxn.com/projects/advanced-policy-firewall/
>> (I've never used it so this isn't an experienced-based recommendation
>> but I've installed it on a test box to check out its rules and they
>> looked good.)
>>
>> Shorewall's also an option that you could consider. It's another blind
>> recommendation though; I've never even seen its default rules...
> Thanks very much for the numerous answers. I read through a pile of
> documentation, and figured out the most simple solution was a
> handcrafted iptables script from scratch. Here goes :
>
> --8<-------------------------------
> #!/bin/sh
> ##/root/bin/firewall-start
> IPT="/sbin/iptables"
> WAN_IFACE="eth0"
> LAN_IFACE="eth1"
> $IPT -F
> $IPT -t nat -F
> $IPT -t mangle -F
> $IPT -X
> $IPT -t nat -X
> $IPT -t mangle -X
> $IPT -P INPUT DROP
> $IPT -P FORWARD ACCEPT
> $IPT -P OUTPUT ACCEPT
> $IPT -A INPUT -i lo -j ACCEPT
> $IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
> $IPT -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
> $IPT -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
> $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> $IPT -A INPUT -p tcp -i $LAN_IFACE --dport 22 -j ACCEPT
> $IPT -A INPUT -p udp -i $LAN_IFACE --dport 67 -j ACCEPT
> $IPT -A INPUT -j LOG --log-prefix "+++ IPv4 packet rejected +++ "
> $IPT -A INPUT -j REJECT
> $IPT -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE
> /sbin/service iptables save
> /sbin/service iptables condrestart
> --8<-------------------------------
>
> Works like a charm so far. Logging (near the end of the script) tells me
> whenever I'm locking myself out of something.
>
> Cheers from South France,
>
> Niki
Please add the following line BEFORE the RELATED,ESTABLISHED line:
$IPT -A INPUT -m state --state INVALID -j DROP
This will drop any packet whose flags make no sense or whose size is not
as advertised.
If you are not intending to do any routing, I'd remove the "$IPT -t nat
-A POSTROUTING -o $WAN_IFACE -j MASQUERADE" line as well as "$IPT -P
FORWARD ACCEPT" and instead insert some drops.
Adding to the list of firewall management, I'm strangely attached to
UFW... mostly because I can pre-load application rules into it and it
makes limiting connection rates easier [1]. A current(ish) rpm is hiding
out at
http://www.openmamba.org/distribution/distromatic.html?tag=devel-ercolinux&pkg=ufw.source
Pat
[1] http://www.snowman.net/projects/ipt_recent/ (you can seriously slow
brute force logins with this)
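As an added example (not part of the thread), here is Niki's script rewritten with Pat's two suggestions applied: the INVALID drop placed ahead of the RELATED,ESTABLISHED accept, and FORWARD/MASQUERADE only enabled when the box actually routes. The ROUTING switch, the environment-overridable variables and the dry-run mode (IPT=echo, which prints the rules instead of loading them) are assumptions of this example, not features of the posted script.

```shell
#!/bin/sh
# Hardened variant of the posted firewall-start script. IPT=echo turns it
# into a dry run that prints the rules; ROUTING=yes enables forwarding and
# NAT. Defaults, ROUTING switch and dry-run mode are this example's own.
IPT="${IPT:-/sbin/iptables}"
WAN_IFACE="${WAN_IFACE:-eth0}"
LAN_IFACE="${LAN_IFACE:-eth1}"
ROUTING="${ROUTING:-no}"   # "yes" only if this box forwards LAN traffic

apply_rules() {
    # start from empty filter, nat and mangle tables
    for t in filter nat mangle; do $IPT -t "$t" -F; $IPT -t "$t" -X; done
    # default policies: nothing in; nothing forwarded unless routing
    $IPT -P INPUT DROP
    $IPT -P OUTPUT ACCEPT
    if [ "$ROUTING" = yes ]; then
        $IPT -P FORWARD ACCEPT
        $IPT -t nat -A POSTROUTING -o "$WAN_IFACE" -j MASQUERADE
    else
        $IPT -P FORWARD DROP
    fi
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
    # Pat's addition: INVALID must precede the broad state ACCEPT so packets
    # with nonsensical flags or sizes never match it
    $IPT -A INPUT -m state --state INVALID -j DROP
    $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A INPUT -p tcp -i "$LAN_IFACE" --dport 22 -j ACCEPT
    $IPT -A INPUT -p udp -i "$LAN_IFACE" --dport 67 -j ACCEPT
    # log, then reject, anything nothing above accepted
    $IPT -A INPUT -j LOG --log-prefix "+++ IPv4 packet rejected +++ "
    $IPT -A INPUT -j REJECT
}

# Dry-run check: 0 if the INVALID drop precedes the RELATED,ESTABLISHED accept.
check_order() {
    rules=$(IPT=echo apply_rules)
    inv=$(printf '%s\n' "$rules" | grep -n 'state INVALID' | cut -d: -f1)
    est=$(printf '%s\n' "$rules" | grep -n 'RELATED,ESTABLISHED' | cut -d: -f1)
    [ -n "$inv" ] && [ -n "$est" ] && [ "$inv" -lt "$est" ]
}

# "apply" loads the rules for real and saves them; anything else is a dry run.
if [ "${1:-}" = apply ]; then
    apply_rules && /sbin/service iptables save && /sbin/service iptables condrestart
else
    (IPT=echo apply_rules)
fi
```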