SCIENTIFIC-LINUX-USERS Archives

April 2011

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: Patrick Riehecky <[log in to unmask]>
Reply To: Patrick Riehecky <[log in to unmask]>
Date: Thu, 21 Apr 2011 11:52:54 -0500
Content-Type: text/plain
Parts/Attachments: text/plain (75 lines)
On 04/20/2011 02:47 PM, Nicolas Kovacs wrote:
> On 20/04/2011 02:26, Tom H wrote:
>> On Tue, Apr 19, 2011 at 12:53 PM, Robert E. Blair <[log in to unmask]> wrote:
>>> There is a sourceforge project called firestarter which has a rather
>>> nice script that does lots of iptables config and provides a gui monitor
>>> of firewall activity.
>> You could also try APF:
>> http://www.rfxn.com/projects/advanced-policy-firewall/
>> (I've never used it so this isn't an experienced-based recommendation
>> but I've installed it on a test box to check out its rules and they
>> looked good.)
>>
>> Shorewall's also an option that you could consider. It's another blind
>> recommendation though; I've never even seen its default rules...
> Thanks very much for the numerous answers. I read through a pile of
> documentation, and figured out the most simple solution was a
> handcrafted iptables script from scratch. Here goes:
>
> --8<-------------------------------
> #!/bin/sh
> ##/root/bin/firewall-start
> IPT="/sbin/iptables"
> WAN_IFACE="eth0"
> LAN_IFACE="eth1"
> $IPT -F
> $IPT -t nat -F
> $IPT -t mangle -F
> $IPT -X
> $IPT -t nat -X
> $IPT -t mangle -X
> $IPT -P INPUT DROP
> $IPT -P FORWARD ACCEPT
> $IPT -P OUTPUT ACCEPT
> $IPT -A INPUT -i lo -j ACCEPT
> $IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
> $IPT -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
> $IPT -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
> $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> $IPT -A INPUT -p tcp -i $LAN_IFACE --dport 22 -j ACCEPT
> $IPT -A INPUT -p udp -i $LAN_IFACE --dport 67 -j ACCEPT
> $IPT -A INPUT -j LOG --log-prefix "+++ IPv4 packet rejected +++ "
> $IPT -A INPUT -j REJECT
> $IPT -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE
> /sbin/service iptables save
> /sbin/service iptables condrestart
> --8<-------------------------------
>
> Works like a charm so far. Logging (near the end of the script) tells me
> whenever I'm locking myself out of something.
>
> Cheers from South France,
>
> Niki
Please add the following line BEFORE the RELATED,ESTABLISHED line

$IPT -A INPUT -m state --state INVALID -j DROP

This will drop any packet whose flags make no sense or whose size is not 
as advertised.

If you are not intending to do any routing, I'd remove the
"$IPT -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE" line as well as
"$IPT -P FORWARD ACCEPT" and instead insert some drops.

Adding to the list of firewall management, I'm strangely attached to 
UFW... mostly because I can pre-load application rules into it and it 
makes limiting connection rates easier[1].  A current(ish) rpm is hiding 
out at 
http://www.openmamba.org/distribution/distromatic.html?tag=devel-ercolinux&pkg=ufw.source

Pat

[1] http://www.snowman.net/projects/ipt_recent/ (you can seriously slow 
brute-force logins with this)
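Below is a hardened variant of Niki's script with Pat's two suggestions applied (the INVALID drop placed before the RELATED,ESTABLISHED accept, and forwarding/MASQUERADE removed for a non-routing host), plus the ipt_recent rate limit on SSH that footnote [1] alludes to. It is an added example, not code from either poster; it assumes the same LAN interface name eth1 and that the iptables `state` and `recent` match modules are available.

```shell
#!/bin/sh
# Constructed example (not from the thread): Niki's script with Pat's two
# suggestions applied (INVALID dropped first, no forwarding or MASQUERADE)
# plus an ipt_recent limit on new SSH connections, as in Pat's footnote.
# IPT defaults to "echo" so the rules can be reviewed as a dry run;
# run as root with IPT=/sbin/iptables to actually load them.
IPT="${IPT:-echo}"
LAN_IFACE="${LAN_IFACE:-eth1}"

firewall_rules() {
    # Flush rules and delete user chains in all three tables, as the original does
    for t in filter nat mangle; do
        $IPT -t "$t" -F
        $IPT -t "$t" -X
    done
    # This box is not a router: drop forwarded traffic instead of accepting it
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    # Pat's addition: packets with nonsensical flags or sizes are dropped
    # BEFORE the RELATED,ESTABLISHED accept, so they can never match it
    $IPT -A INPUT -m state --state INVALID -j DROP
    $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
    # SSH from the LAN; a source opening a 4th new connection within 60 s is dropped
    $IPT -A INPUT -i "$LAN_IFACE" -p tcp --dport 22 -m state --state NEW \
        -m recent --set --name SSH
    $IPT -A INPUT -i "$LAN_IFACE" -p tcp --dport 22 -m state --state NEW \
        -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP
    $IPT -A INPUT -i "$LAN_IFACE" -p tcp --dport 22 -j ACCEPT
    $IPT -A INPUT -i "$LAN_IFACE" -p udp --dport 67 -j ACCEPT   # DHCP server
    # Log, then reject, everything else (as in the original)
    $IPT -A INPUT -j LOG --log-prefix "+++ IPv4 packet rejected +++ "
    $IPT -A INPUT -j REJECT
}

# Dry-run self-check on the emitted rule list: the INVALID drop must precede
# the RELATED,ESTABLISHED accept, and no rule may enable NAT
rule_order_ok() {
    ( IPT=echo; firewall_rules ) | awk '/--state INVALID/ { i = NR }
        /RELATED,ESTABLISHED/ { e = NR }
        /MASQUERADE/ { m = 1 }
        END { exit !(i && e && i < e && !m) }'
}

rule_order_ok || { echo "rule order check failed" >&2; exit 1; }
firewall_rules
```

Run it once without IPT set to read the rule list, then with IPT=/sbin/iptables to load it; the original's `service iptables save` can follow as before.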
