[cumbria_lug] Build a better firewall...
Schwuk
cumbria at mailman.lug.org.uk
Mon Aug 11 15:58:00 2003
"Build a better firewall and the world will beat a path to your door. " -
with apologies to Ralph Waldo Emerson.
Ok, I'm going to break with the tradition of this mailing list and ask an
(almost) technical question. Who knows - maybe I'll even get responses...
I currently have Linux based ISDN router operating at home. It works
absolutely fine, but I wanted to see if anybody had any suggestions on how
to improve my (basic) set of firewall rules. Hopefully there will be two
benefits from this:
1) I'll get a 'better firewall', keeping me safe from the script kiddiez
2) The 'better firewall' can be published on the LUG site as a resource
for all, esp. newbies... I'm also planning to write up the construction of
my 'gateway' box for said purpose.
So, here goes (formatted for legibility)...
----
#Set the default policy for INPUT and FORWARD to DROP
#NOTE: Don't do this from a remote connection!
iptables -P INPUT DROP
iptables -P FORWARD DROP
#myfilter chain:
#this chain contains rules common to the FORWARD and INPUT chains
#Create the chain
iptables -N myfilter
#Accept all packets with a state of ESTABLISHED or RELATED
iptables -A myfilter -m state --state ESTABLISHED,RELATED -j ACCEPT
#Accept all packets that _don't_ come from the ISDN interface
iptables -A myfilter -m state --state NEW -i ! ippp0 -j ACCEPT
#Log all invalid packets
iptables -A myfilter -m state --state INVALID -j LOG --log-prefix
"INVALID:" --log-level warning
#Reject everything with tcp-reset
iptables -A myfilter -p tcp -j REJECT --reject-with tcp-reset
#Reject everything else with icmp port unreachable
iptables -A myfilter -j REJECT --reject-with icmp-port-unreachable
#INPUT chain:
#Everything goes through 'myfilter'
iptables -A INPUT -j myfilter
#FORWARD chain:
#Everything goes through 'myfilter'
iptables -A FORWARD -j myfilter
#POSTROUTING chain:
#Set up IP Masquerading for the ISDN Interface:
iptables -A POSTROUTING -o ippp0 -j MASQUERADE
----
That's it - simple, but effective. It allows all traffic from the inside
out, and related traffic back in. All other connections from the outside
fail. This works great for everything from browsing to IM to multi-player
games.
Comments welcome...
Cheers,
--
Schwuk