[Nelug] Re: [general] iptables doing unwanted logging

[James Barton]

> Ok so you found the problem but note that whilst the echo may say about
> Denying UDP the LOG rule does nothing to log only UDP. ssh is done over
> tcp.

Fair point. I'm still not readin what I've written...

> why do you set the default of FORWARD to ACCEPT by default? That sounds
> like it opens up the possibility of allowing all sorts through if you
> get a rule wrong.

You're right. It was basically the end of my patience. I'd removed or
secured every application I could find on my internal network, then spent
time finding out what worked and what didn't in configuring INPUT and
OUTPUT (with whatever results...), and I simply couldn't be bothered to
fiddle with the FORWARD rules. I was having more trouble with them than
with anything else, I was unaware of any danger from external sources, and
I implicitly trust all the internal machines. But yes, it could be a lot
more secure.

> Using -d $ANYWHERE and -s $ANYWHERE aren't necessary because iptables
> defaults to these if you don't provide them. Having them there just
> makes the rule harder to read. i.e. allow loopback  could be specified
> as
>
> $IPTABLES -A INPUT -i lo -j ACCEPT

Okay.

> Not sure on the answer to this but on the
> #echo -e "Dropping other traffic to ports < 1024, monitor worm"
> rules you explictly state -i and -d. Doesn't that create a potential
> loophole because something targetted to a different -d which ends up on
> your input chain could cause trouble. i.e. your config doesn't
> explicitly say whether you've configured your IP stack to accept input
> on a different interface i.e. if I create an IP packet to your internal
> address but send it via the external address (I know that you've caught
> that earlier) then this rule wouldn't apply. Surely it is better to be
> more general and deny more unless you have a specific reason for not
> doing so.

Although I never have, it occurred to me when I was writing, that I might
want to use some services on privileged ports from internal machines, such
as telnet or finger. Since I never do, I should probably rewrite that as
you suggest.

> You have a rule
>
> # allow all else
> $IPTABLES -A INPUT -i $EXTERNAL_IF_1 -s $ANYWHERE -d $EXTERNAL_IP_1 -j
> ACCEPT
>
> which *totally* makes the next established connections rule totally
> pointless. I'm not sure that this is what you meant.

Absolutely right. No idea why that next line is there.

> Forward chain - you explicitly state both external and internal
> interfaces on the forward rules. If anyone manages to spoof routes this
> would end up being explicitly allowed by the global  FORWARD accept
> rule. I think that you would be better off with something like
>
> $IPTABLES -A FORWARD -i $EXTERNAL_IF_1 -o $INTERNAL_IF_1 -d
> $INTERNAL_NET_1 -m state --state ESTABLISHED,RELATED -j ACCEPT

That makes sense. I will give it a try.

> Side note that the next rule undoes all of the work that you have done
> in the rule above 'cos it allows everything else through!

Does it?
I thought that:
$IPTABLES -A FORWARD -i $INTERNAL_IF_1 -o $EXTERNAL_IF_1 -j ACCEPT

would allow connection to the rest of the Internet from any machine
connecting over eth1. Am I mistaken?

> Finally being totally paranoid I would probably configure the adbust and
> worry chains prior to putting them onto a chain to stop race conditions
> of people trying to circumvent them whilst the rest of the rules are
> being processed.

Never occurred to me, but it costs nothing to just change the processing
order, so I'll do that too.

> Hope this helps.

It's food for thought. Should teach me to try cut 'n' paste straight out
of the HOWTO...
thanks for the pointers,
James