[Gllug] Firewall Setup Script

David Pashley david at davidpashley.com
Mon Sep 29 22:01:02 UTC 2003


On Sep 29, 2003 at 22:48, Mick Farmer praised the llamas by saying:
> Dear George,
> 
> I'm quite happy to share my attempts with you, as others
> might comment on the fallacies therein...  I've got a Red Hat
> Linux box which hosts the web pages for the courses that I'm
> teaching on, plus a few other interests.  I hope the
> comments are self explanatory.  Additional comments in the
> script are turned on/off as required for classes.
> 
> 8<--------8<--------8<--------8<
> # Original is now iptables-8.0 (mick, 20 Jan 2003)
> # 0.0.0 Basic firewall - no forwarding, so I trust my 
> #       output datagrams and place restrictions on incoming
> #       datagrams (mick, 15 Oct 2002)
> # 0.0.1 Allow telnet from 193.61.28.0/24, i.e. bbk (mick, 9 Dec 2002)
> # 0.0.2 Allow ssh from 62.0.0.0/8, i.e. freeserve (mick, 21 Dec 2002)
> # 0.0.3 Allow http from all (mick, 13 Mar 2003)
> # 0.0.4 Allow ssh from 212.159.43.118, i.e. plan7 (mick, 7 April 2003)
> #
> # Default policies
> #
> *filter
> :INPUT   DROP   [0:0]
> :FORWARD DROP   [0:0]
> :OUTPUT  ACCEPT [0:0]
> 
> # Trust the loopback interface
> #
> -A INPUT -i lo -j ACCEPT
> 
> # Incoming established responses (such as ICMP, NFS, RPC, TCP)
> #
> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> 
> # Incoming HTTP connections
> #
> -A INPUT -m tcp -p tcp --dport http --syn -j ACCEPT
> 
> # Incoming SSH connections from Freeserve and plan7.plus.com
> #
> #-A INPUT -s 62.0.0.0/8     -m tcp -p tcp --dport ssh --syn -j ACCEPT
> -A INPUT -s 212.159.43.118 -m tcp -p tcp --dport ssh --syn -j ACCEPT
> 
> # Incoming telnet connections only from dcs
> #
> #-A INPUT -s 193.61.28.0/24 -m tcp -p tcp --dport telnet --syn -j ACCEPT
> -A INPUT -s 193.61.29.0/24 -m tcp -p tcp --dport telnet --syn -j ACCEPT

You appear to be running telnetd.

> # Log what we drop
> #
> -A INPUT -m icmp -p icmp -j LOG
> -A INPUT -m tcp  -p tcp  -j LOG
> -A INPUT -m udp  -p udp  -j LOG

What about other protocols? What is wrong with 

-A INPUT -j LOG
> 
> COMMIT
> 8<--------8<--------8<--------8<
> 
> Any comments you, or others, might have will be gratefully
> received.  Be aware that the logs might grow extremely
> large!
> 
> Regards,
> 
Why use --syn everywhere? Given the fact that you accept established or
related packets at the top, everything else is going to be new
connections.

You may want to REJECT packets to the auth/identd port to prevent
excessive timeouts. You can set up better logging but I don't have a copy
of the rules with me atm.

-- 
David Pashley
david at davidpashley.com
Nihil curo de ista tua stulta superstitione.
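A revised ruleset applying the three points from the reply (no --syn on the service rules, a REJECT for auth/identd, one protocol-independent LOG rule), written here as an added example rather than Mick's script or rules David posted. The addresses are the ones in the quoted script; the non-SYN-as-NEW drop, the INVALID drop, the rate limit and the log prefix are assumptions added here.

```iptables
# iptables-restore format (the Red Hat /etc/sysconfig/iptables layout).
# Added example, not the original script; see the lead-in for what is assumed.
*filter
:INPUT   DROP   [0:0]
:FORWARD DROP   [0:0]
:OUTPUT  ACCEPT [0:0]

# Trust the loopback interface
-A INPUT -i lo -j ACCEPT

# Replies to connections we started, so every later rule sees only new traffic
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Conntrack classifies a stray non-SYN TCP packet as NEW; drop those once here
# so the service rules below can omit --syn without widening what they accept
# (assumption: this rule and the INVALID drop are additions, not in the original)
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
-A INPUT -m state --state INVALID -j DROP

# Incoming HTTP from anywhere
-A INPUT -p tcp --dport http -m state --state NEW -j ACCEPT

# Incoming SSH from plan7 only
-A INPUT -s 212.159.43.118 -p tcp --dport ssh -m state --state NEW -j ACCEPT

# Incoming telnet only from dcs
-A INPUT -s 193.61.29.0/24 -p tcp --dport telnet -m state --state NEW -j ACCEPT

# Answer auth/identd probes (TCP 113) with a reset instead of silently dropping
# them, so remote mail and IRC servers get an immediate "no" rather than a timeout
-A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset

# One LOG rule for everything else, whatever the protocol, rate-limited so a
# flood cannot fill the disk (limit values and prefix are assumptions)
-A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "INPUT DROP: "

COMMIT
```

Load it with `iptables-restore < rules` and check the result with `iptables -L -n -v`; the LOG rule's counters show how much traffic the rate limit is suppressing.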