[Gllug] iptables (newbie) question
Murray
gllug at minty.org
Sun May 2 12:56:21 UTC 2004
I've been using an online wizard [1] to help me learn more about
iptables, alongside the Packet Filtering HowTo [2].

The aim is a server on a public IP, for (public) web serving and email
(MX). It's a remote box, so ssh access, but limited to connections from
known IP addresses. Stand-alone box, no "internal" network other than
itself, shouldn't be forwarding packets, 2.4.22 kernel. Debian 3.

Given a (snip'd) setup along the lines of
iptables -F INPUT; iptables -P INPUT ACCEPT; iptables -Z INPUT
iptables -F FORWARD; iptables -P FORWARD DROP; iptables -Z FORWARD
iptables -F OUTPUT; iptables -P OUTPUT ACCEPT; iptables -Z OUTPUT
iptables -N CUSTOM-INPUT;
iptables -N REJECT-PKT;
iptables -A INPUT -j CUSTOM-INPUT
# Various rules to drop naughty packets (tcp, udp, the lot)
iptables -A CUSTOM-INPUT -s 127.0.0.0/8 -j DROP
# ...more here... spoofing local ip, syn / ping attacks etc
# Allow web serving on port 80, and ssh from known ip's
iptables -A CUSTOM-INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A CUSTOM-INPUT -p tcp -m tcp -s 12.34.56.78 \
--dport 22 -j ACCEPT
# Block all other TCP/IP and UDP traffic
iptables -A CUSTOM-INPUT -j REJECT-PKT
# Reject all TCP/IP, UDP and ICMP/PING packets
iptables -A REJECT-PKT -p udp -m udp --sport 137:138 \
--dport 137:138 -j DROP
iptables -A REJECT-PKT -p tcp -m tcp -j LOG
iptables -A REJECT-PKT -p tcp -m tcp -j REJECT --reject-with tcp-reset
iptables -A REJECT-PKT -p udp -m udp -j LOG
iptables -A REJECT-PKT -p udp -m udp -j REJECT \
--reject-with icmp-port-unreachable
iptables -A REJECT-PKT -p icmp -m icmp --icmp-type ping -j LOG
iptables -A REJECT-PKT -p icmp -m icmp --icmp-type ping \
-j REJECT --reject-with icmp-host-unreachable
*** Question ***
Why not remove everything after (and including)
# Block all other TCP/IP and UDP traffic
iptables -A CUSTOM-INPUT -j REJECT-PKT
And just replace it with
iptables -A CUSTOM-INPUT -j LOG
iptables -P INPUT DROP
The only material difference I can see is that the initial setup uses
REJECT in some cases to send a "not here" response, whereas the shorter
second option just pretends it's not there at all. This seems to me a
better option. Am I missing something?
[1] http://www.lowth.com/LinWiz/1.09/
[2] http://www.netfilter.org/documentation/
--
Gllug mailing list - Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
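To make the difference between the two variants concrete, here is a small simulation of netfilter chain traversal written for this page; it is an added example, not code from the post or from LinWiz. It models only the rules actually shown above (the "snip'd" anti-spoofing and SYN/ping rules are not included), and it reproduces the three traversal details the question hinges on: LOG is non-terminating, a user-defined chain that runs out of rules returns to its caller, and only the built-in chain's policy applies after that. The sample packets and the 203.0.113.9 source address are constructed.

```python
"""Simulate INPUT-chain traversal for the two rulesets discussed in the post.

Added example, not from the original message. Models protocol/source/port/
ICMP-type matching, jumps to user chains, implicit RETURN at the end of a
user chain, LOG as a non-terminating target, and the built-in chain policy.
"""
import ipaddress
from dataclasses import dataclass, field

TERMINATING = {"ACCEPT", "DROP", "REJECT"}


def port(n):
    """Single port as a range, so sport/dport always hold a range."""
    return range(n, n + 1)


@dataclass
class Packet:
    proto: str
    src: str = "203.0.113.9"  # constructed remote address (documentation range)
    sport: int = 0
    dport: int = 0
    icmp_type: str = ""


@dataclass
class Rule:
    target: str             # ACCEPT/DROP/REJECT/LOG or a user chain name
    proto: str = None
    src: str = None         # host or CIDR, as given to -s
    sport: range = None
    dport: range = None
    icmp_type: str = None

    def matches(self, pkt):
        if self.proto and pkt.proto != self.proto:
            return False
        if self.src and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if self.sport and pkt.sport not in self.sport:
            return False
        if self.dport and pkt.dport not in self.dport:
            return False
        if self.icmp_type and pkt.icmp_type != self.icmp_type:
            return False
        return True


@dataclass
class Ruleset:
    chains: dict                      # chain name -> list of Rule
    policy: dict                      # built-in chain -> default verdict
    logged: list = field(default_factory=list)

    def verdict(self, chain, pkt):
        """Return ACCEPT/DROP/REJECT, or None when a user chain returns."""
        for rule in self.chains[chain]:
            if not rule.matches(pkt):
                continue
            if rule.target == "LOG":
                self.logged.append(chain)   # LOG never ends traversal
                continue
            if rule.target in TERMINATING:
                return rule.target
            result = self.verdict(rule.target, pkt)   # jump into a user chain
            if result is not None:
                return result
        return self.policy.get(chain)   # None for a user chain means RETURN


# Rules both variants share (the loopback drop, web, ssh from the known IP).
COMMON = [
    Rule("DROP", src="127.0.0.0/8"),
    Rule("ACCEPT", proto="tcp", dport=port(80)),
    Rule("ACCEPT", proto="tcp", src="12.34.56.78", dport=port(22)),
]


def original():
    """The posted setup: INPUT policy ACCEPT, catch-all handled by REJECT-PKT."""
    return Ruleset(
        chains={
            "INPUT": [Rule("CUSTOM-INPUT")],
            "CUSTOM-INPUT": COMMON + [Rule("REJECT-PKT")],
            "REJECT-PKT": [
                Rule("DROP", proto="udp", sport=range(137, 139), dport=range(137, 139)),
                Rule("LOG", proto="tcp"),
                Rule("REJECT", proto="tcp"),
                Rule("LOG", proto="udp"),
                Rule("REJECT", proto="udp"),
                Rule("LOG", proto="icmp", icmp_type="echo-request"),
                Rule("REJECT", proto="icmp", icmp_type="echo-request"),
            ],
        },
        policy={"INPUT": "ACCEPT"},
    )


def shorter():
    """The proposed replacement: unconditional LOG, then INPUT policy DROP."""
    return Ruleset(
        chains={"INPUT": [Rule("CUSTOM-INPUT")], "CUSTOM-INPUT": COMMON + [Rule("LOG")]},
        policy={"INPUT": "DROP"},
    )


def compare(pkt):
    """(verdict, logged?) under the original, then under the shorter ruleset."""
    a, b = original(), shorter()
    return a.verdict("INPUT", pkt), bool(a.logged), b.verdict("INPUT", pkt), bool(b.logged)


# Constructed sample packets arriving from the internet.
SAMPLES = {
    "smtp to port 25": Packet("tcp", dport=25),
    "netbios 137->137": Packet("udp", sport=137, dport=137),
    "dns reply 53->41234": Packet("udp", sport=53, dport=41234),
    "icmp dest-unreachable": Packet("icmp", icmp_type="destination-unreachable"),
    "gre (protocol 47)": Packet("gre"),
    "ssh from unknown ip": Packet("tcp", dport=22),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        ov, ol, sv, sl = compare(pkt)
        print(f"{name:24s} original={ov:7s} log={ol!s:6s} shorter={sv:7s} log={sl!s}")
```

Running it shows where the two rulesets actually diverge. The REJECT-PKT chain only has rules for TCP, UDP and ICMP echo-request, so anything else (other ICMP types such as destination-unreachable, or a non-TCP/UDP protocol) falls off the end of both user chains and is accepted by the original's INPUT policy, but dropped by the shorter variant; and NetBIOS chatter on 137/138, which the original drops silently, is logged in the shorter variant because its LOG rule has no protocol or port qualifier. Both variants refuse the reply to a UDP query the server itself sent out (the DNS sample), which is the usual reason a stateful ESTABLISHED,RELATED accept is placed before any catch-all rule.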