Wanted: Critique of my configuration

Ronald F. Guilmette rfg@monkeys.com
Tue, 31 Jul 2001 10:44:52 -0700


Greetings folks,

I'm new to iptables, and also new to this mailing list.  I've had some
modest past experience with setting up firewall rule sets on FreeBSD
(using ipfw) but of course, that stuff is all pretty different from
this iptables stuff.

Within the past few days I've been working to try to set up a fresh
Redhat 7.1 system as an Internet server that will provide the following
unremarkable set of services to the outside world:

	DNS
	SMTP
	FTP
	HTTP/WWW
	POP3
	IMAP4

I've already gen'd and installed a fresh 2.4.7 kernel with iptables
support enabled (and ipchains support DISabled) and after a great deal
of fiddling I finally managed to _guess_ how to generate the requisite
Redhat /etc/sysconfig/iptables file.  (This step was not at all obvious,
and didn't seem to be documented anywhere.  I basically cheated by
downloading and installing the `firestarter' package, and then running
it to create an initial set of rules... rules which fortunately enough
did seem to be transmitted to the kernel before firestarter crashed :-(
I then got lucky, and just by accident found out about the `iptables-save'
program, which dumped the rules currently in force.  That at least gave
me _something_ to start from, i.e. a text file full of iptables directives
which seemed highly likely to at least be syntactically valid... something
I was having a lot of trouble just guessing how to write on my own.)

Anyway, I looked at the /etc/sysconfig/iptables file that `iptables-save'
was kind enough to dump to disk for me after I had run firestarter (mostly
successfully) and even though I don't know my way around iptables yet,
that file sure as heck looked to me to be vastly too long and vastly too
complex for my simple setup, so I started manually whittling it down as
best as I could, given that I'm almost totally ignorant of iptables.

The final result is attached below.  So far, it seems to work well enough,
and the services that I want to work do in fact all seem to be working
properly on this box (and are accessible from outside) but I have a definite
uneasy feeling that my clumsy and ignorant hacking on this file has left
me with something that is probably less than optimal in several respects.
So I thought that I would ask if anybody here might like to critique this
for me and maybe make suggestions for improvements.  Maybe there are things
I should add, and maybe some things I should remove.  You tell me.

The box in question has two ethernet cards in it, eth0, and eth1.  The
first one (eth0) is the interface to the Internet and its ifconfig'd
address is represented below as x.x.x.x.  The eth1 card is the interface
to my (trusted) internal network, and has been assigned IP 192.168.1.14.
(I'm using 192.168.0.0/16 for the internal network.)

Three final notes... (1) I'm trying to be polite and to prevent any packets
with RFC 1819 reserved IP addresses (either source or destination) from
leaking out onto the Internet from my box.  (2) I have NAT configured into
the kernel, but I'm actually not planning on using it at all... the other
boxes on the local network have other ways of getting to the net. (3) I _am_
paranoid, but not overly so.  At this point I have no particular reason
to be too concerned about the possibility of being DoS'd or DDoS'd, but
if there are simple changes I can make to what is shown below that will
help to limit the damage when/if I get DoS'd or DDoS'd, then I _would_
like to add such changes.

And now, without further ado, here's my edited /etc/sysconfig/iptables file:
============================================================================
# Generated by iptables-save v1.2.1a on Fri Jul 27 23:47:34 2001
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LD - [0:0]
-A INPUT -i lo -j ACCEPT 
-A INPUT -i eth1 -j ACCEPT 
-A INPUT -d x.x.x.x -p icmp -m icmp --icmp-type 0 -j ACCEPT 
-A INPUT -d x.x.x.x -p icmp -m icmp --icmp-type 3 -j ACCEPT 
-A INPUT -d x.x.x.x -p icmp -m icmp --icmp-type 4 -j ACCEPT 
-A INPUT -d x.x.x.x -p icmp -m icmp --icmp-type 5 -j ACCEPT 
-A INPUT -d x.x.x.x -p icmp -m icmp --icmp-type 8 -j ACCEPT 
-A INPUT -d x.x.x.x -p icmp -m icmp --icmp-type 11 -j ACCEPT 
-A INPUT -d x.x.x.x -p udp -m udp --dport 33434:33437 -j ACCEPT 
-A INPUT -s 172.16.0.0/255.240.0.0 -j LD 
-A INPUT -s 192.168.0.0/255.255.0.0 -j LD 
-A INPUT -s 10.0.0.0/255.0.0.0 -j LD 
-A INPUT -s 127.0.0.0/255.0.0.0 -j LD 
-A INPUT -s x.x.x.x -j LD 
-A INPUT -d 0.0.0.0 -j LD 
-A INPUT -f -m limit --limit 10/min -j LD 
-A INPUT -d x.x.x.x -p tcp -m tcp --dport 20 ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT 
-A INPUT -d x.x.x.x -p tcp -m tcp --dport 21 -j ACCEPT 
-A INPUT -d x.x.x.x -p tcp -m tcp --dport 25 -j ACCEPT 
-A INPUT -d x.x.x.x -p tcp -m tcp --dport 53 -j ACCEPT 
-A INPUT -d x.x.x.x -p udp -m udp --dport 53 -j ACCEPT 
-A INPUT -d x.x.x.x -p tcp -m tcp --dport 80 -j ACCEPT 
-A INPUT -d x.x.x.x -p tcp -m tcp --dport 110 -j ACCEPT 
-A INPUT -d x.x.x.x -p tcp -m tcp --dport 143 -j ACCEPT 
-A INPUT -p tcp -m tcp --sport 22 --dport 513:65535 ! --tcp-flags SYN,RST,ACK SYN -m state --state RELATED -j ACCEPT 
-A INPUT -p tcp -m tcp --sport 20 --dport 1023:65535 ! --tcp-flags SYN,RST,ACK SYN -m state --state RELATED -j ACCEPT 
-A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT 
-A INPUT -d x.x.x.x -p udp -m udp --dport 1023:65535 -j ACCEPT 
-A INPUT -j LD 
-A OUTPUT -o lo -j ACCEPT 
-A OUTPUT -o eth1 -j ACCEPT 
-A OUTPUT -s 192.168.0.0/255.255.0.0 -j DROP
-A OUTPUT -s 172.16.0.0/255.240.0.0 -j DROP
-A OUTPUT -s 10.0.0.0/255.0.0.0 -j DROP
-A OUTPUT -s 127.0.0.0/255.0.0.0 -j DROP
-A LD -j LOG 
-A LD -j DROP 
COMMIT
# Completed on Fri Jul 27 23:47:34 2001
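An added audit script follows; it is not part of the original post and not Red Hat's or netfilter's tooling. It parses an iptables-save dump in the format shown above and reports the points the poster asks about: the INPUT and FORWARD policies, every INPUT ACCEPT that is reachable from the Internet-facing side (assumed here, as in the post, to be anything not bound to lo or eth1), any stateless ACCEPT spanning a wide port range, and whether each RFC 1918 source block is sent to a dropping target such as the LD chain. The 1024-port threshold is a constructed value, and the embedded sample is a trimmed subset of the posted ruleset with the x.x.x.x placeholder kept.

```python
"""Audit an iptables-save dump: list what INPUT accepts from the untrusted side,
flag broad stateless accepts, and check that RFC 1918 sources are dropped.
Added example, not the post's own; threshold and sample are constructed."""
import ipaddress
import shlex
from dataclasses import dataclass
# Constructed sample: a subset of the posted ruleset, x.x.x.x kept as the
# external-address placeholder (destinations are never parsed as addresses).
SAMPLE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:LD - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -s 172.16.0.0/255.240.0.0 -j LD
-A INPUT -s 192.168.0.0/255.255.0.0 -j LD
-A INPUT -s 10.0.0.0/255.0.0.0 -j LD
-A INPUT -d x.x.x.x -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 20 --dport 1023:65535 ! --tcp-flags SYN,RST,ACK SYN -m state --state RELATED -j ACCEPT
-A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
-A INPUT -d x.x.x.x -p udp -m udp --dport 1023:65535 -j ACCEPT
-A INPUT -j LD
-A LD -j DROP
COMMIT
"""
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WIDE_PORTS = 1024  # constructed threshold: stateless accepts wider than this get flagged
ONE_ARG = {"-i", "-o", "-s", "-d", "-p", "-j", "-m", "--dport", "--sport", "--state", "--icmp-type", "--limit"}

@dataclass
class Rule:
    chain: str
    raw: str
    opts: dict  # option -> value as written in the rule

def parse_rule(line):
    """Tokenize one '-A CHAIN ...' line; unknown options raise rather than hide a rule."""
    toks = shlex.split(line)
    rule, i = Rule(chain=toks[1], raw=line, opts={}), 2
    while i < len(toks):
        t = toks[i]
        if t == "!":              # negates the next match; the audit reads positive selectors only
            i += 1
        elif t == "--tcp-flags":  # two values: mask, and the flags that must be set
            rule.opts[t] = (toks[i + 1], toks[i + 2]); i += 3
        elif t == "-f":           # fragment match, takes no value
            rule.opts[t] = True; i += 1
        elif t in ONE_ARG:
            rule.opts[t] = toks[i + 1]; i += 2
        else:
            raise ValueError(f"unhandled option {t!r} in: {line}")
    return rule

def parse_save(text):
    """Return (chain policies, rules); policy '-' marks a user-defined chain."""
    policies, rules = {}, []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):
            rules.append(parse_rule(line))
    return policies, rules

def port_width(spec):
    """Ports covered by a --dport/--sport spec; None (no port match) means all 65536."""
    if spec is None:
        return 65536
    lo, _, hi = spec.partition(":")
    return int(hi or lo) - int(lo) + 1

def external_accepts(rules, trusted_ifs=("lo", "eth1")):
    """INPUT ACCEPT rules not bound to a trusted interface, i.e. reachable via eth0."""
    return [r for r in rules if r.chain == "INPUT" and r.opts.get("-j") == "ACCEPT"
            and r.opts.get("-i") not in trusted_ifs]

def _net(spec):
    try:  # accepts CIDR or the addr/netmask form iptables-save writes
        return ipaddress.ip_network(spec, strict=False)
    except ValueError:
        return None

def audit(text, trusted_ifs=("lo", "eth1")):
    policies, rules = parse_save(text)
    # A user chain counts as dropping if it contains an unconditional DROP (like LD).
    drops = {"DROP", "REJECT"} | {c for c, p in policies.items() if p == "-"
                                   and any(r.chain == c and r.opts == {"-j": "DROP"} for r in rules)}
    findings = [f"{c} policy is {policies.get(c)!r}, not DROP"
                for c in ("INPUT", "FORWARD") if policies.get(c) != "DROP"]
    for r in external_accepts(rules, trusted_ifs):
        width = port_width(r.opts.get("--dport"))
        if "--state" not in r.opts and r.opts.get("-p") in ("tcp", "udp") and width > WIDE_PORTS:
            findings.append(f"stateless ACCEPT of {width} {r.opts['-p']} ports: {r.raw}")
    # Anti-spoofing: each private block must reach a dropping target on INPUT by a rule not tied to a trusted interface.
    blocked = [n for n in (_net(r.opts["-s"]) for r in rules if r.chain == "INPUT" and "-s" in r.opts
               and r.opts.get("-j") in drops and r.opts.get("-i") not in trusted_ifs) if n]
    findings += [f"no INPUT rule dropping spoofed source {net}"
                 for net in PRIVATE if not any(net.subnet_of(b) for b in blocked)]
    return findings
```

Run `audit(open("/etc/sysconfig/iptables").read())` against the real file; on the sample it reports exactly one finding, the unconditional `--dport 1023:65535` UDP accept that the posted ruleset also contains, while the stateful FTP-data and ESTABLISHED rules and the three private-source LD rules pass. The check is deliberately simple: it reads positive selectors only, skips negated matches, and does not model rule order, so an earlier rule shadowing a later one is not detected and the output is a list of things to look at, not a verdict.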