An acceptable rule set?

Luqman Munawar xht2 at isw.uni-stuttgart.de
Tue Aug 30 18:24:39 CEST 2005


I have read the "iptables tutorial" by Oskar Andreasson and tried to
write a reasonable ruleset for my network scenario. Nothing really
special, but since the host sits behind the university firewall, I hope it
is acceptable as an additional security measure.

Q1) Can you people be nice enough to give your ideas on how/where to
improve it?

Q2) I have introduced variables instead of actual ip-addresses, but
these variables are not being handled correctly.

I receive the following error:

Bad argument `Y_IP="192.168..126.31'
Error occurred at line: 8
Try `iptables-restore -h' or 'iptables-restore --help' for more
information.


The rule set is as follows:

fisw31:~/ToDo# cat /root/ToDo/iptables-save-new
# Generated by iptables-save v1.2.11 on Fri Jul 22 18:20:59 2005
# NOTE(review): this is iptables-save output and is loaded with
# iptables-restore. iptables-restore parses the file itself and does not
# hand lines to a shell, so the MY_*="..." assignments below are read as
# rule text and the $MY_* references are never expanded. That is the
# "Bad argument `Y_IP=..." reported at line 8 of this file (the MY_IP line).
# Either write the literal addresses into the rules, or turn this file into
# a shell script that runs one iptables command per rule; there "$MY_IP"
# style variables do work (quote them).
# NOTE(review): several rules appear here wrapped over two lines (a bare
# "ACCEPT" or "--state ..." on its own line). Presumably that is mail
# wrapping; in the real file each rule must be a single line.
*filter
# Default policy is DROP on all three chains, so every permitted flow needs
# an explicit ACCEPT in both directions. There is no blanket
# "-m state --state ESTABLISHED,RELATED" rule; replies are matched by port.
:INPUT DROP [808:130818]
:FORWARD DROP [0:0]
:OUTPUT DROP [408:29492]


# NOTE(review): "192.168..126.31" has a doubled dot and is not a valid
# dotted-quad address; presumably 192.168.126.31 was meant -- confirm.
MY_IP="192.168..126.31"
MY_MAIL_SERVER="mail.isp.com"
MY_GMX_MAIL_SERVER="mail.gmx.net"
# MY_DNS_SERVER and MY_PROXY_SERVER are the same host; the DNS (53) and
# proxy (8080) rules below are nevertheless kept separate.
MY_DNS_SERVER="192.168.102.14"
MY_PROXY_SERVER="192.168.102.14"


#Allow test connections from loopback to loopback
# Matched on address only (not on the lo interface); loopback traffic
# addressed to $MY_IP itself is not covered by these two rules.
-A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
-A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT


#Accept connection to/from $MY_MAIL_SERVER
# The INPUT rules accept on source port alone (no -m state), unlike the
# DNS and proxy rules further down; adding "-m state --state ESTABLISHED"
# would make them consistent and stop a packet from the mail host reaching
# any local port merely by carrying sport 25/143.
-A INPUT -s $MY_MAIL_SERVER -d $MY_IP -p tcp -m tcp --sport smtp -j
ACCEPT
-A INPUT -s $MY_MAIL_SERVER -d $MY_IP -p tcp -m tcp --sport imap -j
ACCEPT
-A OUTPUT -s $MY_IP -d $MY_MAIL_SERVER -p tcp -m tcp --dport smtp -j
ACCEPT
-A OUTPUT -s $MY_IP -d $MY_MAIL_SERVER -p tcp -m tcp --dport imap -j
ACCEPT

#Accept connection to/from gmx.net
# Same source-port-only matching as above. "-m multiport --dport" with a
# single port appears equivalent to the "-m tcp --dport" form used in the
# rest of this file; one spelling would be easier to read.
-A INPUT -s $MY_GMX_MAIL_SERVER -d $MY_IP -p tcp -m tcp --sport pop3 -j
ACCEPT
-A INPUT -s $MY_GMX_MAIL_SERVER -d $MY_IP -p tcp -m tcp --sport smtp -j
ACCEPT
-A OUTPUT -s $MY_IP -d $MY_GMX_MAIL_SERVER -p tcp -m multiport --dport
pop3 -j ACCEPT
-A OUTPUT -s $MY_IP -d $MY_GMX_MAIL_SERVER -p tcp -m multiport --dport
smtp -j ACCEPT

#Allow connection to/from port 80(http),443(https),22(ssh)
# Inbound to the local http/https/ssh services. Any packet to these ports
# is accepted, including the malformed ones the TCP-flag checks near the
# end are meant to drop, because those checks come later in the chain
# (see the note there).
-A INPUT -d $MY_IP -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -d $MY_IP -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -d $MY_IP -p tcp -m tcp --dport 22 -j ACCEPT

# Outbound client connections to remote http/https/ssh. There is no INPUT
# rule accepting the replies (--sport 80/443/22 to $MY_IP), so outbound
# ssh and any web connection not going via the 8080 proxy below will not
# get its answers back.
-A OUTPUT -s $MY_IP -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -s $MY_IP -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -s $MY_IP -p tcp -m tcp --dport 22 -j ACCEPT


# NOTE(review): the next three rules are byte-for-byte duplicates of the
# three above and can be deleted.
-A OUTPUT -s $MY_IP -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -s $MY_IP -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -s $MY_IP -p tcp -m tcp --dport 22 -j ACCEPT

# Replies from the local ssh/http/https services to their clients.
-A OUTPUT -s $MY_IP -p tcp -m tcp --sport 22 -j ACCEPT
-A OUTPUT -s $MY_IP -p tcp -m tcp --sport 80 -j ACCEPT
-A OUTPUT -s $MY_IP -p tcp -m tcp --sport 443 -j ACCEPT

#check for apt-get connection behaviour to http servers and change
settings for iptables accordingly
# NOTE(review): if the line above really lacks a leading "#" in the file
# (and is not just mail wrapping), iptables-restore will reject it; keep
# the comment on one line or prefix every line of it with "#".
#allow all traffic to/from DNS server ($MY_DNS_SERVER)
# The four commented-out rules below are identical to the four active ones
# that follow them; dead text that can go.
#-A OUTPUT -s $MY_IP -d $MY_DNS_SERVER -p udp -m udp --dport 53 -m state
--state NEW,ESTABLISHED -j ACCEPT
#-A OUTPUT -s $MY_IP -d $MY_DNS_SERVER -p tcp -m tcp --dport 53 -m state
--state NEW,ESTABLISHED -j ACCEPT
#-A INPUT -s $MY_DNS_SERVER -d $MY_IP -p udp -m udp --sport 53 -m state
--state ESTABLISHED -j ACCEPT
#-A INPUT -s $MY_DNS_SERVER -d $MY_IP -p tcp -m tcp --sport 53 -m state
--state ESTABLISHED -j ACCEPT

# DNS: NEW queries out, ESTABLISHED answers back only -- the state
# matching the mail rules above are missing.
-A OUTPUT -s $MY_IP -d $MY_DNS_SERVER -p udp -m udp --dport 53 -m state
--state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -s $MY_IP -d $MY_DNS_SERVER -p tcp -m tcp --dport 53 -m state
--state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s $MY_DNS_SERVER -d $MY_IP -p udp -m udp --sport 53 -m state
--state ESTABLISHED -j ACCEPT
-A INPUT -s $MY_DNS_SERVER -d $MY_IP -p tcp -m tcp --sport 53 -m state
--state ESTABLISHED -j ACCEPT

#connection to proxy-server ($MY_PROXY_SERVER) on port 8080
# NOTE(review): an HTTP proxy is normally reached over TCP only; the UDP
# 8080 pair looks unneeded -- confirm before keeping it.
-A OUTPUT -s $MY_IP -d $MY_PROXY_SERVER -p udp -m udp --dport 8080 -m
state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -s $MY_IP -d $MY_PROXY_SERVER -p tcp -m tcp --dport 8080 -m
state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s $MY_PROXY_SERVER -d $MY_IP -p udp -m udp --sport 8080 -m
state --state ESTABLISHED -j ACCEPT
-A INPUT -s $MY_PROXY_SERVER -d $MY_IP -p tcp -m tcp --sport 8080 -m
state --state ESTABLISHED -j ACCEPT



# Allow ping operation
# Echo request (type 8) and echo reply (type 0) in both directions, for
# $MY_IP and for 127.0.0.1, without any rate limit.
-A INPUT -d $MY_IP -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -d $MY_IP -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -d 127.0.0.1 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -d 127.0.0.1 -p icmp -m icmp --icmp-type 0 -j ACCEPT

-A OUTPUT -s $MY_IP -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -s $MY_IP -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A OUTPUT -s 127.0.0.1 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -s 127.0.0.1 -p icmp -m icmp --icmp-type 0 -j ACCEPT

#Whois connections/connection-replies to/from outside are allowed
# NOTE(review): whois.crsnic.net (like the mail host names above) is
# resolved once, when the rules are loaded, not per packet: loading then
# depends on DNS being reachable, and a name with several addresses may
# expand into several rules. Literal addresses are more predictable.
-A OUTPUT -s $MY_IP -d whois.crsnic.net -p tcp -m tcp --dport 43 -j
ACCEPT
-A INPUT -s whois.crsnic.net -d $MY_IP -p tcp -m tcp --sport 43 -m state
--state ESTABLISHED -j ACCEPT

#Throw away uncommon TCP packets
# NOTE(review): these six drops, the "! --syn NEW" drop and the syn-flood
# jump below all sit after the ACCEPT rules, so a packet that already
# matched an ACCEPT (anything to --dport 22/80/443, or from the mail, DNS
# or proxy hosts) never reaches them. Move this whole group up to directly
# after the loopback rules so it filters before any ACCEPT.
-A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
-A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
-A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

#Throw away unexpected packets and log valid ones
# The LOG rule logs INVALID packets (not "valid ones" as the comment says),
# rate-limited to 10/minute; LOG is non-terminating, so they then fall
# through to the chain's DROP policy. "-mstate" appears to be the
# attached-argument spelling of "-m state" used everywhere else; worth
# normalising for readability.
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
-A INPUT -p tcp -mstate --state INVALID -m limit --limit 10/m -j LOG
--log-level info

#SYN-Flood-Protection
# syn-flood chain: RETURN (continue in INPUT) for an average of 1 SYN/s
# with a burst of 4, DROP the rest. See the ordering note above -- as
# placed, SYNs to the accepted service ports never get here.
-N syn-flood
-A INPUT -p tcp --syn -j syn-flood
-A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
-A syn-flood -j DROP

#HTTP-CONNECT requests to be denied
# Commented out; left as is.
#-A INPUT -p tcp -d 0/0 --dport 80 -m string --string "CONNECT" -j
REJECT

#Limit number of connections
# NOTE(review): this does not limit connections. "--limit 2" with no unit
# is, as far as I recall, 2 per hour (iptables' default unit, burst 5),
# and the action is REJECT, so only a handful of the TCP packets reaching
# this point per hour get a tcp-reset and everything else falls through to
# the DROP policy. For a polite reject on closed ports, drop the -m limit;
# for a real per-source cap, the connlimit match (where available) is the
# tool.
-A INPUT -p tcp -m limit --limit 2 -j REJECT --reject-with tcp-reset

COMMIT
# Completed on Fri Jul 22 18:20:59 2005



-- 
Luqman Munawar


