An acceptable rule set?

/dev/rob0 rob0 at
Tue Aug 30 19:04:31 CEST 2005

On Tuesday 2005-August-30 11:24, Luqman Munawar wrote:
> I have read the "iptables tutorial2 by Oskar Andreasson and tried to
> write a reasonable ruleset for my network scenario. Not really
> something special but being behind a firewall of university, I hope
> it is acceptable as an additional security measure.

In general I would not expect very much protection from something under 
the control of university IT departments. OTOH you're apparently on a 
NAT'ed RFC 1918 IP, so your only real security concern are attackers 
from within the university. That could be a major concern.

> Q1) Can you people be nice enough to give your ideas about how/where
> to improve it.

Packet Filtering HOWTO: INPUT: accept all --state RELATED,ESTABLISHED 
traffic, accept services you want open, default policy DROP. OUTPUT 
default policy ACCEPT. FORWARD policy DROP, and no rules unless you're 
acting as a router. Why complicate things?

> Q2) I have introduced variables instead of actual ip-addresses, but
> these variables are not being handled correctly.
> I receive following error:
> Bad argument `Y_IP="192.168..126.31'

Did you read that error? What do you think about it?

> Error occurred at line: 8
> Try `iptables-restore -h' or 'iptables-restore --help' for more
> information.
> The rule set is as following:
> fisw31:~/ToDo# cat /root/ToDo/iptables-save-new
> # Generated by iptables-save v1.2.11 on Fri Jul 22 18:20:59 2005
> *filter
> :INPUT DROP [808:130818]
> :OUTPUT DROP [408:29492]
> MY_IP="192.168..126.31"

For one thing, that is not a proper representation of an IP address. I 
see what appears to be an extra "." in the middle. For another thing, 
iptables-restore(8) is not sh(1), and it cannot read shell variable 

You could do what you're trying to do with a bash "here document" to 
generate your rules and pipe them to the stdin of iptables-restore(8). 
Your main area of confusion is in thinking that your iptables rules 
file was a shell script.

> #Allow connection to/from port 80(http),443(https),22(ssh)
> -A INPUT -d $MY_IP -p tcp -m tcp --dport 80 -j ACCEPT
> -A INPUT -d $MY_IP -p tcp -m tcp --dport 443 -j ACCEPT
> -A INPUT -d $MY_IP -p tcp -m tcp --dport 22 -j ACCEPT

Other than aforementioned syntax problems, okay ...

> -A OUTPUT -s $MY_IP -p tcp -m tcp --dport 80 -j ACCEPT
> -A OUTPUT -s $MY_IP -p tcp -m tcp --dport 443 -j ACCEPT
> -A OUTPUT -s $MY_IP -p tcp -m tcp --dport 22 -j ACCEPT

... but these rules do not allow replies back out. Think about the 
difference between --dport and --sport! (Yes, there are --sport rules 
further down.)

I've lectured about OUTPUT filtering here before. My bottom line on 
that: anyone who needs to ask questions here probably should not be 
doing OUTPUT filtering.
    mail to this address is discarded unless "/dev/rob0"
    or "not-spam" is in Subject: header

More information about the netfilter mailing list