An acceptable rule set?
rob0 at gmx.co.uk
Tue Aug 30 19:04:31 CEST 2005
On Tuesday 2005-August-30 11:24, Luqman Munawar wrote:
> I have read the "iptables tutorial" by Oskar Andreasson and tried to
> write a reasonable ruleset for my network scenario. Not really
> something special but being behind a firewall of university, I hope
> it is acceptable as an additional security measure.
In general I would not expect very much protection from something under
the control of university IT departments. OTOH you're apparently on a
NAT'ed RFC 1918 IP, so your only real security concern is attackers
from within the university. That could be a major concern.
> Q1) Can you people be nice enough to give your ideas about how/where
> to improve it.
Packet Filtering HOWTO: INPUT: accept all --state RELATED,ESTABLISHED
traffic, accept services you want open, default policy DROP. OUTPUT
default policy ACCEPT. FORWARD policy DROP, and no rules unless you're
acting as a router. Why complicate things?
> Q2) I have introduced variables instead of actual ip-addresses, but
> these variables are not being handled correctly.
> I receive following error:
> Bad argument `Y_IP="192.168..126.31'
Did you read that error? What do you think about it?
> Error occurred at line: 8
> Try `iptables-restore -h' or 'iptables-restore --help' for more
> The rule set is as following:
> fisw31:~/ToDo# cat /root/ToDo/iptables-save-new
> # Generated by iptables-save v1.2.11 on Fri Jul 22 18:20:59 2005
> :INPUT DROP [808:130818]
> :FORWARD DROP [0:0]
> :OUTPUT DROP [408:29492]
For one thing, that is not a proper representation of an IP address. I
see what appears to be an extra "." in the middle. For another thing,
iptables-restore(8) is not sh(1), and it cannot read shell variables.
You could do what you're trying to do with a bash "here document" to
generate your rules and pipe them to the stdin of iptables-restore(8).
Your main area of confusion is in thinking that your iptables rules
file was a shell script.
> #Allow connection to/from port 80(http),443(https),22(ssh)
> -A INPUT -d $MY_IP -p tcp -m tcp --dport 80 -j ACCEPT
> -A INPUT -d $MY_IP -p tcp -m tcp --dport 443 -j ACCEPT
> -A INPUT -d $MY_IP -p tcp -m tcp --dport 22 -j ACCEPT
Other than aforementioned syntax problems, okay ...
> -A OUTPUT -s $MY_IP -p tcp -m tcp --dport 80 -j ACCEPT
> -A OUTPUT -s $MY_IP -p tcp -m tcp --dport 443 -j ACCEPT
> -A OUTPUT -s $MY_IP -p tcp -m tcp --dport 22 -j ACCEPT
... but these rules do not allow replies back out. Think about the
difference between --dport and --sport! (Yes, there are --sport rules
I've lectured about OUTPUT filtering here before. My bottom line on
that: anyone who needs to ask questions here probably should not be
doing OUTPUT filtering.
mail to this address is discarded unless "/dev/rob0"
or "not-spam" is in Subject: header
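The here-document approach the reply suggests, as an added example that is not part of the original post or of the iptables project: the shell expands the variables, and iptables-restore(8) only ever sees literal addresses. The script also checks the address before generating anything, so a typo like the double dot in "192.168..126.31" is caught by the shell rather than by iptables-restore. The rule layout follows the Packet Filtering HOWTO shape described above (INPUT DROP with RELATED,ESTABLISHED accepted, OUTPUT ACCEPT, FORWARD DROP). The function names, the port list and the address 192.168.126.31 are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original post): build an iptables-restore
# file from shell variables with a here document.  iptables-restore(8)
# does not expand $VARS, so the shell must expand them first.

# Return 0 if $1 is four dotted decimal octets (0-255), 1 otherwise.
# Catches the "192.168..126.31" form seen in the thread.
valid_ipv4() {
    ip=$1
    case $ip in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;   # junk chars, leading/trailing/double dot
    esac
    oldifs=$IFS
    IFS=.
    set -- $ip                              # split into octets (IFS is a dot here)
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Emit a complete iptables-restore file on stdout for host $1, accepting
# new TCP connections to the ports listed in $2 (space separated).
# Layout: INPUT DROP + RELATED,ESTABLISHED accepted, OUTPUT ACCEPT,
# FORWARD DROP, no OUTPUT filtering.
gen_rules() {
    my_ip=$1
    ports=$2
    if ! valid_ipv4 "$my_ip"; then
        echo "gen_rules: '$my_ip' is not a valid IPv4 address" >&2
        return 1
    fi
    # Unquoted EOF: $my_ip is expanded by the shell before cat sees it.
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
EOF
    for p in $ports; do
        echo "-A INPUT -d $my_ip -p tcp -m tcp --dport $p -j ACCEPT"
    done
    echo COMMIT
}

# Usage (assumed address and port list).  To load for real, as root:
#   gen_rules "$MY_IP" "$OPEN_PORTS" | iptables-restore
# This example only prints the generated file.
MY_IP=192.168.126.31
OPEN_PORTS="22 80 443"
gen_rules "$MY_IP" "$OPEN_PORTS"
```

Because the shell has already substituted the address, the file that reaches iptables-restore contains no `$MY_IP` at all; that is the whole difference between a shell script and an iptables-save dump.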