SVN-20110816

Kevin Day thekevinday at gmail.com
Wed Aug 17 16:40:23 PDT 2011


On Tue, Aug 16, 2011 at 7:05 PM, Robert Connolly
<robert at linuxfromscratch.org> wrote:
> Iptables added, but lacking rules. I would appreciate ideas.
>
> robert

Below is a rough idea of some of my basic firewall rules (some of
which need review).

### Basic Stuff
  ## (these rules assume the chain policies are set to DROP, so that
  ## anything not explicitly accepted below is discarded)
  ## loopback support
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A OUTPUT -o lo -j ACCEPT

  ## drop loopback spoof attacks (must follow the above 2 rules) (is
  ## this necessary and does it actually work?)
  ## (only packets that did not arrive on lo can be spoofed loopback
  ## traffic; 127.0.0.0/8 covers more than 127.0.0.1)
  iptables -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
  iptables -A INPUT ! -i lo -d 127.0.0.0/8 -j DROP

  ## free-reign to already established & related connections
  iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

  ## prevent an XMAS attack
  iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

  ## prevent NULL attack
  iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

  ## force SYN packets check
  iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

  ## drop invalid packets
  iptables -A INPUT -m state --state INVALID -j DROP
  iptables -A OUTPUT -m state --state INVALID -j DROP



### if you want to block common ip-spoof attacks, then uncomment the
### following if the networks are not in use.
  ## reserved or private source ranges that never legitimately arrive
  ## from the outside (RFC 1918, RFC 5735); multicast and class E are
  ## /4, not /8, and 127.0.0.0/8 is spoofed only when it is not on lo
  #iptables -A INPUT -s 0.0.0.0/8      -j DROP
  #iptables -A INPUT -s 10.0.0.0/8     -j DROP
  #iptables -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
  #iptables -A INPUT -s 169.254.0.0/16 -j DROP
  #iptables -A INPUT -s 172.16.0.0/12  -j DROP
  #iptables -A INPUT -s 192.168.0.0/16 -j DROP
  #iptables -A INPUT -s 224.0.0.0/4    -j DROP
  #iptables -A INPUT -s 240.0.0.0/4    -j DROP

  ## the /8 blocks below appeared on older bogon lists but have since
  ## been assigned by IANA and carry legitimate traffic; dropping them
  ## blocks real hosts, so leave them commented out
  #iptables -A INPUT -s 1.0.0.0/8      -j DROP
  #iptables -A INPUT -s 2.0.0.0/8      -j DROP
  #iptables -A INPUT -s 5.0.0.0/8      -j DROP
  #iptables -A INPUT -s 7.0.0.0/8      -j DROP
  #iptables -A INPUT -s 23.0.0.0/8     -j DROP
  #iptables -A INPUT -s 27.0.0.0/8     -j DROP
  #iptables -A INPUT -s 31.0.0.0/8     -j DROP
  #iptables -A INPUT -s 36.0.0.0/8     -j DROP
  #iptables -A INPUT -s 39.0.0.0/8     -j DROP
  #iptables -A INPUT -s 41.0.0.0/8     -j DROP
  #iptables -A INPUT -s 42.0.0.0/8     -j DROP
  #iptables -A INPUT -s 58.0.0.0/8     -j DROP
  #iptables -A INPUT -s 59.0.0.0/8     -j DROP
  #iptables -A INPUT -s 60.0.0.0/8     -j DROP
  #iptables -A INPUT -s 197.0.0.0/8    -j DROP



### The following handles acceptance by port group (comment or
### uncomment as you see fit)
  ## allow Well-known port input: 0-1023
  #iptables -A INPUT -p tcp --dport 0:1023 -m state --state NEW -j ACCEPT
  #iptables -A INPUT -p udp --dport 0:1023 -m state --state NEW -j ACCEPT


  ## allow registered ports: 1024-49151
  #iptables -A INPUT -p tcp --dport 1024:49151 -m state --state NEW -j ACCEPT
  #iptables -A INPUT -p udp --dport 1024:49151 -m state --state NEW -j ACCEPT


  ## allow all other ports: 49152-61000
  ## For ease of the beginners, enable these by default
  ## (replies to this host's own outbound connections are already
  ## admitted by the ESTABLISHED,RELATED rule above; what these accept
  ## is unsolicited inbound connections to any service listening in the
  ## dynamic port range)
  iptables -A INPUT -p tcp --dport 49152:61000 -m state --state NEW -j ACCEPT
  iptables -A INPUT -p udp --dport 49152:61000 -m state --state NEW -j ACCEPT


  ## allow all other ports: 61001-65535
  ## For ease of the beginners, enable these by default
  iptables -A INPUT -p tcp --dport 61001:65535 -m state --state NEW -j ACCEPT
  iptables -A INPUT -p udp --dport 61001:65535 -m state --state NEW -j ACCEPT


  ## allow Well-known port output: 0-1023
  #iptables -A OUTPUT -p tcp --dport 0:1023 -m state --state NEW -j ACCEPT
  #iptables -A OUTPUT -p udp --dport 0:1023 -m state --state NEW -j ACCEPT


  ## allow registered ports: 1024-49151
  #iptables -A OUTPUT -p tcp --dport 1024:49151 -m state --state NEW -j ACCEPT
  #iptables -A OUTPUT -p udp --dport 1024:49151 -m state --state NEW -j ACCEPT


  ## allow all other ports: 49152-61000
  # For ease of the uneducated, enable these by default
  iptables -A OUTPUT -p tcp --dport 49152:61000 -m state --state NEW -j ACCEPT
  iptables -A OUTPUT -p udp --dport 49152:61000 -m state --state NEW -j ACCEPT


  ## allow all other ports: 61001-65535
  # For ease of the uneducated, enable these by default
  iptables -A OUTPUT -p tcp --dport 61001:65535 -m state --state NEW -j ACCEPT
  iptables -A OUTPUT -p udp --dport 61001:65535 -m state --state NEW -j ACCEPT



### Here is a small list of applications that I know about and believe
are common enough
  ## NTP (Network Time Protocol Traffic)
  ## (ntpd sends from source port 123; clients that use an unprivileged
  ## source port, such as "ntpdate -u" or sntp, need the OUTPUT rule
  ## without --sport 123)
  #iptables -A OUTPUT -p udp --sport 123 --dport 123 -m state --state NEW -j ACCEPT
  #iptables -A INPUT -p udp --sport 123 --dport 123 -m state --state NEW -j ACCEPT

  ## DHCP Client Renewals (Is the OUTBOUND something like: --sport 68
  ## --dport 67?)
  ## (the client sends from port 68 to port 67; the offer/ack comes back
  ## from the server's own address, port 67, to port 68, addressed either
  ## to 255.255.255.255 or to the leased address, so the source must not
  ## be pinned to 0.0.0.0; ISC dhclient's broadcast traffic goes through
  ## a packet socket that netfilter does not filter, while its unicast
  ## renewals use an ordinary UDP socket that these rules do cover)
  #iptables -A OUTPUT -p udp --sport 68 --dport 67 -m state --state NEW -j ACCEPT
  #iptables -A INPUT  -p udp --sport 67 --dport 68 -m state --state NEW -j ACCEPT

  ## DHCP Server (why do I have two inputs??)
  ## (a server receives on port 67 from client port 68 and answers from
  ## port 67 to port 68)
  #iptables -A INPUT  -p udp --sport 68 --dport 67 -m state --state NEW -j ACCEPT
  #iptables -A OUTPUT -p udp --sport 67 --dport 68 -m state --state NEW -j ACCEPT

  ## Http/Web
  #iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT

  ## Https/SecureWeb
  #iptables -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT

  ## MySQL
  ## (add -s <trusted network> unless the database really must be
  ## reachable from anywhere)
  #iptables -A INPUT -p tcp --dport 3306 -m state --state NEW -j ACCEPT

  ## Postgresql
  ## (same remark as for MySQL)
  #iptables -A INPUT -p tcp --dport 5432 -m state --state NEW -j ACCEPT

  ## Cups Printer Administration
  #iptables -A INPUT -p tcp --dport 631 -m state --state NEW -j ACCEPT

  ## Ssh (OpenSSH)
  #iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

  ## VNC (Virtual Network Computing) server (add 1 to the port for each separate vnc server)
  #iptables -A INPUT -p tcp --dport 5900 -m state --state NEW -j ACCEPT

  ## Xorg's Server Port (display :N listens on 6000+N)
  #iptables -A INPUT -p tcp --dport 6000 -m state --state NEW -j ACCEPT

  ## Samba/Windows Shared Network Communication (Good luck with
  ## figuring out the output)
  ## (NetBIOS name service is 137/udp, datagram service 138/udp, session
  ## service 139/tcp, and SMB over TCP is 445/tcp; 136 is not an SMB port)
  #iptables -A INPUT -p udp --dport 137 -m state --state NEW -j ACCEPT
  #iptables -A INPUT -p udp --dport 138 -m state --state NEW -j ACCEPT
  #iptables -A INPUT -p tcp --dport 139 -m state --state NEW -j ACCEPT
  #iptables -A INPUT -p tcp --dport 445 -m state --state NEW -j ACCEPT
  ## do not use the --sport rules below: replies to traffic this host
  ## initiates are already admitted by the ESTABLISHED,RELATED rule, and a
  ## remote host can choose its source port, so an INPUT ACCEPT keyed on
  ## --sport alone opens every local port to anyone sending from that port
  #iptables -A INPUT -p udp --sport 137 -j ACCEPT
  #iptables -A INPUT -p udp --sport 138 -j ACCEPT
  #iptables -A INPUT -p tcp --sport 139 -j ACCEPT
  #iptables -A INPUT -p tcp --sport 445 -j ACCEPT

  ## Ping/Pong (With inbound pings limited to 1 per second)
  ## (requests above the limit fall through to whatever follows, so the
  ## limit only bites when the chain policy, or a later rule, drops them)
  #iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/s -j ACCEPT
  #iptables -A OUTPUT -p icmp --icmp-type 8 -j ACCEPT

  ## iSCSI Target (I know I haven't really tested this one..)
  #iptables -A INPUT -p tcp --dport 3260 -m state --state NEW -j ACCEPT



### Suggestion for logging to dmesg or syslog
  ## log new packets (placed last, these log only what the rules above
  ## did not accept; rate limited so a flood cannot fill the log)
  #iptables -A INPUT  -m state --state NEW -m limit --limit 5/min -j LOG --log-prefix "FIREWALL:INPUT "
  #iptables -A OUTPUT -m state --state NEW -m limit --limit 5/min -j LOG --log-prefix "FIREWALL:OUTPUT "


-- 
Kevin Day
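The ruleset in the post, as an added example that is not part of Kevin's message and not HLFS project code: the same policy written as an atomic iptables-restore file (default-deny on all three chains, loopback-spoof and reserved-range drops checked before the ESTABLISHED rule, explicit service allows, rate-limited ping and logging), together with a small lint that flags INPUT ACCEPT rules keyed only on the remote --sport, the pattern in the post's Samba block. The outside interface name eth0, the open service ports 22 and 80, and the sample rules in posted_samba_rules are assumptions; the example uses the conntrack match, the successor of the -m state match used in the post.

```shell
#!/bin/sh
# Added example; not code from the hlfs-dev post or the HLFS project.
# Assumptions: the outside interface is eth0 and the host runs ssh (22) and
# http (80); the rules in posted_samba_rules are constructed for the lint.

# Emit the policy as an iptables-restore file.  `iptables-restore < file`
# replaces the whole table in one operation, so there is no window during
# loading in which the chain is half-built under an ACCEPT policy, which is
# what a sequence of `iptables -A` commands leaves open.
gen_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:BOGON - [0:0]
# loopback first; anything claiming 127/8 that did not arrive on lo is spoofed
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
# unroutable or private source ranges (RFC 1918, RFC 5735); checked before
# the ESTABLISHED rule so a spoofed packet can never be "established"
-A BOGON -s 0.0.0.0/8 -j DROP
-A BOGON -s 10.0.0.0/8 -j DROP
-A BOGON -s 169.254.0.0/16 -j DROP
-A BOGON -s 172.16.0.0/12 -j DROP
-A BOGON -s 192.168.0.0/16 -j DROP
-A BOGON -s 224.0.0.0/4 -j DROP
-A BOGON -s 240.0.0.0/4 -j DROP
-A BOGON -j RETURN
-A INPUT -i eth0 -j BOGON
# replies to our own traffic, then malformed packets and TCP flag games
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
-A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
# services this host actually offers (assumed: ssh and http)
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
# inbound ping, rate limited: the excess reaches the LOG rule and the DROP policy
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
# this host may open new connections outward
-A OUTPUT -m conntrack --ctstate NEW -j ACCEPT
# log what is about to be dropped, rate limited so a flood cannot fill the disk
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "FIREWALL:INPUT "
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "FIREWALL:OUTPUT "
COMMIT
EOF
}

# Lint: print INPUT ACCEPT rules whose only port match is the remote --sport.
# The remote side chooses its own source port, so such a rule opens every
# local port to anyone who sends from that port; genuine replies are already
# covered by ESTABLISHED,RELATED, so the rule is never needed.
lint_sport_accept() {
    grep -E -- '-A INPUT .*--sport ' | grep -v -- '--dport ' | grep -E -- '-j ACCEPT$'
}

# Constructed sample in the shape of the post's Samba block (not the post's text).
posted_samba_rules() {
    cat <<'EOF'
-A INPUT -p tcp --dport 139 -j ACCEPT
-A INPUT -p tcp --dport 445 -j ACCEPT
-A INPUT -p udp --sport 137 -j ACCEPT
-A INPUT -p tcp --sport 139 -j ACCEPT
-A INPUT -p tcp --sport 445 -j ACCEPT
EOF
}

# Number of offending rules on stdin: 0 for gen_ruleset, 3 for the sample.
count_sport_accept() {
    lint_sport_accept | wc -l | tr -d ' '
}

case "${1:-}" in
    --print) gen_ruleset ;;
    --lint)  posted_samba_rules | lint_sport_accept ;;
    --apply) gen_ruleset | iptables-restore ;;   # needs root and iptables
esac
```

`./fw.sh --print | iptables-restore --test` checks the syntax without touching the running tables; `--lint` can be pointed at any existing ruleset with `iptables-save | lint_sport_accept` to find the same mistake in a live system.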



More information about the hlfs-dev mailing list