From: Luqman Munawar <xht2@isw.uni-stuttgart.de>
To: Netfilter Mailing List <netfilter@lists.netfilter.org>
Subject: An acceptable rule set?
Date: Tue, 30 Aug 2005 18:24:39 +0200
Message-ID: <20050830162439.GA501@fisw31>
I have read the "iptables tutorial" by Oskar Andreasson and tried to
write a reasonable ruleset for my network scenario. Not really something
special, but being behind the university's firewall, I hope it is
acceptable as an additional security measure.
Q1) Can you people be nice enough to give your ideas about how/where to
improve it?
Q2) I have introduced variables instead of actual IP addresses, but
these variables are not being handled correctly.
I receive the following error:
Bad argument `Y_IP="192.168..126.31'
Error occurred at line: 8
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
The rule set is as follows:
fisw31:~/ToDo# cat /root/ToDo/iptables-save-new
# Generated by iptables-save v1.2.11 on Fri Jul 22 18:20:59 2005
*filter
:INPUT DROP [808:130818]
:FORWARD DROP [0:0]
:OUTPUT DROP [408:29492]
MY_IP="192.168..126.31"
MY_MAIL_SERVER="mail.isp.com"
MY_GMX_MAIL_SERVER="mail.gmx.net"
MY_DNS_SERVER="192.168.102.14"
MY_PROXY_SERVER="192.168.102.14"
#Allow test connections from loopback to loopback
-A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
-A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
#Accept connection to/from $MY_MAIL_SERVER
-A INPUT -s $MY_MAIL_SERVER -d $MY_IP -p tcp -m tcp --sport smtp -j ACCEPT
-A INPUT -s $MY_MAIL_SERVER -d $MY_IP -p tcp -m tcp --sport imap -j ACCEPT
-A OUTPUT -s $MY_IP -d $MY_MAIL_SERVER -p tcp -m tcp --dport smtp -j ACCEPT
-A OUTPUT -s $MY_IP -d $MY_MAIL_SERVER -p tcp -m tcp --dport imap -j ACCEPT
#Accept connection to/from gmx.net
-A INPUT -s $MY_GMX_MAIL_SERVER -d $MY_IP -p tcp -m tcp --sport pop3 -j ACCEPT
-A INPUT -s $MY_GMX_MAIL_SERVER -d $MY_IP -p tcp -m tcp --sport smtp -j ACCEPT
-A OUTPUT -s $MY_IP -d $MY_GMX_MAIL_SERVER -p tcp -m multiport --dport pop3 -j ACCEPT
-A OUTPUT -s $MY_IP -d $MY_GMX_MAIL_SERVER -p tcp -m multiport --dport smtp -j ACCEPT
#Allow connection to/from port 80(http),443(https),22(ssh)
-A INPUT -d $MY_IP -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -d $MY_IP -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -d $MY_IP -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -s $MY_IP -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -s $MY_IP -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -s $MY_IP -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -s $MY_IP -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -s $MY_IP -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -s $MY_IP -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -s $MY_IP -p tcp -m tcp --sport 22 -j ACCEPT
-A OUTPUT -s $MY_IP -p tcp -m tcp --sport 80 -j ACCEPT
-A OUTPUT -s $MY_IP -p tcp -m tcp --sport 443 -j ACCEPT
#check for apt-get connection behaviour to http servers and change settings for iptables accordingly
#allow all traffic to/from DNS server ($MY_DNS_SERVER)
#-A OUTPUT -s $MY_IP -d $MY_DNS_SERVER -p udp -m udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
#-A OUTPUT -s $MY_IP -d $MY_DNS_SERVER -p tcp -m tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
#-A INPUT -s $MY_DNS_SERVER -d $MY_IP -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
#-A INPUT -s $MY_DNS_SERVER -d $MY_IP -p tcp -m tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -s $MY_IP -d $MY_DNS_SERVER -p udp -m udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -s $MY_IP -d $MY_DNS_SERVER -p tcp -m tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s $MY_DNS_SERVER -d $MY_IP -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -s $MY_DNS_SERVER -d $MY_IP -p tcp -m tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT
#connection to proxy-server ($MY_PROXY_SERVER) on port 8080
-A OUTPUT -s $MY_IP -d $MY_PROXY_SERVER -p udp -m udp --dport 8080 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -s $MY_IP -d $MY_PROXY_SERVER -p tcp -m tcp --dport 8080 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s $MY_PROXY_SERVER -d $MY_IP -p udp -m udp --sport 8080 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -s $MY_PROXY_SERVER -d $MY_IP -p tcp -m tcp --sport 8080 -m state --state ESTABLISHED -j ACCEPT
# Allow ping operation
-A INPUT -d $MY_IP -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -d $MY_IP -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -d 127.0.0.1 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -d 127.0.0.1 -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A OUTPUT -s $MY_IP -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -s $MY_IP -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A OUTPUT -s 127.0.0.1 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -s 127.0.0.1 -p icmp -m icmp --icmp-type 0 -j ACCEPT
#Whois connections/connection-replies to/from outside are allowed
-A OUTPUT -s $MY_IP -d whois.crsnic.net -p tcp -m tcp --dport 43 -j ACCEPT
-A INPUT -s whois.crsnic.net -d $MY_IP -p tcp -m tcp --sport 43 -m state --state ESTABLISHED -j ACCEPT
#Throw away uncommon TCP packets
-A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
-A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
-A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
#Throw away unexpected packets and log valid ones
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
-A INPUT -p tcp -mstate --state INVALID -m limit --limit 10/m -j LOG --log-level info
#SYN-Flood-Protection
-N syn-flood
-A INPUT -p tcp --syn -j syn-flood
-A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
-A syn-flood -j DROP
#HTTP-CONNECT requests to be denied
#-A INPUT -p tcp -d 0/0 --dport 80 -m string --string "CONNECT" -j REJECT
#Limit number of connections
-A INPUT -p tcp -m limit --limit 2 -j REJECT --reject-with tcp-reset
COMMIT
# Completed on Fri Jul 22 18:20:59 2005
--
Luqman Munawar
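The "Bad argument" in Q2 comes from the file format itself: iptables-restore reads literal rule lines and has no notion of shell variables, so the MY_IP="..." assignment and every $MY_IP reference are passed to the rule parser as-is. The usual way to keep variables is to have the shell do the expansion and pipe the result into iptables-restore. The script below is an added example, not the poster's ruleset and not part of the original mail; it reuses the post's addresses as constructed placeholders (with the doubled dot in MY_IP corrected) and goes a little beyond the post by replacing the per-service --sport ACCEPT rules with one ESTABLISHED,RELATED rule per chain, which is how the post's DNS and proxy rules already work.

```shell
#!/bin/sh
# Added example, not the poster's ruleset: iptables-restore reads a plain
# rule file and knows nothing about shell variables, so the MY_IP="..." lines
# and the $MY_IP references are what produce the "Bad argument" error.
# Letting the shell expand the variables and piping the result into
# iptables-restore keeps the variables and gives the restorer the literal
# addresses it expects. Values below are constructed placeholders based on
# the post (the doubled dot in the post's MY_IP is corrected here).

MY_IP="192.168.126.31"
MY_DNS_SERVER="192.168.102.14"
MY_PROXY_SERVER="192.168.102.14"
# Host names are resolved by iptables while loading; with a DROP policy and
# the DNS rules not yet in place that lookup can fail, so addresses are safer.
MY_MAIL_SERVER="mail.isp.com"

# Print the ruleset with every variable already substituted. The heredoc
# delimiter is unquoted, so the shell expands $VAR inside the body.
render_ruleset() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# replies to connections this host opened (replaces one --sport rule per service)
-A INPUT -d $MY_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -s $MY_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
# DNS, only to the configured resolver
-A OUTPUT -s $MY_IP -d $MY_DNS_SERVER -p udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -s $MY_IP -d $MY_DNS_SERVER -p tcp --dport 53 -m state --state NEW -j ACCEPT
# proxy
-A OUTPUT -s $MY_IP -d $MY_PROXY_SERVER -p tcp --dport 8080 -m state --state NEW -j ACCEPT
# mail (smtp 25, imap 143), web and ssh out; web and ssh in
-A OUTPUT -s $MY_IP -d $MY_MAIL_SERVER -p tcp -m multiport --dports 25,143 -m state --state NEW -j ACCEPT
-A OUTPUT -s $MY_IP -p tcp -m multiport --dports 22,80,443 -m state --state NEW -j ACCEPT
-A INPUT -d $MY_IP -p tcp -m multiport --dports 22,80,443 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Refuse to load anything that still contains an unexpanded $VAR.
check_expanded() {
    if render_ruleset | grep -q '\$'; then
        echo "ruleset still contains an unexpanded variable" >&2
        return 1
    fi
    return 0
}

# Number of -A rules in the rendered set, handy for a quick before/after diff.
rule_count() {
    render_ruleset | grep -c '^-A'
}

# Usage: ./fw.sh apply   (loads the set; ./fw.sh alone only prints it)
if [ "${1:-}" = "apply" ]; then
    check_expanded && render_ruleset | iptables-restore
else
    render_ruleset
fi
```

Running the script without arguments prints the expanded file, so the text that would reach iptables-restore can be read (or saved and diffed) before anything is loaded; only the apply argument pipes it into iptables-restore.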
Thread overview: 2+ messages
2005-08-30 16:24 Luqman Munawar [this message]
2005-08-30 17:04 ` An acceptable rule set? /dev/rob0