Re: Is this firewall good enough? - Aleksandar Milivojevic

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Aleksandar Milivojevic <amilivojevic@pbl.ca>
To: Netfilter User Mailinglist <netfilter@lists.netfilter.org>
Subject: Re: Is this firewall good enough?
Date: Wed, 09 Jun 2004 10:12:03 -0500	[thread overview]
Message-ID: <40C728C3.8080406@pbl.ca> (raw)
In-Reply-To: <20040609081453.75751.qmail@web14704.mail.yahoo.com>

Sagara Wijetunga wrote:
> I noted --syn can only be used with protocol tcp. How
> do I write a similar rule to accept connections to udp
> port 53?

UDP is stateless protocol.  So you have to choices.

Not using connection tracking:

    -A INPUT -p udp --dport 53 -j ACCEPT
    -A OUTPUT -p udp --sport 53 -j ACCEPT

Using connection tracking:

    -A INPUT -p udp --dport 53 -m state --state NEW -j ACCEPT

Both would allow for inbound DNS.  You'll probably want to allow
outbound also.

Somehow I don't think you'll have that much traffic that you will need
to worry about overhead of connection tracking (not even for DNS, as
discussed earlier in this thread).  So I would recommend using it in
your case.  For example, at home I'm using old 200MHz Pentium MMX as
firewall, and it is perfectly capable to handle two interfaces (~3Mbps
(effectivly) cable, and 100Mbps LAN) with connection tracking.

The connection tracking line mentioned above assumes you have a line to
handle outbound packets (responses) equivalent to:

    -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

While we are at it, I would replace the line you have:

    -P OUTPUT ACCEPT

With:

    -P OUTPUT DROP
    -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

(you might want to put this lines at top)

This would limit outbound packets to responses to already established
connections.  This addresses the issue some people pointed out to you
already (that you configured the box as both client and server).  If you
want something to originate from your server, add it explicitly.  You
would probably need to allow DNS server to make outbound connections.
Another example would be to allow you to ping from your server:

    -A OUTPUT -p icmp --icmp-type ping --state NEW -j ACCEPT

For FTP, you need only to allow NEW connections to port 21.  Data
connections will be RELATED, so you don't need separate line for them.
This is if you are using connection tracking.  For this to work, you'll
probably need to load ip_conntrack_ftp module manualy ("modprobe
ip_contrack_ftp" should do it).

So in short, I would organize things somethine like this:

    # Have this at top
    -P INPUT DROP
    -P OUTPUT DROP
    -P FORWARD DROP
    # Unomment FORWARD line and add rules to FORWARD chain if
    # this box is router.  99% of packets will match these three
    # rules, so it makes sense to have them first.
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Put inbound things you need here, these depend on OUTPUT line
    # from first section.  For example:
    -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
    -A INPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
    -A INPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
    -A INPUT -p tcp --dport 110 -m state --state NEW -j ACCEPT
       ...  add other services you have ...
    # Put outbound things you need here, these depend on INPUT line
    # from first section:
    -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
    -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
    -A OUTPUT -p icmp --icmp-type ping --state NEW -j ACCEPT
       ...  add more as needed ...

If some of the services should be accessble only from LAN, than make
more restrictive rule.  For example, replacing POP3 line with:

    -A INPUT -p tcp -s 192.168.0.0/16 --dport 110 -m state --state NEW
-j ACCEPT

If your box has two separate interfaces (LAN and WAN), you can use even
more specific rule (assuming eth1 is LAN interface):

    -A INPUT -i eth1 -p tcp -s 192.168.0.0/16 --dport 110 -m state
--state NEW -j ACCEPT

These rules could be refined in many ways to make things more strict
(and secure).  But with so many services running on a single box, it is
questinable if you would gain anything.

> I don't see a good explanation of tcp-flags either on
> iptables man pages or Packet Filtering HOWTO. What are
> meaning of SYN,ACK,FIN,RST,URG,PSH? What combinations
> can be logged/dropped?

TCP flags are explained in many fine books.  I guess searching a web
(for example using Google) would result in many pages with good
explanations of those.  No point in explaining them again and again in
every single piece of networking software ;-)

-- 
Aleksandar Milivojevic <amilivojevic@pbl.ca>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7

next prev parent reply	other threads:[~2004-06-09 15:12 UTC|newest]

Thread overview: 26+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2004-06-08  9:14 Is this firewall good enough? Sagara Wijetunga
2004-06-08  9:42 ` Feizhou
2004-06-08  9:57   ` Antony Stone
2004-06-08 15:03     ` Feizhou
2004-06-08 15:23       ` Antony Stone
2004-06-08 20:11         ` Feizhou
2004-06-09  9:48           ` Antony Stone
2004-06-09 10:03             ` Feizhou
2004-06-08 16:17       ` David Cannings
2004-06-08 20:14         ` Feizhou
2004-06-09  9:28           ` Jozsef Kadlecsik
2004-06-09  9:57             ` Feizhou
2004-06-09 11:05               ` Jozsef Kadlecsik
2004-06-09 13:18                 ` Feizhou
2004-06-09 13:23                 ` Feizhou
2004-06-09  8:36       ` Sagara Wijetunga
2004-06-08  9:44 ` Rob Sterenborg
2004-06-09  8:14   ` Sagara Wijetunga
2004-06-09  9:56     ` Rob Sterenborg
2004-06-09 15:12     ` Aleksandar Milivojevic [this message]
2004-06-09 15:15       ` Aleksandar Milivojevic
2004-06-11 14:24         ` Sagara Wijetunga
2004-06-08  9:55 ` Antony Stone
2004-06-08 12:38 ` Chris Brenton
2004-06-09  7:32   ` Sagara Wijetunga
2004-06-09 13:47     ` Chris Brenton

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=40C728C3.8080406@pbl.ca \
    --to=amilivojevic@pbl.ca \
    --cc=netfilter@lists.netfilter.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.