From: Mart Frauenlob <mart.frauenlob@chello.at>
To: netfilter@vger.kernel.org
Cc: NICHOLAS KLINE <nkline@kent.edu>
Subject: Re: Firewall Rules Help
Date: Sat, 22 Aug 2009 13:42:31 +0200
Message-ID: <4A8FD9A7.3090600@chello.at>
In-Reply-To: <4399fd970908210841j1213b83di98e4ea3d53d1082f@mail.gmail.com>
NICHOLAS KLINE wrote:
> Hi,
>
> Thanks to everyone who constructively critiqued my previous firewall
> rules and provided advice. After reading through all of the feedback,
> I revised my firewall rules. I would appreciate it if you would please
> critique them again.
>
> The situation remains the same:
> - laptop running desktop version of Ubuntu 8.x
> - laptop will be used on either a private LAN or public network
> - laptop will switch between wired and wireless network
> - no server services will be running (HTTPD, FTP, etc.)
>
> Remaining Questions:
> 1.) If I change from wired to wireless, will these rules still apply?
>
Of course they will apply; the question is whether they work as you want
;-).
But from my point of view they should fulfill your described goal, as
you do not use IP addresses or interfaces (which could change) in your
ruleset.
>
> Revised Firewall Rules
> -----------------------------
>
> # Establish some variables:
>
> # Location of IPTABLES on your system
> IPTABLES="/sbin/iptables"
>
>
> # SETUP:
>
> # Flush active rules and custom tables
> $IPTABLES --flush
> $IPTABLES -t nat --flush
> $IPTABLES -t mangle --flush
>
> $IPTABLES --delete-chain
> $IPTABLES -t nat --delete-chain
> $IPTABLES -t mangle --delete-chain
>
> # Give free reign to the loopback interfaces, i.e. local processes may connect
> # to other processes' listening-ports.
> $IPTABLES -A INPUT -i lo -j ACCEPT
> $IPTABLES -A OUTPUT -o lo -j ACCEPT
>
This output rule is not needed, as the policy will allow it.
> # Set default policies for all chains.
> # User-defined chains cannot be assigned default policies.
> # NAT and mangle tables use default ACCEPT policies.
> # DROP in nat table is prohibited in newer iptables.
> # DROP in mangle table creates hassle.
> $IPTABLES -P INPUT DROP
> $IPTABLES -P FORWARD DROP
> $IPTABLES -P OUTPUT ACCEPT
>
>
> # INBOUND POLICY:
>
> # Accept inbound packets that are part of previously-OK'ed sessions
> $IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> # Log and drop anything not accepted above
> $IPTABLES -A INPUT -j LOG --log-prefix "Dropped by default (INPUT):"
>
>
> # OUTBOUND POLICY:
> # Allow all outbound traffic.
>
>
> # Log & drop ALL incoming packets destined anywhere but here.
> $IPTABLES -A FORWARD -j LOG --log-prefix "FORWARD dropped by default:"
>
> --- End of rules ---
>
Your logs will eventually grow fast; think of using the 'limit'
extension for logging.
Greets
Mart
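As an added example (not from either poster's mail), this is how the logging tail of the posted script could be written with the 'limit' match Mart recommends, plus a check that a --log-prefix fits the 29-character limit iptables enforces. The ipt() wrapper and DRY_RUN variable are assumptions made for this example so the script can be exercised without root or iptables.

```shell
#!/bin/sh
# Added example: rate-limited logging for the ruleset above, plus a check
# that LOG prefixes fit the 29-character iptables limit. Set DRY_RUN=1 to
# print the commands instead of running them (no root or iptables needed).
IPTABLES="${IPTABLES:-/sbin/iptables}"

# iptables rejects --log-prefix values longer than 29 characters,
# so fail early instead of letting the rule load abort half-way.
log_prefix_ok() {
    [ "${#1}" -le 29 ]
}

# Run, or in dry-run mode echo, an iptables command (example helper).
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

# Log at most 5 packets/minute (burst 10) in the given chain, then DROP
# explicitly rather than relying on the chain policy alone.
log_and_drop() {
    chain="$1"
    prefix="$2"
    if ! log_prefix_ok "$prefix"; then
        echo "log prefix too long (>29 chars): $prefix" >&2
        return 1
    fi
    ipt -A "$chain" -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "$prefix"
    ipt -A "$chain" -j DROP
}

# Usage, mirroring the INPUT and FORWARD tails of the posted script:
# log_and_drop INPUT   "Dropped by default (INPUT):"
# log_and_drop FORWARD "FORWARD dropped by default:"
```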
Thread overview:
2009-08-21 15:41 Firewall Rules Help  NICHOLAS KLINE
2009-08-22 11:42 ` Mart Frauenlob [this message]