* RE: please advise on this rule
@ 2003-08-12 18:51 Daniel Chemko
2003-08-14 6:47 ` Payal Rathod
0 siblings, 1 reply; 4+ messages in thread
From: Daniel Chemko @ 2003-08-12 18:51 UTC (permalink / raw)
To: Payal Rathod, netfilter
Source field doesn't matter since traffic destined for the internal
(private) network will only pass through that chain if you define DNAT
rules for them.
The port 80 rule seems ok, but trusting something like that where a user
can change their IP's or use different port numbers, it is pretty light
security for anyone who knows what they are doing.
-----Original Message-----
From: Payal Rathod [mailto:payal-iptables@staticky.com]
Sent: Wednesday, August 13, 2003 11:25 AM
To: netfilter@lists.netfilter.org
Subject: please advise on this rule
Hi,
Does this FORWARD chain look ok in a simple NAT network where the Linux
box is connected to the net.
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED
REJECT tcp -- 192.168.10.1 0.0.0.0/0 tcp dpt:80
reject-with icmp-port-unreachable
Is source 0/0 OK? Should be be 192.168.10.0/24 ?
Will the third rule block outgoing connection from 192.168.10.1 to any
server at port 80?
Thanks a lot and eagerly waiting for the reply.
With warm regards,
-Payal
--
"Visit GNU/Linux Success Stories"
http://payal.staticky.com
Guest-Book Section Updated.
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: please advise on this rule
2003-08-12 18:51 please advise on this rule Daniel Chemko
@ 2003-08-14 6:47 ` Payal Rathod
0 siblings, 0 replies; 4+ messages in thread
From: Payal Rathod @ 2003-08-14 6:47 UTC (permalink / raw)
To: Daniel Chemko; +Cc: netfilter
On Tue, Aug 12, 2003 at 11:51:42AM -0700, Daniel Chemko wrote:
> Source field doesn't matter since traffic destined for the internal
> (private) network will only pass through that chain if you define DNAT
> rules for them.
oh! ok.
> The port 80 rule seems ok, but trusting something like that where a user
> can change their IP's or use different port numbers, it is pretty light
> security for anyone who knows what they are doing.
Yes agreed. But I am counting on the users not knowing how to change the
ips :)
(Yes this is possible in my company).
Thanks and bye.
With warm regards,
-Payal
--
"Visit GNU/Linux Success Stories"
http://payal.staticky.com
Guest-Book Section Updated.
^ permalink raw reply [flat|nested] 4+ messages in thread
* please advise on this rule
@ 2003-08-13 18:24 Payal Rathod
2003-08-13 7:26 ` Ralf Spenneberg
0 siblings, 1 reply; 4+ messages in thread
From: Payal Rathod @ 2003-08-13 18:24 UTC (permalink / raw)
To: netfilter
Hi,
Does this FORWARD chain look ok in a simple NAT network where the Linux
box is connected to the net.
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED
REJECT tcp -- 192.168.10.1 0.0.0.0/0 tcp dpt:80
reject-with icmp-port-unreachable
Is source 0/0 OK? Should be be 192.168.10.0/24 ?
Will the third rule block outgoing connection from 192.168.10.1 to any
server at port 80?
Thanks a lot and eagerly waiting for the reply.
With warm regards,
-Payal
--
"Visit GNU/Linux Success Stories"
http://payal.staticky.com
Guest-Book Section Updated.
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: please advise on this rule
2003-08-13 18:24 Payal Rathod
@ 2003-08-13 7:26 ` Ralf Spenneberg
0 siblings, 0 replies; 4+ messages in thread
From: Ralf Spenneberg @ 2003-08-13 7:26 UTC (permalink / raw)
To: Payal Rathod; +Cc: Netfilter
Am Mit, 2003-08-13 um 20.24 schrieb Payal Rathod:
> Does this FORWARD chain look ok in a simple NAT network where the Linux
> box is connected to the net.
What's "ok" in your opinion?
>
> Chain FORWARD (policy DROP)
> target prot opt source destination
> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state
> RELATED,ESTABLISHED
> REJECT tcp -- 192.168.10.1 0.0.0.0/0 tcp dpt:80
> reject-with icmp-port-unreachable
>
Well, it looks fine. 3 rules loaded although I am missing a little bit
of detail here. Do an iptables -vnL FORWARD.
>
> Is source 0/0 OK? Should be be 192.168.10.0/24 ?
Source 0/0 is ok. If you want to prevent IP-Spoofing you can use
192.168.10.0/24
> Will the third rule block outgoing connection from 192.168.10.1 to any
> server at port 80?
Yes the third rule will block this traffic, but ...
Since some detail is missing I cannot determine what the first rule
does. Is this just loopback traffic (lo)?. If the first rule does not
specify an interface it will allow all traffic.
If it does specify the lo interface you are still missing a rule
allowing NEW connections, like
iptables -A FORWARD -s 192.168.10.0/24 -m state --state NEW -j ACCEPT
Cheers,
Ralf
--
Ralf Spenneberg
RHCE, RHCX
Book: Intrusion Detection für Linux Server http://www.spenneberg.com
IPsec-Howto http://www.ipsec-howto.org
Honeynet Project Mirror: http://honeynet.spenneberg.org
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2003-08-14 6:47 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2003-08-12 18:51 please advise on this rule Daniel Chemko
2003-08-14 6:47 ` Payal Rathod
-- strict thread matches above, loose matches on Subject: below --
2003-08-13 18:24 Payal Rathod
2003-08-13 7:26 ` Ralf Spenneberg
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox