Linux Netfilter discussions
* Configuration question for my first iptables setup
@ 2007-07-02 19:12 Reid
  2007-07-04 11:04 ` Gáspár Lajos
  0 siblings, 1 reply; 2+ messages in thread
From: Reid @ 2007-07-02 19:12 UTC (permalink / raw)
  To: netfilter


I am brand new to iptables, and I want to set up a basic firewall for a dedicated web server. I'm
accessing the server remotely, and already locked myself out once.

I've come up with the configuration below, but feel like I don't know what I'm doing. Does the
following look reasonable? Am I overlooking anything major? Thank you for your input.


> iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere            tcp flags:ACK/ACK 
ACCEPT     all  --  anywhere             anywhere            state ESTABLISHED 
ACCEPT     all  --  anywhere             anywhere            state RELATED 
ACCEPT     udp  --  anywhere             anywhere            udp spt:domain dpts:1024:65535 
ACCEPT     icmp --  anywhere             anywhere            icmp echo-reply 
ACCEPT     icmp --  anywhere             anywhere            icmp destination-unreachable 
ACCEPT     icmp --  anywhere             anywhere            icmp source-quench 
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded 
ACCEPT     icmp --  anywhere             anywhere            icmp parameter-problem 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:www 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:auth 
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:10000 
DROP       tcp  --  anywhere             anywhere            tcp dpts:2049:2050 
DROP       tcp  --  anywhere             anywhere            tcp dpts:x11:6063 
DROP       tcp  --  anywhere             anywhere            tcp dpts:afs3-fileserver:7010 
DROP       all  --  anywhere             anywhere            

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
>
 



* Re: Configuration question for my first iptables setup
  2007-07-02 19:12 Configuration question for my first iptables setup Reid
@ 2007-07-04 11:04 ` Gáspár Lajos
  0 siblings, 0 replies; 2+ messages in thread
From: Gáspár Lajos @ 2007-07-04 11:04 UTC (permalink / raw)
  To: Reid; +Cc: netfilter

Reid wrote:
> I am brand new to iptables, and I want to set up a basic firewall for a dedicated web server. I'm
> accessing the server remotely, and already locked myself out once.
>
> I've come up with the configuration below, but feel like I don't know what I'm doing. Does the
> following look reasonable? Am I overlooking anything major? Thank you for your input.
>
Nope.. This is NOT reasonable...
You have set the first rule in your INPUT chain to ACCEPT everything
from anywhere... :D
The following rules will never get hit!!!

Try the "iptables -vnL" command to see it!!!

The last rule is also "useless" because your DEFAULT POLICY is DROP.

On the other hand, without those two rules it seems ok... (Depending on
what you want to achieve...) :D

Just to guide you:
1. I would enable the lo interface to ACCEPT everything...
2. Accept anything that is ESTABLISHED or RELATED
3. I would group the rules depending on the protocol...

Swifty
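
A static check for the two problems the reply points out, added here as an example and not part of the thread: it reads plain "iptables -L" output (without -v; "anywhere" or, with -n, "0.0.0.0/0") and reports every rule that an earlier unconditional ACCEPT/DROP/REJECT makes unreachable, plus a final unconditional rule that only repeats the chain policy. check_chain and sample_listing are assumed names, and the listing is an abbreviated copy of the INPUT chain posted above.

```shell
#!/bin/sh
# Audit an "iptables -L" listing for rules that can never match and for a
# trailing rule that duplicates the chain policy. Added example, not from
# the thread. Assumes plain -L or -nL output (no -v packet/byte columns).
check_chain() {
    awk '
    function finish() {
        if (chain != "" && redundant)
            printf "%s: final unconditional %s repeats the chain policy\n", chain, policy
    }
    # "Chain INPUT (policy DROP)": close the previous chain, start a new one
    /^Chain / { finish(); chain = $2; policy = $4; sub(/\)$/, "", policy)
                shadow = 0; n = 0; redundant = 0; next }
    /^target / || NF == 0 { next }
    {
        n++
        # NF == 5 means: target prot opt source destination, no match columns
        any = ($4 == "anywhere" || $4 == "0.0.0.0/0") && ($5 == "anywhere" || $5 == "0.0.0.0/0")
        uncond = (NF == 5 && $2 == "all" && any)
        if (shadow)
            printf "%s: rule %d (%s) is unreachable, shadowed by rule %d\n", chain, n, $1, shadow
        else if (uncond && ($1 == "ACCEPT" || $1 == "DROP" || $1 == "REJECT"))
            shadow = n
        # remember whether the most recent rule just restates the policy
        redundant = (uncond && $1 == policy)
    }
    END { finish() }'
}

# Abbreviated copy of the posted INPUT chain (constructed sample for the check)
sample_listing() {
    cat <<'EOF'
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            tcp flags:ACK/ACK
ACCEPT     all  --  anywhere             anywhere            state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
EOF
}

sample_listing | check_chain
```

On the full posted chain the same check reports rules 2 through 20 as unreachable; "iptables -vnL" shows the same thing dynamically as zero packet counters on every rule after the first.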




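
The reply's three points applied to the posted ruleset, as an added example that is not from the thread: loopback first, ESTABLISHED/RELATED next, then new connections grouped by protocol, with the policy reopened during the rebuild so a remote session is not cut off. IPT, DRY_RUN, ipt and build_input_rules are assumed names; with DRY_RUN=1 (the default) the commands are printed rather than executed.

```shell
#!/bin/sh
# Rebuild the INPUT chain from the post along the reply's three points.
# The shadowing "ACCEPT all" and the trailing "DROP all" are left out, as
# are the explicit DROPs for 2049:2050, X11 and AFS: a DROP policy already
# handles everything unmatched. Added example, not from the thread.
IPT=${IPT:-iptables}
DRY_RUN=${DRY_RUN:-1}   # 1 = print the commands, 0 = run them (needs root)

ipt() {
    if [ "$DRY_RUN" = 1 ]; then echo "$IPT $*"; else "$IPT" "$@"; fi
}

build_input_rules() {
    # Open the policy before flushing so a remote session survives the
    # rebuild; the DROP policy goes back on as the last step.
    ipt -P INPUT ACCEPT
    ipt -F INPUT

    # 1. Everything on the loopback interface
    ipt -A INPUT -i lo -j ACCEPT

    # 2. Replies to connections this host opened, plus related traffic.
    #    Conntrack covers what the original ACK-flag rule and the
    #    "udp spt:domain" rule were letting back in.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 3a. TCP: the services the original list accepted, as NEW connections
    #     (80/www, 443/https, 22/ssh, 113/auth, 10000)
    for port in 80 443 22 113 10000; do
        ipt -A INPUT -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done

    # 3b. ICMP: the error types in the original list arrive as RELATED to
    #     a tracked connection and are accepted above; only echo-request
    #     needs its own rule
    ipt -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

    # 3c. Anything else falls through to the policy
    ipt -P INPUT DROP
}

build_input_rules
```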