Linux Netfilter discussions
From: Mart Frauenlob <mart.frauenlob@chello.at>
To: netfilter@vger.kernel.org
Cc: NICHOLAS KLINE <nkline@kent.edu>
Subject: Re: Firewall Rules Help
Date: Sat, 22 Aug 2009 13:42:31 +0200	[thread overview]
Message-ID: <4A8FD9A7.3090600@chello.at> (raw)
In-Reply-To: <4399fd970908210841j1213b83di98e4ea3d53d1082f@mail.gmail.com>

NICHOLAS KLINE wrote:
> Hi,
>
> Thanks to everyone who constructively critiqued my previous firewall
> rules and provided advice. After reading through all of the feedback,
> I revised my firewall rules. I would appreciate it if you would please
> critique them again.
>
> The situation remains the same:
> - laptop running desktop version of Ubuntu 8.x
> - laptop will be used on either a private LAN or public network
> - laptop will switch between wired and wireless network
> - no server services will be running (HTTPD, FTP, etc.)
>
> Remaining Questions:
> 1.) If I change from wired to wireless, will these rules still apply?
>   

Of course they will apply; the question is whether they work as you want 
;-).
But from my point of view they should fulfill your described goal, as 
you do not use IP addresses or interfaces (which could change) in your 
ruleset.
>
> Revised Firewall Rules
> -----------------------------
>
> # Establish some variables:
>
> # Location of IPTABLES on your system
> IPTABLES="/sbin/iptables"
>
>
> # SETUP:
>
> # Flush active rules and custom tables
> $IPTABLES --flush
> $IPTABLES -t nat --flush
> $IPTABLES -t mangle --flush
>
> $IPTABLES --delete-chain
> $IPTABLES -t nat --delete-chain
> $IPTABLES -t mangle --delete-chain
>
> # Give free rein to the loopback interfaces, i.e. local processes may connect
> # to other processes' listening-ports.
> $IPTABLES -A INPUT  -i lo -j ACCEPT
> $IPTABLES -A OUTPUT -o lo -j ACCEPT
>   
This output rule is not needed, as the policy will allow.
> # Set default policies for all chains.
> # User-defined chains cannot be assigned default policies.
> # NAT and mangle tables use default ACCEPT policies.
> # DROP in nat table is prohibited in newer iptables.
> # DROP in mangle table creates hassle.
> $IPTABLES -P INPUT DROP
> $IPTABLES -P FORWARD DROP
> $IPTABLES -P OUTPUT ACCEPT
>
>
> # INBOUND POLICY:
>
> # Accept inbound packets that are part of previously-OK'ed sessions
> $IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> # Log and drop anything not accepted above
> $IPTABLES -A INPUT -j LOG --log-prefix "Dropped by default (INPUT):"
>
>
> # OUTBOUND POLICY:
> # Allow all outbound traffic.
>
>
> # Log & drop ALL incoming packets destined anywhere but here.
> $IPTABLES -A FORWARD -j LOG --log-prefix "Attempted FORWARD? Dropped by default:"
>
> --- End of rules ---
>   

Your logs will eventually grow fast; think of using the 'limit' 
extension for logging.

Greets

Mart
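The rate-limited logging Mart suggests, as an added example that is not part of either message: the posted LOG rules rebuilt with the 'limit' match, wrapped in a function that also rejects a --log-prefix longer than the 29 characters the LOG target accepts (the FORWARD prefix in the quoted script is longer than that; the shortened wording below is an assumption). IPTABLES=echo dry-runs it; --apply touches the live firewall.

```shell
#!/bin/sh
# Added example (not part of the original thread): the posted LOG rules,
# rebuilt with the 'limit' match Mart suggests, plus a check that each
# --log-prefix fits the 29-character maximum the LOG target enforces.
# IPTABLES is read when the functions run; set IPTABLES=echo to dry-run.
IPTABLES="${IPTABLES:-/sbin/iptables}"
MAX_PREFIX=29            # LOG target: prefix "up to 29 letters long"

# Emit a LOG rule for CHAIN with PREFIX, rate-limited to 5 matches per
# minute (burst 10). Returns 1 without calling iptables if PREFIX is too long.
log_rule() {
    chain="$1"; prefix="$2"
    if [ "${#prefix}" -gt "$MAX_PREFIX" ]; then
        echo "log_rule: prefix '$prefix' exceeds $MAX_PREFIX chars" >&2
        return 1
    fi
    "$IPTABLES" -A "$chain" -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "$prefix"
}

# The revised ruleset with the limited LOG rules; unmatched INPUT and
# FORWARD packets still fall through to the DROP policies.
apply_rules() {
    "$IPTABLES" --flush
    "$IPTABLES" -t nat --flush
    "$IPTABLES" -t mangle --flush
    "$IPTABLES" --delete-chain
    "$IPTABLES" -t nat --delete-chain
    "$IPTABLES" -t mangle --delete-chain
    "$IPTABLES" -P INPUT DROP
    "$IPTABLES" -P FORWARD DROP
    "$IPTABLES" -P OUTPUT ACCEPT
    "$IPTABLES" -A INPUT -i lo -j ACCEPT
    "$IPTABLES" -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    # Shortened FORWARD prefix (assumed wording) so both fit the 29-char limit.
    log_rule INPUT "Dropped by default (INPUT):"
    log_rule FORWARD "Dropped FORWARD:"
}

# Only touch the live firewall when explicitly asked.
if [ "${1:-}" = "--apply" ]; then
    apply_rules
fi
```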
