On Sunday 25 May 2008 20:50, Fajar Priyanto wrote: > On Saturday 24 May 2008 21:55:57 Robert Spangler wrote: > First of all, thank you Robert for pointing some points. For the sake of > discussion, may I say something too? Certainly. > > Since you believe that he wants a very strict firewall why are you > > setting the default policy's to ACCEPT? Security 101, strict firewall > > drops everything from the start. Then you open the access you require, > > not the other way around. > > This is my mistake I think. It's because I was assuming the setting of the > firewall is done from another machine (ssh). Those rules are to prevent > unaware lockout. It doesn't matter if you are trying to prevent unwanted lockout or not. Once the rules are loaded they are set. If they are set so that another machine (ssh) is not to have access then it will not have access. > > > #Allowing needed ports: > > > iptables -A INPUT -i eth0 -m multiport -p udp --dport > > > 5060,10000:60000 -s ipthatyouwantallow -j ACCEPT > > > iptables -A INPUT -i eth1 -m multiport -p udp --dport > > > 53,80,5060,10000:60000 -j ACCEPT > > > iptables -A OUTPUT -m multiport -p udp --dport 53 -j ACCEPT > > > iptables -A FORWARD -m multiport -p udp --dport 53,5060,10000:60000 > > > -s ipthatyouallow -j ACCEPT > > > iptables -A FORWARD -m multiport -p tcp --dport 80 -j ACCEPT > > > > First question you need to ask yourself is there any hosting services on > > this box that will require a connection form the WAN side. If not then > > you should change your input statements to allow only the LAN. You do > > not require the INPUT statements for packets that pass through the box > > as the FORWARD will handle all traffic passing through. > > The OP said that it's an Asterisk box. So it surely needs some open ports, > doesn't it? I really don't know. I do not know this setup. If it does then I would look into using an old 486 or Pentium for a firewall and setting this box up to be in a DMZ. > > Second question is if you are using ESTABLISHED,RELATED why are you not > > using NEW in the above rules? > > It depends on the context and level of details needed. Pls CMIIW, if we > allow NEW in the above rules, then ALL traffic will be matched, and thus > rendering all subsequent rules useless. Again pls CMIIW :) With IPTABLES once a rule matches and is accepted it stops processing the packet and sends it on it's way. NEW does not stop IPTABLES from processing the packet as it is supposed to, it just applies the rule if the packet is new. This is why you place ESTABLISHED,RELATED at the top of your rule sets and use the NEW statement in your rules. Let us take a look at the following rules set for an example. This could be applied to a web server in a DMZ. iptables INPUT -p DROP iptables OUTPUT -p DROP iptables FORWARD -p DROP iptables INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables INPUT -i eth0 -p tcp --dport 80 -m state --state NEW -j ACCEPT iptables INPUT -i eth0 -j DROP **(I always place this statement)** iptables OUTPUT -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT iptables OUTPUT -o eth1 -j DROP **(I always place this statement) ** First an explanation. This rules set allows connections to a web server but does not allow the web server to start it's own connections. It is used to block an affected web server from infecting other systems. On the OUTPUT rule set if you place a LOGing rule you would then see when the server was affected and just how much traffic it tries to push. As a packet enters the firewall for port 80 and checks it against it's rule set. The first rule it comes to is ESTABLISHED,RELATED. Since there is nothing in the conntrack table for an entry. Since none are there it sends the packet on it's way. The next rule is for port 80. The packet is compared to this rule to see if it matches. It also checks the conntrack table to see if it is there. since it is not it is considered a NEW connection so the rule say it is a match. It adds the information needed to the conntrack table and ACCPEPTs the packet. Processing finished. Now the next packet enters the firewall and it is first checked by the ESTABLISHED,RELATED rule. Since this packet comes from the same source and there is an entry in the conntrack table for this source the rule matches and the packet is allowed to pass. Processing is finished. This continues all the time. Every packet is checked against the ESTABLISHED,RELATED rule and if the source is listed for that port then the firewall allows it through without further processing. This is done to speed up the firewall. Every rule has to be processed until one is matched as ACCEPT. This requires processing power. The less the system has to process a packet the faster it becomes. Now lets say you don't use the NEW as in your rules set. Now every packet has to traverse the rule set each time because there is no NEW rule to add it to the conntracking table. Now lets say that you have a couple hundred rules in your firewall. Now the packet has to traverse the entire rule set everything it comes in. This will slow down your firewall. This type of firewall is known as CONNECTIONLESS. meaning it doesn't care if the packet was seen before or not, it must traverse the chain. I hope this has given you a better understanding of how IPTABLES works. > > Third question is have you enables connection tracking? If you are > > using ESTABLISHED,RELATED then the system needs a way to keep track of > > the connection. > > I believe Centos has them enabled and it will automatically loaded when > the rules are fired up. Pls CMIIW. It load the conntracking table but there are more. This was just to get you thinking. > > If you want a 100% secure firewall then you will not allow any INPUT. > > All modification would have to be done from the box using a keyboard. > > If this is not an option then you can allow access from a trusted IP > > only and setup other security options. > > Yes, this is my mistake assuming wrongly. Worth noted for the OP and > everyone. > > > > #For masquerading: > > > iptables -t nat -A POSTROUTING -o eth0 -d ! 192.168.0.0/24 -j > > > MASQUERADE > > > > If the WAN port is connected directly to the Internet then you should > > MASQ all out going traffic and anything that is heading to > > 192.168.0.0/24 should be dropped. > > You mean it should be: > iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE ? Correct. If you are not MASQ all traffic that leave this interface and it leave with 192.168.0.0/24 then the machine on the Internet will not know how to get back to your network. 192.168.0.0/24 is not routed on the Internet. > > > #Finally dropping all other traffic (positive list firewall): > > > iptables -P INPUT DROP > > > iptables -P OUTPUT DROP > > > iptables -P FORWARD DROP > > > > This should be at the top for the firewall not the ACCEPT you have there > > now. > > > > For your reading enjoyment. > > http://iptables.rlworkman.net/chunkyhtml/index.html > > Yes, the Oscar's tutorial seems to be the most popular one. Yes there is a lot of good information in there. I hope I was able to help you with your quest. -- Regards Robert Smile... it increases your face value! Linux User #296285 http://counter.li.org _______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx http://lists.centos.org/mailman/listinfo/centos