Bad Filter Set?

On Saturday 09 November 2002 4:43 pm, Dan Egli wrote:

> As Requested: Firewall Rule Set:

This is a *really* long (= complicated) firewall ruleset, given the 
requirements you posted earlier.

I really do recommend that you start from something simple and build it up 
gradually instead of starting out with something so difficult to debug as 
this.

There are a number of things in your script which I'd comment on:

> USERCHAINS=" EXT-input EXT-output \
> tcp-state-flags connection-tracking \
> source-address-check destination-address-check \
> local-dns-server-query remote-dns-server-responce \
> local-tcp-client-request remote-tcp-server-responce \
> remote-tcp-client-request local-tcp-server-responce \
> local-udp-client-request remote-udp-server-responce \
> remote-udp-client-responce \
> EXT-icmp-out EXT-icmp-in \
> EXT-log-in EXT-log-out \
> log-tcp-state "

Why on earth do you have so many user defined chains ?   Did you try putting 
rules into INPUT or FORWARD and get problems ?   Or do you just like having 
lots of chains with a rule pointing to each one ?

> # at this point we have a wide open firewall

Correct - don't you think that is a bad thing ?   It would be better to start 
with a closed firewall and slowly open it to allow traffic you want.   You 
should never have a "wide open firewall", even for a short time during 
startup.

> # default policy is reject packets
> /sbin/iptables -t nat --policy PREROUTING ACCEPT
> /sbin/iptables -t nat --policy OUTPUT ACCEPT
> /sbin/iptables -t nat --policy POSTROUTING ACCEPT
> /sbin/iptables -t mangle --policy PREROUTING ACCEPT
> /sbin/iptables -t mangle --policy OUTPUT ACCEPT

These rules do not do what the comment above them says.   Nowhere can I see 
that you have set a (recommended) default DROP policy on the filter tables in 
the INPUT and FORWARD chains.   The comment on the above rules might lull you 
into a false sense of security if you do not also read the rules and realise 
that they do not reject packets.

 
Finally, looking through your entire ruleset, I cannot see any references to 
the FORWARD chain, therefore you will not be allowing or filtering any 
packets through your firewall - which is what I think you wanted to do ?   
All the rules I can see are for INPUT and OUTPUT so they relate only to the 
firewall machine itself.
 

I really do recommend that you start with a simple ruleset which is 
sufficiently secure to plug into the Internet, and then build it up from 
there.

Try this:

# default drop policy into and through the firewall
iptables -P INPUT DROP
iptables -P FORWARD DROP

# allow established and related connections through
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# allow anything from internal net to Internet - can be tightened up later,
# but at least we only allow outbound stuff
iptables -A FORWARD -i eth0 -j ACCEPT

# masquerade all outbound packets so we get the replies back
iptables -A POSTROUTING -t nat -o eth1 -j SNAT --to 64.122.31.38

# allow packets to be routed through the machine
echo 1 >/proc/sys/net/ipv4/ip_forward
 

Antony.

-- 

If you want to be happy for an hour, get drunk.
If you want to be happy for a year, get married.
If you want to be happy for a lifetime, get a garden.
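An added example, not part of Antony's reply or the netfilter project: a small Python linter over `iptables-save` output that checks for the problems raised above (filter INPUT/FORWARD default policy not DROP, and no rules in FORWARD, so nothing is filtered through the box). The two dumps are constructed to resemble the posted script and the suggested replacement.

```python
import re
POLICY_RE = re.compile(r"^:(\S+)\s+(ACCEPT|DROP|-)\s")  # :CHAIN POLICY [pkts:bytes]
RULE_RE = re.compile(r"^-A\s+(\S+)")                     # -A CHAIN ...

def parse_dump(text):  # iptables-save text -> {table: {"policies": {...}, "rules": [...]}}
    tables, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):  # table header, e.g. *filter
            current = line[1:]
            tables[current] = {"policies": {}, "rules": []}
        elif current and (m := POLICY_RE.match(line)):
            tables[current]["policies"][m.group(1)] = m.group(2)
        elif current and (m := RULE_RE.match(line)):
            tables[current]["rules"].append((m.group(1), line))
    return tables

def lint(text):
    """Return findings for the problems raised in the thread; [] means clean."""
    filt = parse_dump(text).get("filter", {"policies": {}, "rules": []})
    findings = []
    for chain in ("INPUT", "FORWARD"):
        pol = filt["policies"].get(chain, "ACCEPT")  # kernel default is ACCEPT
        if pol != "DROP":
            findings.append(f"filter {chain} policy is {pol}, expected DROP")
    fwd = [r for chain, r in filt["rules"] if chain == "FORWARD"]
    if not fwd:
        findings.append("no FORWARD rules: nothing is filtered through the box")
    elif not any("ESTABLISHED,RELATED" in r for r in fwd):
        findings.append("FORWARD lacks an ESTABLISHED,RELATED accept rule")
    return findings

# Constructed dump in the shape of the posted script: ACCEPT policy set on nat only,
# filter chains left at the implicit ACCEPT default, nothing in FORWARD.
OPEN_DUMP = """*nat
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
COMMIT
"""
# Constructed dump of the simple ruleset suggested in the reply.
SIMPLE_DUMP = """*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -j ACCEPT
COMMIT
"""
```

Feed it the output of `iptables-save` from the box in question; `lint(OPEN_DUMP)` reports the three findings, `lint(SIMPLE_DUMP)` reports none.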
