Re: Firewalll script

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



system@eluminoustechnologies.com wrote:
Hi All,

Following is the policy that my firewall generation script gives, but my system hangs when i execute this, I am using ssh to execute this script. My aim is very simple to close all unused ports. My entire scripts goes like this. Can you please help me in correcting the script.
Your ssh connection hangs because you close off communication to port 22. The lines:
> echo "Allow SSH(22/tcp)"
> $IPTABLES -A INPUT -p tcp --sport 22 -j ACCEPT
> $IPTABLES -A OUTPUT -p tcp --dport 22 -j ACCEPT
Are wrong, as you want to match the destination port on input and sport on output.

In general, it is not considered offensive to have and
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
which will also make the rules alot simpler. For starters, I would even recomment that you allow all outgoing packets.

The lines:
> echo "Disabling IP Spoofing attacks"
> echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter
Are somewhat incorrect. It should be '1' and not '2'. I have seen many scripts and tutorials with this misconseption of what to set where, but in the kernel source says 0|1.

> echo "Logging martians (packets with impossible addresses)"
> echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
This is incorrect. The setting determines if packets violating RFC1122 should be logged or not. Setting this to '1', disables logging.

Hope it helps.

Regards
Anders Fugmann

--
Author of FIAIF.
FIAIF is an intelligent firewall
http://fiaif.fugmann.dhs.org




[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux