Re: IP Tables: starting slowly..

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Joel:

Thanks so much; very helpful..

On Mon, Jun 16, 2003 at 07:21:13PM -0400, Joel Newkirk wrote:
> On Mon, 2003-06-16 at 12:11, John Sage wrote:
> > hmm..  iptables itself isn't starting slowly, I'm slowly starting to
> > implement iptables.
> > 
> > I'm (finally..) migrating from ipchains, and would appreciate some
> > comment on my overall approach.
> 
> Keep in mind that FORWARD traffic goes only through the FORWARD filter
> chain, never INPUT or OUTPUT.  Those two are strictly for the iptables
> box itself.  (#1 confusion source it seems for ipchains emigrees)

Yes. Took me a few minutes to get my head around that.

I've set rules that cover all interfaces, and end with a blanket
ACCEPT, and that's made it a little clearer to understand:

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source
 5535  541K ACCEPT     all  --  eth0   any     anywhere
  940  151K check      all  --  ppp0   any     anywhere
 2198  209K ACCEPT     all  --  lo     any     anywhere
    0     0 check      all  --  any    any     anywhere

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source
 3437  197K ACCEPT     all  --  eth0   any     anywhere
 2822 1127K check      all  --  ppp0   any     anywhere
    0     0 ACCEPT     all  --  any    any     anywhere

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source
 4999 1254K ACCEPT     all  --  any    eth0    anywhere
  718 51403 ACCEPT     all  --  any    ppp0    anywhere
 2198  209K ACCEPT     all  --  any    lo      anywhere
    0     0 ACCEPT     all  --  any    any     anywhere
<snip>


> > 1) I'm writing a minimal set of rules to account for every packet within
> > a specific chain, and not let any fall through to the default policy
> > -- which at the moment is ACCEPT -- after I'm certain there aren't any
> > packets dropping through to the policies, the default policies will
> > become DROP.
> > 
> > Good idea? Bad idea?
> 
> Not necessarily bad, but cautious is always safer.  If you log
> everything as the last rule in the chain, then the DROP policy takes
> effect,

So a LOG at the end performs a DROP, without an explicit DROP
statement following?

Oh. If the _policy's_ DROP, eh?

> you may have communications problems occasionally, but a quick
> look at the log will usually tell you what was dropped, so you can craft
> a rule to deal with it.  BTW, policy is an attribute of the chain
> itself, not a rule at the end. just:
> 
> iptables -P FORWARD DROP
> 
> > # OUTPUT:
> > /sbin/iptables -t filter -A OUTPUT \
> >  -o lo -j ACCEPT
> > /sbin/iptables -t filter -A OUTPUT \
> >  -o eth0 -j ACCEPT
> > /sbin/iptables -t filter -A OUTPUT \
> >  -o ppp0 -j ACCEPT
> 
> 
> Well, this pretty much lets anything out from the firewall box itself...

Yeah, for the moment that's OK..


> > 2) Is a default DROP rule (a rule that will catch any/everthing)
> > irrelevant on the FORWARD chain?
> 
> Far from it - most people treat a DROP rule on FORWARD and INPUT chains
> as the basic starting point.  Set a DROP policy on INPUT and FORWARD and
> then add rules to ACCEPT the desired traffic - INPUT for traffic to the
> firewall box, FORWARD for traffic from/to the machines behind it. 
> OUTPUT is less of a concern to most people, but for myself I've set a
> DROP policy there as well, and set up a dozen or so rules for the
> connections that the firewall itself needs to initiate.


> > 3) Can someone point me to a quick lesson on logging? At the moment
> > I've got the following:
> 
> http://iptables-tutorial.frozentux.net is the best tutorial around on
> iptables.  The quick and dirty:

Yup. It's excellent.

> iptables -A FORWARD -i eth0 -j LOG --log-prefix "FORWARDLogs:"
> 
> The log prefix is any string you want (within reason) and helps you find
> the log entries from a particular LOG rule with grep, among other uses. 

<snip>

> First suggestion - DROP policy on INPUT and FORWARD.

Got it..

> Second suggestion:
> 
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> 
> these two rules will allow replies and related traffic (like FTP data
> related to FTP control).

I go right to this via a -j check:

#  chain check:
/sbin/iptables -t filter -N check
# chain check: ACCEPT's
/sbin/iptables -t filter -A check \
  -m state --state ESTABLISHED,RELATED -j ACCEPT
:
#  chain INPUT:
/sbin/iptables -t filter -A INPUT \
  -i ppp0 -j check
:
#  chain FORWARD:
/sbin/iptables -t filter -A FORWARD \
  -i ppp0 -j check


Thanks again..


- John
-- 
"Obviously, we do not want to leave zombies around."


[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux