Joel: Thanks so much; very helpful.. On Mon, Jun 16, 2003 at 07:21:13PM -0400, Joel Newkirk wrote: > On Mon, 2003-06-16 at 12:11, John Sage wrote: > > hmm.. iptables itself isn't starting slowly, I'm slowly starting to > > implement iptables. > > > > I'm (finally..) migrating from ipchains, and would appreciate some > > comment on my overall approach. > > Keep in mind that FORWARD traffic goes only through the FORWARD filter > chain, never INPUT or OUTPUT. Those two are strictly for the iptables > box itself. (#1 confusion source it seems for ipchains emigrees) Yes. Took me a few minutes to get my head around that. I've set rules that cover all interfaces, and end with a blanket ACCEPT, and that's made it a little clearer to understand: Chain INPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source 5535 541K ACCEPT all -- eth0 any anywhere 940 151K check all -- ppp0 any anywhere 2198 209K ACCEPT all -- lo any anywhere 0 0 check all -- any any anywhere Chain FORWARD (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source 3437 197K ACCEPT all -- eth0 any anywhere 2822 1127K check all -- ppp0 any anywhere 0 0 ACCEPT all -- any any anywhere Chain OUTPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source 4999 1254K ACCEPT all -- any eth0 anywhere 718 51403 ACCEPT all -- any ppp0 anywhere 2198 209K ACCEPT all -- any lo anywhere 0 0 ACCEPT all -- any any anywhere <snip> > > 1) I'm writing a minimal set of rules to account for every packet within > > a specific chain, and not let any fall through to the default policy > > -- which at the moment is ACCEPT -- after I'm certain there aren't any > > packets dropping through to the policies, the default policies will > > become DROP. > > > > Good idea? Bad idea? > > Not necessarily bad, but cautious is always safer. If you log > everything as the last rule in the chain, then the DROP policy takes > effect, So a LOG at the end performs a DROP, without an explicit DROP statement following? Oh. If the _policy's_ DROP, eh? > you may have communications problems occasionally, but a quick > look at the log will usually tell you what was dropped, so you can craft > a rule to deal with it. BTW, policy is an attribute of the chain > itself, not a rule at the end. just: > > iptables -P FORWARD DROP > > > # OUTPUT: > > /sbin/iptables -t filter -A OUTPUT \ > > -o lo -j ACCEPT > > /sbin/iptables -t filter -A OUTPUT \ > > -o eth0 -j ACCEPT > > /sbin/iptables -t filter -A OUTPUT \ > > -o ppp0 -j ACCEPT > > > Well, this pretty much lets anything out from the firewall box itself... Yeah, for the moment that's OK.. > > 2) Is a default DROP rule (a rule that will catch any/everthing) > > irrelevant on the FORWARD chain? > > Far from it - most people treat a DROP rule on FORWARD and INPUT chains > as the basic starting point. Set a DROP policy on INPUT and FORWARD and > then add rules to ACCEPT the desired traffic - INPUT for traffic to the > firewall box, FORWARD for traffic from/to the machines behind it. > OUTPUT is less of a concern to most people, but for myself I've set a > DROP policy there as well, and set up a dozen or so rules for the > connections that the firewall itself needs to initiate. > > 3) Can someone point me to a quick lesson on logging? At the moment > > I've got the following: > > http://iptables-tutorial.frozentux.net is the best tutorial around on > iptables. The quick and dirty: Yup. It's excellent. > iptables -A FORWARD -i eth0 -j LOG --log-prefix "FORWARDLogs:" > > The log prefix is any string you want (within reason) and helps you find > the log entries from a particular LOG rule with grep, among other uses. <snip> > First suggestion - DROP policy on INPUT and FORWARD. Got it.. > Second suggestion: > > iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT > iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT > > these two rules will allow replies and related traffic (like FTP data > related to FTP control). I go right to this via a -j check: # chain check: /sbin/iptables -t filter -N check # chain check: ACCEPT's /sbin/iptables -t filter -A check \ -m state --state ESTABLISHED,RELATED -j ACCEPT : # chain INPUT: /sbin/iptables -t filter -A INPUT \ -i ppp0 -j check : # chain FORWARD: /sbin/iptables -t filter -A FORWARD \ -i ppp0 -j check Thanks again.. - John -- "Obviously, we do not want to leave zombies around."