Hi

OK, here is an update... I have added the results of iptables-save as is, without hacking anything off. ;-)

I have the firewall box that is running the following...

mail server on port 25
ssh server on port 22
webmin running port 10000 over SSL
443 web server on port 80
DNAT to another lan server running oracle web services on port 7783 = 7783 (from the web)
DNAT to another lan server running ssh services on port 22 = 555 (from the web)

My internal 192.168.100.0/255.255.255.0 is masqueraded for internet browsing and pretty much everything else. The firewall itself needs to do DNS lookups, browse the net and send SMTP traffic.

All that I require, stated above, is working. I want to know if the config is secure, where are the holes, what are the best practices. Also, I want to log suspicious behaviour, port scans, what gets dropped etc. I am stuck with that ;-(

This config is very much in TEST phase; I am on a quest to hone it, hoping to make it as robust as possible.

Thanks in advance for any advice...
# Generated by iptables-save v1.2.7a on Sun Apr 4 22:25:58 2004
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --sport 25 -j ACCEPT
-A INPUT -i ppp0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i ppp0 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -i ppp0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i ppp0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i ppp0 -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.100.0/255.255.255.0 -j ACCEPT
-A FORWARD -d 192.168.100.6 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -d 192.168.100.6 -p tcp -m tcp --dport 7783 -j ACCEPT
-A OUTPUT -s 127.0.0.1 -j ACCEPT
-A OUTPUT -o eth1 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 25 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 22 -j ACCEPT
-A OUTPUT -o ppp0 -p udp -m udp -m multiport --ports domain -j ACCEPT
-A OUTPUT -o ppp0 -p tcp -m tcp -m multiport --ports http -j ACCEPT
-A OUTPUT -o ppp0 -p tcp -m tcp -m multiport --ports smtp -j ACCEPT
-A OUTPUT -o ppp0 -p tcp -m tcp -m multiport --ports ndmp -j ACCEPT
COMMIT
# Completed on Sun Apr 4 22:25:58 2004
# Generated by iptables-save v1.2.7a on Sun Apr 4 22:25:58 2004
*mangle
:PREROUTING ACCEPT [1006:286916]
:INPUT ACCEPT [169:78179]
:FORWARD ACCEPT [834:208581]
:OUTPUT ACCEPT [171:64908]
:POSTROUTING ACCEPT [1005:273489]
COMMIT
# Completed on Sun Apr 4 22:25:58 2004
# Generated by iptables-save v1.2.7a on Sun Apr 4 22:25:58 2004
*nat
:PREROUTING ACCEPT [7:348]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 555 -j DNAT --to-destination 192.168.100.6:22
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 7783 -j DNAT --to-destination 192.168.100.6:7783
-A POSTROUTING -s 192.168.100.0/255.255.255.0 -o ppp0 -j MASQUERADE
COMMIT
# Completed on Sun Apr 4 22:25:58 2004

-----Original Message-----
From: netfilter-admin@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-admin@xxxxxxxxxxxxxxxxxxx] On Behalf Of Antony Stone
Sent: Sunday, April 04, 2004 7:56 PM
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Re: Is this config OK, plus where should I be logging...

On Sunday 04 April 2004 6:26 pm, Stuart Lamble wrote:

> Is this config OK, plus where should I be logging...

We need a bit more information in order to answer either of those questions.

Two things we need to know which you haven't said are:

1. What services are supposed to be allowed from/to where, so we can comment on whether this ruleset does what you want it to?

2. What would you like to have logged, so we can advise where to do the logging?

Also a few more questions added at points through your ruleset:

> :INPUT DROP [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT DROP [0:0]
>
> -A INPUT -i lo -j ACCEPT
> -A INPUT -i eth1 -j ACCEPT

What is interface eth1 used for? (We don't know if it's reasonable to accept all packets from there into the firewall - we can assume, but that wouldn't be an answer to your question. Do you have only a single trusted machine there? Do you have lots of machines with possibly trusted, possibly untrusted users? Is it connected to the Internet? We need more info....)

> -A INPUT -p icmp -j ACCEPT
> -A INPUT -p tcp -m tcp --sport 25 -j ACCEPT

Your firewall machine is running a mail client !?

> -A INPUT -i ppp0 -p tcp -m tcp --dport 22 -j ACCEPT
> -A INPUT -i ppp0 -p tcp -m tcp --dport 25 -j ACCEPT

Your firewall machine is running a mail server !!!???

> -A INPUT -i ppp0 -p tcp -m tcp --dport 80 -j ACCEPT
> -A INPUT -i ppp0 -p tcp -m tcp --dport 443 -j ACCEPT
> -A INPUT -i ppp0 -p tcp -m tcp --dport 10000 -j ACCEPT

What's that supposed to be for?
> -A INPUT -i ppp0 -p udp -m udp --sport 53 -j ACCEPT
> -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -s 192.168.100.0/255.255.255.0 -j ACCEPT

That's a nice way to allow spoofed packets through your firewall....

> -A FORWARD -d 192.168.100.6 -p tcp -m tcp --dport 22 -j ACCEPT
> -A FORWARD -d 192.168.100.6 -p tcp -m tcp --dport 7783 -j ACCEPT

What's that for?

> -A OUTPUT -s 127.0.0.1 -j ACCEPT
> -A OUTPUT -o eth1 -j ACCEPT
> -A OUTPUT -p tcp -m tcp --sport 80 -j ACCEPT

You allowed in packets addressed to ports 80 and 443 - how come you only allow out reply packets from 80?

> -A OUTPUT -p tcp -m tcp --sport 25 -j ACCEPT
> -A OUTPUT -p tcp -m tcp --sport 22 -j ACCEPT

You allowed in packets to port 10000 - you don't allow the replies out again?

> :PREROUTING ACCEPT [10:1191]
> :POSTROUTING ACCEPT [1:48]
> :OUTPUT ACCEPT [0:0]

So, you set up a nice default DROP policy, added some ACCEPT rules allowing the traffic you want, and then change the policy to ACCEPT so that everything is allowed (and you don't have any DROP rules). You may as well not bother with the OUTPUT ACCEPT rules - it's all going to get ACCEPTed anyway.

> -A PREROUTING -i ppp0 -p tcp -m tcp --dport 555 -j DNAT --to-destination 192.168.100.6:22
> -A PREROUTING -i ppp0 -p tcp -m tcp --dport 7783 -j DNAT --to-destination 192.168.100.6:7783
> -A POSTROUTING -s 192.168.100.0/255.255.255.240 -o ppp0 -j MASQUERADE

You seem confused about your network size. Here you've used a 20 bit netmask - earlier you used a 24 bit (on the FORWARDing rule). Probably best to be consistent (what subnet mask are you using on the eth1 interface, and on the client machines?)

Also, by the way, what happened to interface eth0?

Regards,

Antony.

--
90% of networking problems are routing problems.
9 of the remaining 10% are routing problems in the other direction.
The remaining 1% might be something else, but check the routing anyway.

Please reply to the list; please don't CC me.
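As an added example for this thread (it is not code from either poster), the script below parses an iptables-save dump and flags the three things raised above: DROP-policy chains with no LOG rule in front of them (so the "what gets dropped" logging the original poster asked for never happens), the FORWARD ACCEPT keyed on source address alone that Antony calls spoofable, and the INPUT ACCEPT keyed on --sport 25, which lets any remote host reach any local port simply by sending from source port 25. The "hardened" ruleset inside it is assumed and abridged, not the poster's: a LOGDROP chain with -m limit in front of LOG so a port scan cannot flood syslog, the LAN ACCEPT tied to -i eth1, and the --sport rule dropped because the RELATED,ESTABLISHED rule already admits mail-client replies. The check names and the 5/min limit are this script's own choices.

```python
"""Audit an iptables-save dump for the points raised in this thread.

Added example, not from the original mail. Checks: a DROP policy with nothing
logging in front of it, a FORWARD ACCEPT keyed on source address but no input
interface, an INPUT ACCEPT keyed on source port alone. Names are iptables' own.
"""
import shlex

# Constructed input: the posted filter table, abridged to the rules the
# checks look at.
POSTED = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i eth1 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 25 -j ACCEPT
-A INPUT -i ppp0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.100.0/255.255.255.0 -j ACCEPT
-A OUTPUT -o eth1 -j ACCEPT
COMMIT
"""

# Constructed "after" ruleset (abridged, assumed): a rate-limited LOGDROP
# chain closes every DROP-policy chain, the LAN ACCEPT is tied to eth1, and
# the --sport 25 rule is gone since the state rule already admits replies.
HARDENED = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LOGDROP - [0:0]
-A LOGDROP -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "FW-DROP: " --log-level 4
-A LOGDROP -j DROP
-A INPUT -i eth1 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i ppp0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j LOGDROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -s 192.168.100.0/24 -j ACCEPT
-A FORWARD -i ppp0 -d 192.168.100.6 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -j LOGDROP
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -j LOGDROP
COMMIT
"""


def parse_rule(line):
    """One '-A CHAIN ...' line -> {option: [values]}; '! -i x' becomes key '!-i'."""
    opts, key, negate = {}, None, False
    for tok in shlex.split(line):
        if tok == "!":
            negate = True
        elif tok.startswith("-"):
            key = ("!" if negate else "") + tok
            negate = False
            opts.setdefault(key, [])
        elif key is not None:
            opts[key].append(tok)
    return opts


def parse_dump(text):
    """-> {table: {'policies': {chain: policy}, 'rules': [parsed rules]}}."""
    tables, table = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("*"):
            table = line[1:]
            tables[table] = {"policies": {}, "rules": []}
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            tables[table]["policies"][chain] = policy
        elif line.startswith("-A "):
            tables[table]["rules"].append(parse_rule(line))
    return tables  # comments, blank lines and COMMIT are skipped


def audit(text):
    """Return findings (strings) for the filter table; [] means clean."""
    filt = parse_dump(text)["filter"]
    by_chain = {}
    for r in filt["rules"]:
        by_chain.setdefault(r["-A"][0], []).append(r)
    target = lambda r: r.get("-j", [None])[0]
    # chains that log directly; a chain jumping to one of these logs too
    logging = {c for c, rs in by_chain.items() if any(target(r) == "LOG" for r in rs)}
    findings = []
    for chain, policy in filt["policies"].items():
        rs = by_chain.get(chain, [])
        if policy == "DROP" and not any(target(r) in logging | {"LOG"} for r in rs):
            findings.append(f"{chain}: policy DROP but nothing logs, drops are invisible")
    for r in by_chain.get("FORWARD", []):
        if target(r) == "ACCEPT" and "-s" in r and "-i" not in r and "!-i" not in r:
            findings.append(f"FORWARD: ACCEPT from {r['-s'][0]} with no -i, spoofed sources pass")
    for r in by_chain.get("INPUT", []):
        if target(r) == "ACCEPT" and "--sport" in r and "--dport" not in r and "-i" not in r:
            findings.append(f"INPUT: ACCEPT on source port {r['--sport'][0]} alone reaches every port")
    return findings


if __name__ == "__main__":
    print(audit(POSTED), audit(HARDENED))
```

Run it with python3, or feed it the output of iptables-save from the firewall itself. Against the posted rules it reports five findings (three unlogged DROP policies, the source-only FORWARD ACCEPT and the --sport 25 INPUT ACCEPT); against the hardened rules it reports none. The LOG target writes to the kernel log, so the "FW-DROP: " prefix is what you grep for in syslog or dmesg; the limit match in front of it is what keeps a port scan from turning into a self-inflicted log flood.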