Hello netfilter users. I would like your opinion on the script below. Before that you will need to know a bit about my configuration. I have an ADSL line (ppp0) and two ethernet cards. Eth0 is directly connected to the DSL modem. Eth1 is connected to my LAN (192.168.100.0/255.255.255.0). This range is masqueraded.

I want the following services on my firewall server to be accessible from the internet (22, 25, 80, 443, 10000), not a good idea I know, but cost constraints... I have a server on the LAN that is hosting ssh and 7783, Oracle web server. I have a DNAT for this server: 555 = 22, and 7783 = 7783. Once again cost constraints.

I have allowed pretty much any port from the LAN out to the internet, will still work on restricting this in the FORWARD rules, not too worried about this yet ;-), however, I will want to prevent Kazaa etc. I am also a little restrictive on what goes out from the firewall server itself; I have limited it to certain ports only.

I have tested everything from a machine on the internet inwards, from the LAN outwards, and from the firewall itself outwards. Everything is working as expected, so based on that I think I have it right.

My question is, am I sufficiently covered on what comes in from the internet? Can I do more on my INPUT table to prevent spoofing, DOS attacks, and whatever else is suspicious?

Thanks in advance,
Stuart.

#!/bin/sh
#
# IPTABLES script
#

# some kernel flag settings

# preventing smurf amplification attacks
/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# do not accept source routed packets
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
# disable icmp redirect acceptance
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
# enable bad error message protection
/bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# initial cleanup (the nat table is flushed as well, otherwise re-running
# the script appends duplicate DNAT rules)
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
iptables -t nat -X

# INPUT table
iptables -P INPUT DROP
# new TCP connections from the internet must start with a SYN
iptables -A INPUT -i ppp0 -p tcp -m tcp ! --tcp-flags SYN SYN -m state --state NEW -j DROP
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -i lo -j ACCEPT
# anything from the LAN side
iptables -A INPUT -s 192.168.100.0/255.255.255.0 -i eth1 -j ACCEPT
# services on the firewall that are reachable from the internet
iptables -A INPUT -i ppp0 -p tcp -m tcp -m multiport --dports 22,25,80,443,10000 -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# everything else is logged and then falls through to the DROP policy
iptables -A INPUT -j LOG --log-prefix "IN-Default-drop "

# FORWARD table
iptables -P FORWARD DROP
# LAN out to the internet, any port for now
iptables -A FORWARD -s 192.168.100.0/255.255.255.0 -i eth1 -j ACCEPT
# DNAT'd connections to the LAN server (ssh and the Oracle web server)
iptables -A FORWARD -d 192.168.100.6 -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A FORWARD -d 192.168.100.6 -p tcp -m tcp --dport 7783 -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m state --state INVALID -j LOG --log-prefix "Drop-INV-FWD "
iptables -A FORWARD -m state --state INVALID -j DROP

# OUTPUT table
iptables -P OUTPUT DROP
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -o eth1 -j ACCEPT
# DNS (multiport --ports matches either the source or the destination port)
iptables -A OUTPUT -o ppp0 -p udp -m udp -m multiport --ports 53 -j ACCEPT
# outbound connections the firewall itself may open
iptables -A OUTPUT -o ppp0 -p tcp -m tcp -m multiport --dports 21,22,25,80,443 -j ACCEPT
# replies from local services, matched by their source port
iptables -A OUTPUT -o ppp0 -p tcp -m tcp -m multiport --sports 25,53,80,443,10000 -j ACCEPT
iptables -A OUTPUT -o ppp0 -p icmp -j ACCEPT
iptables -A OUTPUT -m state --state INVALID -j LOG --log-prefix "Drop-INV-OUT "
iptables -A OUTPUT -m state --state INVALID -j DROP

# NAT table
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -A PREROUTING -i ppp0 -p tcp -m tcp --dport 555 -j DNAT --to-destination 192.168.100.6:22
iptables -t nat -A PREROUTING -i ppp0 -p tcp -m tcp --dport 7783 -j DNAT --to-destination 192.168.100.6:7783
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.100.0/255.255.255.0 -o ppp0 -j MASQUERADE

# The end

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.656 / Virus Database: 421 - Release Date: 4/9/2004
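Stuart asks whether more can be done in INPUT against spoofing and DoS. The script below is an added example and is not part of Stuart's post: it builds a separate ANTISPOOF chain that drops internet-side packets carrying private or reserved source addresses, drops LAN-side packets that do not carry a LAN source, rate-limits new TCP connections arriving from the internet, and switches on kernel reverse-path filtering. The interfaces (ppp0, eth1) and the LAN range are taken from the post; the bogon list, the chain name, the limit values and the DRYRUN switch are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of Stuart's script. Builds an ANTISPOOF chain
# for the INPUT and FORWARD paths: drops internet-side packets with
# private/reserved source addresses, drops LAN-side packets that do not
# carry a LAN source, caps the rate of new TCP connections from the
# internet, and turns on kernel reverse-path filtering.
# Assumed from the post: internet side ppp0, LAN side eth1 with
# 192.168.100.0/24. The bogon list, chain name, limit values and the
# DRYRUN switch are this example's own choices.

# With DRYRUN=1 every command is printed instead of executed, so the
# generated rules can be reviewed on any machine before loading them.
run() {
    if [ -n "${DRYRUN:-}" ]; then echo "$*"; else "$@"; fi
}

# Source networks that cannot legitimately arrive from the internet.
# 192.168.0.0/16 also covers the LAN range, so a packet arriving on the
# WAN interface that claims a 192.168.100.x source is dropped here.
bogon_sources() {
    printf '%s\n' \
        0.0.0.0/8 \
        10.0.0.0/8 \
        127.0.0.0/8 \
        169.254.0.0/16 \
        172.16.0.0/12 \
        192.168.0.0/16 \
        224.0.0.0/4 \
        240.0.0.0/4
}

# Populate the ANTISPOOF chain. Arguments: wan-if lan-if lan-net
antispoof_rules() {
    wan=$1; lan=$2; lan_net=$3
    run iptables -N ANTISPOOF 2>/dev/null   # harmless if it already exists
    run iptables -F ANTISPOOF
    # Internet-side packets with an impossible source address.
    for net in $(bogon_sources); do
        run iptables -A ANTISPOOF -i "$wan" -s "$net" -j DROP
    done
    # LAN-side packets whose source is not a LAN address.
    run iptables -A ANTISPOOF -i "$lan" '!' -s "$lan_net" -j DROP
    # New TCP connections from the internet: let a bounded rate through,
    # log the excess (itself rate-limited) and drop it.
    run iptables -A ANTISPOOF -i "$wan" -p tcp --syn \
        -m limit --limit 30/second --limit-burst 60 -j RETURN
    run iptables -A ANTISPOOF -i "$wan" -p tcp --syn \
        -m limit --limit 3/minute -j LOG --log-prefix "SYN-flood "
    run iptables -A ANTISPOOF -i "$wan" -p tcp --syn -j DROP
    # Anything else goes back to the calling chain for the normal rules.
    run iptables -A ANTISPOOF -j RETURN
}

# Hook the chain in ahead of the existing rules. FORWARD gets it too,
# because traffic DNAT'd to the LAN server never traverses INPUT.
# rp_filter is safe here because the firewall has a single uplink; with
# asymmetric routing it would drop legitimate packets.
apply_antispoof() {
    antispoof_rules ppp0 eth1 192.168.100.0/24
    run iptables -I INPUT 1 -j ANTISPOOF
    run iptables -I FORWARD 1 -j ANTISPOOF
    run sysctl -w net.ipv4.conf.all.rp_filter=1
}

# Usage:  DRYRUN=1 sh antispoof.sh apply   (print the rules for review)
#         sh antispoof.sh apply            (load them, as root)
if [ "${1:-}" = apply ]; then apply_antispoof; fi
```

Run it after the main script so that the `-I ... 1` inserts land in front of the existing rules; flushing the filter table with `iptables -F` removes the jump again, so the two scripts must run in that order. The `limit` match here counts all inbound SYNs together, so a sustained flood from one source still crowds out legitimate clients; it bounds the damage rather than distinguishing sources, and the numbers should be tuned to what the ADSL link actually carries.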