I have read the "iptables tutorial" by Oskar Andreasson and tried to write a reasonable ruleset for my network scenario. Not really something special, but being behind the firewall of the university, I hope it is acceptable as an additional security measure.

Q1) Can you people be nice enough to give your ideas about how/where to improve it.

Q2) I have introduced variables instead of actual ip-addresses, but these variables are not being handled correctly. I receive the following error:

Bad argument `Y_IP="192.168..126.31'
Error occurred at line: 8
Try `iptables-restore -h' or 'iptables-restore --help' for more information.

The rule set is as follows:

fisw31:~/ToDo# cat /root/ToDo/iptables-save-new
# Generated by iptables-save v1.2.11 on Fri Jul 22 18:20:59 2005
*filter
:INPUT DROP [808:130818]
:FORWARD DROP [0:0]
:OUTPUT DROP [408:29492]
MY_IP="192.168..126.31"
MY_MAIL_SERVER="mail.isp.com"
MY_GMX_MAIL_SERVER="mail.gmx.net"
MY_DNS_SERVER="192.168.102.14"
MY_PROXY_SERVER="192.168.102.14"
#Allow test connections from loopback to loopback
-A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
-A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
#Accept connection to/from $MY_MAIL_SERVER
-A INPUT -s $MY_MAIL_SERVER -d $MY_IP -p tcp -m tcp --sport smtp -j ACCEPT
-A INPUT -s $MY_MAIL_SERVER -d $MY_IP -p tcp -m tcp --sport imap -j ACCEPT
-A OUTPUT -s $MY_IP -d $MY_MAIL_SERVER -p tcp -m tcp --dport smtp -j ACCEPT
-A OUTPUT -s $MY_IP -d $MY_MAIL_SERVER -p tcp -m tcp --dport imap -j ACCEPT
#Accept connection to/from gmx.net
-A INPUT -s $MY_GMX_MAIL_SERVER -d $MY_IP -p tcp -m tcp --sport pop3 -j ACCEPT
-A INPUT -s $MY_GMX_MAIL_SERVER -d $MY_IP -p tcp -m tcp --sport smtp -j ACCEPT
-A OUTPUT -s $MY_IP -d $MY_GMX_MAIL_SERVER -p tcp -m multiport --dport pop3 -j ACCEPT
-A OUTPUT -s $MY_IP -d $MY_GMX_MAIL_SERVER -p tcp -m multiport --dport smtp -j ACCEPT
#Allow connection to/from port 80(http),443(https),22(ssh)
-A INPUT -d $MY_IP -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -d $MY_IP -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -d $MY_IP -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -s $MY_IP -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -s $MY_IP -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -s $MY_IP -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -s $MY_IP -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -s $MY_IP -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -s $MY_IP -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -s $MY_IP -p tcp -m tcp --sport 22 -j ACCEPT
-A OUTPUT -s $MY_IP -p tcp -m tcp --sport 80 -j ACCEPT
-A OUTPUT -s $MY_IP -p tcp -m tcp --sport 443 -j ACCEPT
#check for apt-get connection behaviour to http servers and change settings for iptables accordingly
#allow all traffic to/from DNS server ($MY_DNS_SERVER)
#-A OUTPUT -s $MY_IP -d $MY_DNS_SERVER -p udp -m udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
#-A OUTPUT -s $MY_IP -d $MY_DNS_SERVER -p tcp -m tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
#-A INPUT -s $MY_DNS_SERVER -d $MY_IP -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
#-A INPUT -s $MY_DNS_SERVER -d $MY_IP -p tcp -m tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -s $MY_IP -d $MY_DNS_SERVER -p udp -m udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -s $MY_IP -d $MY_DNS_SERVER -p tcp -m tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s $MY_DNS_SERVER -d $MY_IP -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -s $MY_DNS_SERVER -d $MY_IP -p tcp -m tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT
#connection to proxy-server ($MY_PROXY_SERVER) on port 8080
-A OUTPUT -s $MY_IP -d $MY_PROXY_SERVER -p udp -m udp --dport 8080 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -s $MY_IP -d $MY_PROXY_SERVER -p tcp -m tcp --dport 8080 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s $MY_PROXY_SERVER -d $MY_IP -p udp -m udp --sport 8080 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -s $MY_PROXY_SERVER -d $MY_IP -p tcp -m tcp --sport 8080 -m state --state ESTABLISHED -j ACCEPT
# Allow ping operation
-A INPUT -d $MY_IP -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -d $MY_IP -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -d 127.0.0.1 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -d 127.0.0.1 -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A OUTPUT -s $MY_IP -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -s $MY_IP -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A OUTPUT -s 127.0.0.1 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -s 127.0.0.1 -p icmp -m icmp --icmp-type 0 -j ACCEPT
#Whois connections/connection-replies to/from outside are allowed
-A OUTPUT -s $MY_IP -d whois.crsnic.net -p tcp -m tcp --dport 43 -j ACCEPT
-A INPUT -s whois.crsnic.net -d $MY_IP -p tcp -m tcp --sport 43 -m state --state ESTABLISHED -j ACCEPT
#Throw away uncommon TCP packets
-A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
-A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
-A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
#Throw away unexpected packets and log valid ones
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
-A INPUT -p tcp -m state --state INVALID -m limit --limit 10/m -j LOG --log-level info
#SYN-Flood-Protection
-N syn-flood
-A INPUT -p tcp --syn -j syn-flood
-A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
-A syn-flood -j DROP
#HTTP-CONNECT requests to be denied
#-A INPUT -p tcp -d 0/0 --dport 80 -m string --string "CONNECT" -j REJECT
#Limit number of connections
-A INPUT -p tcp -m limit --limit 2 -j REJECT --reject-with tcp-reset
COMMIT
# Completed on Fri Jul 22 18:20:59 2005

-- 
Luqman Munawar
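An added example, written here as a reply to Q2 and not part of the post above: iptables-restore parses the file itself and knows nothing about shell variables, so a line such as MY_IP="..." reaches the rule parser as if it were a rule, which is exactly the "Bad argument" it reports, and every later $MY_IP would stay unexpanded even if it got that far. The usual fix is to keep the variables in a shell script and let the shell expand them into the restore file before it is loaded. The script below does that with the post's own addresses (MY_IP is assumed to be 192.168.126.31, i.e. the post's doubled dot repaired; the output path is made up) and, while regenerating the file, replaces the mirrored --sport rules with one ESTABLISHED,RELATED rule per chain, since a --sport match is satisfied by any remote host that simply picks that source port, whereas a tracked connection is not.

```sh
#!/bin/sh
# Added example (not from the original post): iptables-restore has no
# variable syntax, so MY_IP="..." is fed to the rule parser literally and
# every later "$MY_IP" stays unexpanded. Let the shell do the substitution
# and hand iptables-restore a file with real addresses in it.
#
# Addresses are the post's own; MY_IP assumes the intended value is
# 192.168.126.31 (the post has a doubled dot). The output path is an
# assumption.

MY_IP="192.168.126.31"
MY_MAIL_SERVER="mail.isp.com"
MY_GMX_MAIL_SERVER="mail.gmx.net"
MY_DNS_SERVER="192.168.102.14"
MY_PROXY_SERVER="192.168.102.14"

# Emit a complete iptables-restore input with every variable expanded.
# Reply traffic is admitted by connection tracking once, instead of by a
# mirrored "--sport" rule per service: a "--sport smtp" rule accepts any
# packet whose sender chose source port 25, a tracked state does not.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# replies to connections accepted below; nothing else needs a --sport rule
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# a new TCP connection must start with SYN
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# inbound: ssh only
-A INPUT -d $MY_IP -p tcp --dport 22 -m state --state NEW -j ACCEPT
# inbound: echo request (replies to our own pings arrive as ESTABLISHED)
-A INPUT -d $MY_IP -p icmp --icmp-type 8 -j ACCEPT
# outbound: mail
-A OUTPUT -s $MY_IP -d $MY_MAIL_SERVER -p tcp -m multiport --dports 25,143 -m state --state NEW -j ACCEPT
-A OUTPUT -s $MY_IP -d $MY_GMX_MAIL_SERVER -p tcp -m multiport --dports 25,110 -m state --state NEW -j ACCEPT
# outbound: web, ssh, whois
-A OUTPUT -s $MY_IP -p tcp -m multiport --dports 22,80,443 -m state --state NEW -j ACCEPT
-A OUTPUT -s $MY_IP -d whois.crsnic.net -p tcp --dport 43 -m state --state NEW -j ACCEPT
# outbound: DNS, proxy, ping
-A OUTPUT -s $MY_IP -d $MY_DNS_SERVER -p udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -s $MY_IP -d $MY_DNS_SERVER -p tcp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -s $MY_IP -d $MY_PROXY_SERVER -p tcp --dport 8080 -m state --state NEW -j ACCEPT
-A OUTPUT -s $MY_IP -p icmp --icmp-type 8 -j ACCEPT
COMMIT
EOF
}

# Checks that need neither root nor a kernel: the generated text must
# contain no unexpanded variable and no malformed address.
check_rules() {
    rules=$(gen_rules) || return 1
    case "$rules" in *'$'*) return 1 ;; esac
    case "$rules" in *..*)  return 1 ;; esac
    return 0
}

# Write the file; load it afterwards with: iptables-restore < "$out"
write_rules() {
    out="${1:-/tmp/iptables-rules.v4}"
    check_rules || { echo "rule generation failed" >&2; return 1; }
    gen_rules > "$out" && echo "$out"
}

# Only write when asked, so the file can also be sourced for its functions.
if [ "${1:-}" = "--write" ]; then
    write_rules "${2:-}"
fi
```

Run it as `sh rules.sh --write` to produce the file, then `iptables-restore < /tmp/iptables-rules.v4` as root; `check_rules` can be run on any machine first because it never touches the kernel. As in the original ruleset, the hostnames (mail.isp.com, mail.gmx.net, whois.crsnic.net) are resolved once, when iptables-restore loads the file, so a changed DNS answer needs a reload, and a name with several addresses yields one rule per address.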