On Wednesday 2005-August-31 10:57, Michael Ellerbeck wrote:
> Trying to set up rules that will only allow connections in on telnet,
> DNS, and DHCP. Also the telnet rule should only allow connections that
> are destined for 10.0.0.1

Is this a local IP of the machine? Complete information gets better
answers.

See, if that is so, perhaps you are wanting to restrict telnet to a LAN
which is under your control. The best way to do that is not by IP,
because IPs can be spoofed. Control it by incoming interface.

You should also only bind your telnetd to the internal interface. It's
poor practice to rely solely on your firewall for security.

> So setting all initial chains to drop
> {$IPTABLES} -P INPUT DROP

That doesn't look like good shell syntax to me. "${IPTABLES}"? Why the
curly braces at all?

> {$IPTABLES} -P OUTPUT DROP

Why this?

> {$IPTABLES} -P FORWARD DROP
>
> $IPTABLES -A INPUT -p tcp -i eth1 -d 10.0.0.1 --dport 23 -m state
> --state NEW,ESTABLISHED -j ACCEPT

The "-i eth1" is what I was talking about above. You don't need the
state matching here.

> Is it OK to do this on the INPUT?

Not knowing if 10.0.0.1 is a local IP, how are we to know?

> This box is also a router, will the
> iptables happen before any routing happens.

That's answered in "man iptables" section "TABLES". No, routed packets
will never hit your filter table INPUT chain.

> I guess my question is
> one of order. When a packet comes in will it be handled by the
> iptables INPUT first?

If destination IP is local (bound to a local interface), yes. Otherwise
see above.

> How can I safely allow outgoing packets?

What is "safely"? I do very little filtering of OUTPUT. My choice for
safety and functionality is "iptables -P OUTPUT ACCEPT".

> To allow DNS and DHCP in can I do something like
>
> $IPTABLES -A INPUT -p tcp -i eth1 --dport 53 -m state --state
> NEW,ESTABLISHED -j ACCEPT #DNS

What about UDP?

[word wrapping fixed]
> $IPTABLES -A INPUT -p tcp -i eth1 --dport 67 -m state --state NEW,ESTABLISHED -j ACCEPT #DHCP
> $IPTABLES -A INPUT -p tcp -i eth1 --dport 68 -m state --state NEW,ESTABLISHED -j ACCEPT #DHCP

Useless. Or to be precise, DHCP does not use TCP.

$ grep ^bootp /etc/services
bootps  67/tcp  dhcps  #Bootstrap Protocol Server
bootps  67/udp  dhcps  #Bootstrap Protocol Server
bootpc  68/tcp  dhcpc  #Bootstrap Protocol Client
bootpc  68/udp  dhcpc  #Bootstrap Protocol Client

That's a lie. These are only UDP. You need to allow 67/udp coming in.

> How can I allow these ports out?

See above. Also please see the Packet Filtering HOWTO which, for me,
made it all start to make sense. You also have to know something about
the services you are running: what ports and protocols they need.

> Thank you for your help!

I tried to read your mind ... probably tried too hard.
--
mail to this address is discarded unless "/dev/rob0" or "not-spam" is
in Subject: header
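A rule set that applies the corrections made in this reply (telnet restricted by incoming interface rather than by source address, no state match on the ACCEPT, DNS on both UDP and TCP, DHCP on 67/udp only, OUTPUT left at ACCEPT), as an added example that is not part of the thread. The interface eth1, the address 10.0.0.1 and the IPTABLES variable come from the question; the ESTABLISHED,RELATED rule for return traffic of the box's own connections is an addition the reply does not spell out.

```shell
#!/bin/sh
# Added example, not from the thread. Installs the INPUT policy the reply
# argues for. Set IPTABLES="echo iptables" for a dry run that only prints.
LAN_IF="${LAN_IF:-eth1}"            # inside interface from the question
TELNET_IP="${TELNET_IP:-10.0.0.1}"  # address telnetd is bound to
IPTABLES="${IPTABLES:-iptables}"    # proper ${...} syntax, not {$...}

# Every rule goes through here, so a dry run prints exactly what would run.
rule() {
    $IPTABLES "$@"
}

apply_input_policy() {
    rule -P INPUT DROP
    rule -P FORWARD DROP
    rule -P OUTPUT ACCEPT   # the reply's choice: don't filter OUTPUT

    # Replies to connections this box opened itself. Not in the reply, but
    # with INPUT DROP and no such rule the box's own lookups get no answers.
    rule -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Telnet: restrict by incoming interface, since a source address can be
    # spoofed. A plain ACCEPT needs no --state NEW,ESTABLISHED match.
    rule -A INPUT -i "$LAN_IF" -p tcp -d "$TELNET_IP" --dport 23 -j ACCEPT

    # DNS is mostly UDP; TCP is still needed for large answers and zone data.
    rule -A INPUT -i "$LAN_IF" -p udp --dport 53 -j ACCEPT
    rule -A INPUT -i "$LAN_IF" -p tcp --dport 53 -j ACCEPT

    # DHCP: UDP only. Clients talk to the server on 67/udp; 68 is the
    # client side and needs no INPUT rule on a DHCP server.
    rule -A INPUT -i "$LAN_IF" -p udp --dport 67 -j ACCEPT
}

# Print the rules instead of installing them (subshell, so the override of
# IPTABLES does not leak out).
dry_run() {
    ( IPTABLES="echo iptables"; apply_input_policy )
}

case "${1:-}" in
    --apply) apply_input_policy ;;   # needs root
    *)       dry_run ;;
esac
```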