On Wed, 05 Aug 2009 15:20:18 +0200, Mart Frauenlob <mart.frauenlob@xxxxxxxxx> wrote:
> Julien Vehent wrote:
>> Hello Nicholas,
>>
>> On Mon, 27 Jul 2009 13:56:59 -0400, NICHOLAS KLINE <nkline@xxxxxxxx> wrote:
>>
>>> Hi,
>>>
>>> I have a fresh install of Ubuntu 8.x desktop edition running on a
>>> laptop. Before I plug the laptop into a public network and proceed to
>>> patch it, I want to make sure I have a secure firewall in place.
>>>
>>> This particular system will not be running any server services such as
>>> HTTPD, SSH, FTP, etc. Inbound traffic should be denied unless an
>>> outbound connection was first established.
>>> I will mostly be using a wired internet connection but I might switch
>>> to wireless once in a while.
>>>
>>> After reading a few Linux security books, I have a decent set of
>>> firewall rules almost ready to put into place. The only rule
>>> preventing me from putting the firewall in place is:
>>>
> ...
>
>>> # Set default-deny policies for all chains.
>>> # User-defined chains cannot be assigned default policies.
>>> $IPTABLES -P INPUT DROP
>>> $IPTABLES -P FORWARD DROP
>>> $IPTABLES -P OUTPUT DROP
>>>
>>> $IPTABLES -t nat -P PREROUTING DROP
>>> $IPTABLES -t nat -P OUTPUT DROP
>>> $IPTABLES -t nat -P POSTROUTING DROP
>>>
>>> $IPTABLES -t mangle -P PREROUTING DROP
>>> $IPTABLES -t mangle -P OUTPUT DROP
>>>
>>
>> I don't like the default policy because you can't log anything in these
>> rules.
>> I prefer to put at the end of the ruleset something like
>> --------
>> echo "Default log drop, at the end so we just drop what doesn't match the previous rules"
>> $IPT -N LOGDROP
>> $IPT -A LOGDROP -j LOG --log-prefix "DROP => " --log-level debug
>> $IPT -A LOGDROP -j DROP
>>
>> $IPT -A INPUT -i $NETCARD -j LOGDROP
>> $IPT -A OUTPUT -o $NETCARD -j LOGDROP
>> --------
>> that allows you to log and then drop, instead of just dropping.
>>
> Why not just put a log rule as the final rule and let the policy drop
> the packet? That way there are fewer rules and traffic gets logged and
> dropped.
>

You would not log the firewall's decision then. Only the packet details.

> ...
>>> # Log & drop ALL incoming packets destined anywhere but here.
>>> # (We already set the default FORWARD policy to DROP. But this is
>>> # yet another free, reassuring redundancy, so why not throw it in?)
>>>
>>> $IPTABLES -A FORWARD -j LOG --log-prefix "Attempted FORWARD? Dropped by default:"
>>> $IPTABLES -A FORWARD -j DROP
>>>
>>
>> FORWARD is processed after INPUT and OUTPUT. If you drop in those two
>> chains, you shouldn't need to do anything in FORWARD.
>>
> hm, I think this is not right.
> After the routing decision, packets either go to INPUT, OUTPUT or
> FORWARD chain.
> If the OP is not 'routing' traffic not originated from his box, the
> FORWARD chain will not be used at all, so a simple policy drop will do
> the job (log before if wanted).
> Correct me if I'm wrong please.

Uh.. Shame on me. You are actually right on this. It's PREROUTING or
POSTROUTING that are processed before FORWARD.

> greets
>
> Mart

--
julien
http://jve.linuxwall.info/blog
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
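The layout the thread converges on, written out as an added example (not the original poster's script nor anything from the list): DROP policies on all three filter chains, a stateful INPUT/OUTPUT pair for a non-serving laptop, and Julien's LOGDROP chain appended last so the final drop is logged with a recognisable prefix, while FORWARD is left to its policy because a non-routing box never traverses it. NETCARD, the rate limit and the DRYRUN switch are assumptions of this example.

```shell
#!/bin/sh
# Added example: desktop ruleset with a logged catch-all drop.
# Set DRYRUN=1 to print the iptables commands instead of running them.

IPT=${IPT:-iptables}
NETCARD=${NETCARD:-eth0}   # assumed interface name
DRYRUN=${DRYRUN:-0}

# run: echo the command in dry-run mode, otherwise execute it as root.
run() {
    if [ "$DRYRUN" = 1 ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

build_ruleset() {
    # Start from an empty filter table.
    run -F
    run -X

    # Default-deny on every built-in chain. FORWARD gets nothing else:
    # without routing enabled no packet ever reaches it.
    run -P INPUT DROP
    run -P FORWARD DROP
    run -P OUTPUT DROP

    # Loopback traffic is local to the box and always allowed.
    run -A INPUT -i lo -j ACCEPT
    run -A OUTPUT -o lo -j ACCEPT

    # Stateful core: only replies to our own connections come in,
    # new connections may only go out.
    run -A INPUT -i "$NETCARD" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run -A OUTPUT -o "$NETCARD" -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT

    # Log-then-drop chain, appended last so it only sees unmatched packets.
    # The limit match keeps a flood from filling the kernel log.
    run -N LOGDROP
    run -A LOGDROP -m limit --limit 5/min -j LOG --log-prefix "FW-DROP:" --log-level debug
    run -A LOGDROP -j DROP
    run -A INPUT -i "$NETCARD" -j LOGDROP
    run -A OUTPUT -o "$NETCARD" -j LOGDROP
}
```

Source the file and call `build_ruleset` (with `DRYRUN=1` first to review the rule order); anything that reaches the two LOGDROP jumps is exactly what the DROP policy would otherwise have discarded silently.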