Hello Everyone,

We recently moved our stateful firewall inside, and would like to strip down the firewall at our router connected to the outside world. The problem I am experiencing is getting things to work properly without connection tracking. I hope I am not in breach of mailing list rules; however, a stripped-down configuration is as follows:

#!/bin/bash
IPTABLES='/sbin/iptables'

#Set interface values
INTIF1='eth0'

#flush rules and delete chains
$IPTABLES -F
$IPTABLES -X

#echo -e " - Accepting input lo traffic"
$IPTABLES -A INPUT -i lo -j ACCEPT

#echo -e " - Accepting output lo traffic"
$IPTABLES -A OUTPUT -o lo -j ACCEPT

#echo -e " - Defined Chains"
$IPTABLES -N TCP
$IPTABLES -N UDP

#echo -e " - Accepting SSH Traffic"
$IPTABLES -A TCP -p tcp -m tcp -s 192.168.2.0/24 -d 192.168.2.5 --dport 22 -j ACCEPT
$IPTABLES -A TCP -p tcp -m tcp -s 0.0.0.0/0 -d 192.168.2.5 --dport 22 -j DROP

#echo -e " - Accepting input TCP and UDP traffic to open ports"
$IPTABLES -A INPUT -i $INTIF1 -p tcp --syn -j TCP
$IPTABLES -A INPUT -i $INTIF1 -p udp -j UDP

#echo -e " - Accepting output TCP and UDP traffic to open ports"
$IPTABLES -A OUTPUT -o $INTIF1 -p tcp --syn -j TCP
$IPTABLES -A OUTPUT -o $INTIF1 -p udp -j UDP

#echo -e " - Dropping input TCP and UDP traffic to closed ports"
# $IPTABLES -A INPUT -i $INTIF1 -p tcp -j REJECT --reject-with tcp-rst
# $IPTABLES -A INPUT -i $INTIF1 -p udp -j REJECT --reject-with icmp-port-unreachable

#echo -e " - Dropping output TCP and UDP traffic to closed ports"
# $IPTABLES -A OUTPUT -o $INTIF1 -p tcp -j REJECT --reject-with tcp-rst
# $IPTABLES -A OUTPUT -o $INTIF1 -p udp -j REJECT --reject-with icmp-port-unreachable

#echo -e " - Dropping input traffic to remaining protocols sent to closed ports"
# $IPTABLES -A INPUT -i $INTIF1 -j REJECT --reject-with icmp-proto-unreachable

#echo -e " - Dropping output traffic to remaining protocols sent to closed ports"
# $IPTABLES -A OUTPUT -o $INTIF1 -j REJECT --reject-with icmp-proto-unreachable

Everything works fine with the REJECT rules commented out, but when included SSH access is blocked out. Not sure why, isn't the sequence correct (i.e., the ACCEPT entries before the DROP and REJECT)? Also, any pointers or heads up when going stateless would be greatly appreciated.

Kind Regards,
Nick
--
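Added example, not part of the original post: in the ruleset above only pure SYN packets are sent to the TCP chain (`--syn` matches SYN set with ACK, RST and FIN clear), so every later packet of an accepted SSH session, starting with the client's ACK, skips the chain and, without conntrack to mark it ESTABLISHED, lands on the REJECT rule. The script below shows the stateless workaround, accepting non-SYN TCP packets by flag and UDP replies by port, using the interface and addresses from the post; it prints the commands by default and applies them only with DRY_RUN=0.

```shell
#!/bin/bash
# Added example, not the original poster's script: a stateless ruleset for
# the host 192.168.2.5 on eth0 (addresses taken from the post). Without
# conntrack the kernel cannot recognise replies, so established traffic has
# to be matched by TCP flags and port numbers instead of by state.
IPTABLES="${IPTABLES:-/sbin/iptables}"
DRY_RUN="${DRY_RUN:-1}"      # default: print the commands, do not apply them
INTIF1='eth0'
HOST='192.168.2.5'
LAN='192.168.2.0/24'

ipt() {
    if [ "$DRY_RUN" = "1" ]; then echo "$IPTABLES $*"; else "$IPTABLES" "$@"; fi
}

stateless_rules() {
    ipt -F
    ipt -X
    ipt -N TCP
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT

    # Policy for NEW inbound sessions: only pure SYN packets reach the TCP chain.
    ipt -A TCP -p tcp -s "$LAN" -d "$HOST" --dport 22 -j ACCEPT
    ipt -A TCP -p tcp -d "$HOST" --dport 22 -j DROP
    ipt -A INPUT -i "$INTIF1" -p tcp --syn -j TCP

    # Stateless substitute for ESTABLISHED: every later packet of a session
    # (ACK, SYN-ACK, FIN, RST) is not a connection opener, so accept non-SYN.
    # Without this rule those packets fall through to the REJECT below, which
    # is why SSH stops working once the REJECTs are enabled.
    ipt -A INPUT -i "$INTIF1" -p tcp ! --syn -j ACCEPT
    ipt -A OUTPUT -o "$INTIF1" -p tcp ! --syn -j ACCEPT
    # Sessions opened by this host itself (their replies come back as non-SYN).
    ipt -A OUTPUT -o "$INTIF1" -p tcp --syn -j ACCEPT

    # UDP has no handshake: replies must be matched by port (DNS answers here).
    ipt -A OUTPUT -o "$INTIF1" -p udp --dport 53 -j ACCEPT
    ipt -A INPUT -i "$INTIF1" -p udp --sport 53 -d "$HOST" -j ACCEPT

    # Caveat: "! --syn" admits any non-SYN packet to any port, so a stateless
    # host answers stray ACK packets on closed ports with RST. That is the
    # price of stateless filtering; only conntrack ties packets to a session.
    ipt -A INPUT -i "$INTIF1" -p tcp -j REJECT --reject-with tcp-rst
    ipt -A INPUT -i "$INTIF1" -p udp -j REJECT --reject-with icmp-port-unreachable
    ipt -A INPUT -i "$INTIF1" -j REJECT --reject-with icmp-proto-unreachable
}

stateless_rules
```

Preview with `DRY_RUN=1 ./stateless.sh`, then apply as root with `DRY_RUN=0`; the DNS rules only cover replies to this host's own resolver queries and need widening for any other UDP service.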