There are no ICMP rules at all in your example. I would reckon you need 2 rules on a stateless firewall (at least): ONE for ICMP type 8 on OUTPUT (your machine sending ECHO REQUEST), not needed as long as you have ACCEPT for all OUTPUT, and ONE for ICMP type 0 on INPUT (other machines sending ECHO REPLY back to your machine).

/sbin/iptables -A OUTPUT -p icmp --icmp-type 8 -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT

If you want others to be able to ping your machine, you do the rules the reverse way!

And since you ONLY need 2 services, you may want to remove this rule:

/sbin/iptables -A INPUT -p tcp --dport 1000:65535 -j ACCEPT

If you need to allow for outgoing return traffic, you should allow the source services you need/use.

/sbin/iptables -A INPUT -p tcp --sport 80 --dport 1025:65535 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --sport 53 --dport 1025:65535 -j ACCEPT
/sbin/iptables -A INPUT -p udp --sport 53 --dport 1025:65535 -j ACCEPT

And the same for OUTPUT (unless you continue with all ACCEPT):

/sbin/iptables -A OUTPUT -p tcp --dport 80 --sport 1025:65535 -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp --dport 53 --sport 1025:65535 -j ACCEPT
/sbin/iptables -A OUTPUT -p udp --dport 53 --sport 1025:65535 -j ACCEPT

Or just:

/sbin/iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
/sbin/iptables -A OUTPUT -p udp --dport 53 -j ACCEPT

As a common rule with stateless firewalls, YOU might wanna accept 2 more ICMP types:

/sbin/iptables -A OUTPUT -p icmp --icmp-type 3 -j ACCEPT
/sbin/iptables -A OUTPUT -p icmp --icmp-type 11 -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT

Type 3 is used for all types of "unreachable" messages, and type 11 is "time exceeded", most commonly used for traceroute replies, but it is also sent for packets that travel "too far" :)

Best regards
André Paulsberg
Senior Network Engineer
Core Network Operation,
Network, Nordic Operations
andre.paulsberg@xxxxxxxx
M +47 xxx yyyyy
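
Added example, not part of the original message: a small first-match model of the INPUT rules suggested above, run over constructed packets to show what a stateless rule set accepts. It assumes an INPUT policy of DROP and that the broad --dport 1000:65535 rule has been removed; Rule, Packet, verdict and the sample packets are hypothetical names and data made up for this illustration.

```python
from collections import namedtuple

# Match fields left as None mean "any". Ports may be an int or a range.
Rule = namedtuple("Rule", "proto icmp_type sport dport", defaults=(None, None, None))
Packet = namedtuple("Packet", "proto icmp_type sport dport", defaults=(None, None, None))

HIGH_PORTS = range(1025, 65536)  # the post's 1025:65535

# INPUT chain from the post (assumption: the --dport 1000:65535 rule is gone).
INPUT_RULES = [
    Rule("icmp", icmp_type=0),    # echo reply
    Rule("icmp", icmp_type=3),    # destination unreachable
    Rule("icmp", icmp_type=11),   # time exceeded
    Rule("tcp", sport=80, dport=HIGH_PORTS),
    Rule("tcp", sport=53, dport=HIGH_PORTS),
    Rule("udp", sport=53, dport=HIGH_PORTS),
]

def _field_ok(want, got):
    """Compare one rule field against the packet; None in the rule matches anything."""
    if want is None:
        return True
    if isinstance(want, range):
        return got is not None and got in want
    return want == got

def verdict(pkt, rules=INPUT_RULES, policy="DROP"):
    """First matching rule accepts; otherwise the chain policy (assumed DROP) applies."""
    for r in rules:
        if r.proto == pkt.proto and all(
            _field_ok(getattr(r, f), getattr(pkt, f))
            for f in ("icmp_type", "sport", "dport")
        ):
            return "ACCEPT"
    return policy

# Constructed sample packets arriving on INPUT.
SAMPLES = {
    "echo reply to our ping": Packet("icmp", icmp_type=0),
    "echo request from outside": Packet("icmp", icmp_type=8),
    "traceroute time exceeded": Packet("icmp", icmp_type=11),
    # Stateless: matched on ports only, whether or not this host opened the connection.
    "tcp from port 80 to a high port": Packet("tcp", sport=80, dport=40000),
    "tcp between two high ports": Packet("tcp", sport=40000, dport=40001),
    "dns reply over udp": Packet("udp", sport=53, dport=33000),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{verdict(pkt):6}  {name}")
```

Because the match is on header fields alone, it is worth checking that no local service listens in 1025:65535 before relying on the source-port rules.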