Re: iptables problem

Quoting Lord of Gore <lordofgore@xxxxxxxxxxxxxx>:

[ deleted some good advice ]

Actually, if you look into his rules, he was configuring the system that allows outgoing connections to a limited set of services, and accepting incoming connections only on port 25 (SMTP). The system also seems to be a DHCP client. Or at least that was the way he attempted to construct his firewall rules. Unless he got everything totally messed up.

Something like this. Again, not a tutorial, just an example that could be closed down a bit more than it is now.

# define filter table and set default policy to DROP in all chains
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

# some generic stuff, no need to go wild with RELATED
-A INPUT -m state --state ESTABLISHED -j ACCEPT
# this could be closed down a bit to allow only unreachable and ttl exceeded
-A INPUT -p icmp -m state --state RELATED -j ACCEPT

# smtp service running on this host
-A INPUT -p tcp --dport 25 --syn -m state --state NEW -j ACCEPT

# accept DHCP replies, assuming IP address of DHCP server is known
# and we always get address on fixed network.  replace dhcp-server
# and local-network with appropriate IP addresses
-A INPUT -p udp --sport 67 --dport 68 -s dhcp-server-ip -d local-network -j ACCEPT

# log
-A INPUT -j LOG --log-prefix="INPUT "

# unless this host is router, no rules in FORWARD chain
# other than logging
-A FORWARD -j LOG --log-prefix="FORWARD "

# again some generic stuff
-A OUTPUT -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p icmp -m state --state RELATED -j ACCEPT

# allow this host to access these services, and nothing else
-A OUTPUT -p tcp --dport 80 --syn -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp --dport 443 --syn -m state --state NEW -j ACCEPT
-A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp --dport 53 --syn -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp --dport 25 --syn -m state --state NEW -j ACCEPT

# Allow this system to request and renew its IP address, this
# could be closed down a bit more, but not much gain in doing it
-A OUTPUT -p udp --sport 68 --dport 67 -j ACCEPT

# log the rest
-A OUTPUT -j LOG --log-prefix="OUTPUT "

# iptables-restore only applies the table once it reads COMMIT
COMMIT



--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
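Since every packet that reaches one of the LOG rules above is about to hit the DROP policy, the kernel log is the place to see what the firewall is actually rejecting before tightening it further. The following is an added example, not part of the post: it parses syslog lines written by the LOG target with the "INPUT ", "OUTPUT " and "FORWARD " prefixes used in the ruleset and counts them per chain, protocol and destination port. The sample log lines are constructed, with RFC 5737 addresses and a hypothetical host name.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the format the LOG target emits; the "INPUT ",
# "OUTPUT " and "FORWARD " prefixes are the ones set by the ruleset in the post.
# The last line is an unrelated sshd message that the parser must skip.
SAMPLE_LOG = """\
Mar  3 10:01:02 mx kernel: INPUT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.25 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4711 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:01:03 mx kernel: INPUT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.25 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4712 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:01:05 mx kernel: [ 8123.441] OUTPUT IN= OUT=eth0 SRC=192.0.2.25 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=99 DF PROTO=TCP SPT=40000 DPT=21 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:01:09 mx kernel: INPUT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.8 DST=192.0.2.25 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=1 PROTO=UDP SPT=1024 DPT=161 LEN=24
Mar  3 10:01:10 mx sshd[123]: Accepted publickey for admin from 192.0.2.30 port 50000 ssh2
"""

# "kernel:" optionally followed by a printk timestamp, then the chain prefix from the LOG rule.
LOG_RE = re.compile(r"kernel: (?:\[\s*[\d.]+\]\s*)?(?P<chain>INPUT|OUTPUT|FORWARD) (?P<fields>.*)$")


def parse_iptables_log(line):
    """Parse one LOG-target line into a dict; return None for unrelated syslog lines."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = {"chain": m.group("chain"), "flags": []}
    for token in m.group("fields").split():
        key, sep, value = token.partition("=")
        if sep:
            # keep the first LEN= (IP total length); the UDP header repeats LEN= later
            rec.setdefault(key, value)
        else:
            rec["flags"].append(token)  # bare tokens such as DF, SYN, ACK
    return rec


def summarize_drops(text):
    """Count logged packets per (chain, protocol, destination port); with the
    ruleset above these are exactly the packets the DROP policy discards."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_iptables_log(line)
        if rec is not None:
            counts[(rec["chain"], rec.get("PROTO"), rec.get("DPT"))] += 1
    return counts


if __name__ == "__main__":
    for (chain, proto, dport), n in sorted(summarize_drops(SAMPLE_LOG).items()):
        print(f"{chain:8s} {proto or '-':5s} dport={dport or '-':6s} {n}")
```

On a real host, feed it the output of `grep kernel: /var/log/messages` (or the journal) instead of SAMPLE_LOG; a high count for a chain/port pair tells you whether a rule is missing or the traffic is unwanted.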
