Martin DiViaio on Tue, 24 Dec 2002 17:50:30 -0500



Re: [PLUG] my first fw rules


You may want to try:

$IPTABLES -A INPUT -i $WAN_DEVICE -p icmp -m icmp --icmp-type 0 -m limit --limit 1/sec -j ACCEPT
$IPTABLES -A INPUT -i $WAN_DEVICE -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
$IPTABLES -A INPUT -i $WAN_DEVICE -p icmp -m icmp --icmp-type 4 -m limit --limit 2/sec -j ACCEPT

in your ICMP section.

You will also need to specifically allow ICMP type 5 from your default 
gateway if you have any other routers on your network that route any other
network segments. (Does that make sense?)

Lastly, you may want to consider splitting up some or all of your rules 
into their own table(s)/chain(s) and just have one rule in the INPUT table 
to send packets to the other table. This can allow easier control of 
various sections of the table by simply deleting/adding a single rule from 
the INPUT table while still keeping the ruleset in place for examination. 
This will change your processing overhead. In some cases it can add 
overhead, in others it can conserve it. YMMV.


On the 24th day of December in the year 2002 you wrote:

> Date: Tue, 24 Dec 2002 14:07:38 -0500 (EST)
> From: epike@isinet.com
> To: plug@lists.phillylinux.org
> X-Spam-Status: No, hits=0.6 required=5.0 tests=NO_REAL_NAME version=2.20
> Subject: [PLUG] my first fw rules
> 
> Hi list..
> 
> I've finally been able to write my own firewall rules. I'd appreciate
> it if somebody could comment or give general suggestions, thanks!
> (This is my first try.)
> 
> I'm getting the hang of it and it seems to work; though if I'm 
> missing something let me know, much appreciated.
> 
> (The server is behind a Linksys router, so it's on
> the 192.168.1 network, configured as the DMZ host.)
> 
> e pike 
> 
> ---------
> 
> #! /bin/sh
> ###################################################################
> # SIMPLE FW RULES, 1-ETHERNET, NO FORWARDING, NO MASQ, SERVICES ONLY
> #
> # OBJECTIVES: 1. Allow standard services (ftp, telnet, web, squid, etc)
> #             2. Log everything else that's not allowed, then drop them
> #
> # JondZ Mon Dec 23 16:12:14 EST 2002
> ####################################################################
> 
> VERSION="JondZ 12/2002"
> WAN_DEVICE=eth0
> # broadcast address only; with a /24 suffix iptables would match the whole subnet
> WAN_DEVICE_BROADCAST=192.168.1.255
> TCP_OPENPORTS=20,21,22,23,25,53,80,110,137,138,139,3128
> UDP_OPENPORTS=53,137,138,139
> 
> IPTABLES=/sbin/iptables
> 
> echo "$0 ($VERSION): Starting custom firewall..."
> 
> ###########################################################
> # INITIALIZE CHAINS
> ###########################################################
> echo "$0: initializing chains..."
> $IPTABLES -F INPUT
> $IPTABLES -F OUTPUT
> $IPTABLES -F FORWARD
> $IPTABLES -X 
> $IPTABLES -Z 
> 
> #############################################
> # IMPLEMENT DEFAULT DRACONIAN POLICIES
> #############################################
> echo "$0: applying default policies..."
> $IPTABLES -P INPUT    DROP
> $IPTABLES -P OUTPUT   ACCEPT
> $IPTABLES -P FORWARD  DROP
> 
> #############################################
> # lo CONNECTIONS
> #############################################
> echo "$0: Accepting lo connections..."
> $IPTABLES -A INPUT  -i lo -j ACCEPT
> 
> #############################################
> # LOG FORWARDING ATTEMPTS
> #############################################
> $IPTABLES -A FORWARD -j LOG --log-prefix "FWD_DETECTED "
> 
> 
> #############################################
> # DROP BROADCAST PACKETS
> #############################################
> # echo "$0: accepting broadcast packets.."
> # $IPTABLES -A INPUT -i $WAN_DEVICE -d $WAN_DEVICE_BROADCAST -j ACCEPT
> 
> #############################################
> # INCOMING TCP CONNECTIONS for WAN_DEVICE
> #############################################
> echo "$0: Allowing TCP Services..."
> $IPTABLES -A INPUT -i $WAN_DEVICE -p tcp \
>           -m state --state INVALID -j DROP
> $IPTABLES -A INPUT -i $WAN_DEVICE -p tcp \
>           -m state --state ESTABLISHED,RELATED -j ACCEPT
> # multiport's option is --destination-ports (plural); --dports is the short form
> $IPTABLES -A INPUT -i $WAN_DEVICE -p tcp \
>           -m state --state NEW -m multiport \
>           --destination-ports $TCP_OPENPORTS -j ACCEPT
> $IPTABLES -A INPUT -i $WAN_DEVICE -p tcp \
>           -m limit --limit 3/s -j LOG --log-prefix "TCP_IN "
> 
> #################################################
> # INCOMING UDP CONNECTIONS for WAN_DEVICE
> #################################################
> echo "$0: Allowing UDP Services..."
> $IPTABLES -A INPUT -i $WAN_DEVICE -p udp \
>           -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A INPUT -i $WAN_DEVICE -p udp \
>           -m state --state NEW -m multiport \
>           --destination-ports $UDP_OPENPORTS -j ACCEPT
> $IPTABLES -A INPUT -i $WAN_DEVICE -p udp \
>           -m limit --limit 3/s -j LOG --log-prefix "UDP_IN "
> 
> #############################################
> # INCOMING ICMP CONNECTIONS
> #############################################
> echo "$0: allowing some ICMP Connections..."
> 
> #################################################################
> # ICMP TYPES (incomplete)
> # --------------------------
> # (ideas gathered from fw script of vogt@hansenet.com)
> #
> # 0  - echo reply
> # 8  - echo
> # 3  - Destination Unreachable
> # 11 - Time Exceeded
> # 30 - Traceroute
> #
> # Ping - ICMP types 0,8
> # destination unreachable - 3
> # traceroute - 11,30
> ####################################################################
> $IPTABLES -A INPUT -i $WAN_DEVICE -p icmp --icmp-type  0 -j ACCEPT
> $IPTABLES -A INPUT -i $WAN_DEVICE -p icmp --icmp-type  8 -j ACCEPT
> $IPTABLES -A INPUT -i $WAN_DEVICE -p icmp --icmp-type  3 -j ACCEPT
> $IPTABLES -A INPUT -i $WAN_DEVICE -p icmp --icmp-type 11 -j ACCEPT
> $IPTABLES -A INPUT -i $WAN_DEVICE -p icmp --icmp-type 30 -j ACCEPT
> _________________________________________________________________________
> Philadelphia Linux Users Group        --       http://www.phillylinux.org
> Announcements - http://lists.netisland.net/mailman/listinfo/plug-announce
> General Discussion  --   http://lists.netisland.net/mailman/listinfo/plug
> 

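The three suggestions in the reply above (rate-limited ICMP echo, ICMP redirects only from the default gateway, and moving a section of the ruleset into its own chain reached by a single INPUT rule) put together as one script. This is an added example, not code from either post. It assumes a gateway address of 192.168.1.1 and a chain name of ICMP_IN; both are placeholders. It leaves out type 4 (source quench), which modern stacks ignore, and adds the LOG-then-DROP tail the original script already uses for TCP and UDP. Setting IPTABLES=echo prints the rules instead of loading them, so the layout can be checked without root.

```shell
#!/bin/sh
# Added example (not from the original thread): ICMP handling in its own
# user-defined chain, echo/echo-reply rate-limited, redirects (type 5)
# accepted only from the default gateway.
#
# Assumptions: gateway 192.168.1.1 and chain name ICMP_IN are placeholders.
# IPTABLES=echo previews the rules without touching the running firewall.

IPTABLES="${IPTABLES:-/sbin/iptables}"
WAN_DEVICE="${WAN_DEVICE:-eth0}"
GATEWAY="${GATEWAY:-192.168.1.1}"      # assumed LAN address of the router

# Build the ICMP chain named $1. Anything reaching the end of the chain is
# logged (rate-limited) and dropped, so the chain is self-contained.
icmp_chain_rules() {
    chain="$1"
    $IPTABLES -N "$chain" 2>/dev/null     # ignore "chain already exists"
    $IPTABLES -F "$chain"
    # echo reply / echo request: one per second is plenty for diagnostics
    $IPTABLES -A "$chain" -p icmp --icmp-type 0 -m limit --limit 1/sec -j ACCEPT
    $IPTABLES -A "$chain" -p icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
    # destination unreachable and time exceeded are needed for PMTU discovery
    # and traceroute; they are not rate-limited here
    $IPTABLES -A "$chain" -p icmp --icmp-type 3 -j ACCEPT
    $IPTABLES -A "$chain" -p icmp --icmp-type 11 -j ACCEPT
    # redirects only from the default gateway; from any other source they
    # would rewrite the routing table, so they fall through to log/drop
    $IPTABLES -A "$chain" -p icmp --icmp-type 5 -s "$GATEWAY" -j ACCEPT
    $IPTABLES -A "$chain" -p icmp -m limit --limit 3/s -j LOG --log-prefix "ICMP_IN "
    $IPTABLES -A "$chain" -j DROP
}

# One hook rule in INPUT hands WAN-side ICMP to the chain. Deleting only
# that rule (iptables -D INPUT -i eth0 -p icmp -j ICMP_IN) switches the
# section off while the chain stays loaded for iptables -L ICMP_IN.
install_icmp_chain() {
    icmp_chain_rules ICMP_IN
    $IPTABLES -A INPUT -i "$WAN_DEVICE" -p icmp -j ICMP_IN
}

# Print the rules instead of loading them; runs as an ordinary user.
preview_rules() {
    ( IPTABLES=echo; install_icmp_chain )
}

# Number of -A rules in chain $1 according to the preview.
chain_rule_count() {
    preview_rules | grep -c -- "^-A $1 "
}

case "${1:-}" in
    install) install_icmp_chain ;;
    preview) preview_rules ;;
esac
```

Run it as `sh icmp-chain.sh preview` to see the rule list, or `sh icmp-chain.sh install` as root to load it. The hook rule is appended to INPUT, so in the original script it belongs where the five ICMP ACCEPT rules were; the type 5 rule only matters if the kernel has accept_redirects enabled, otherwise redirects are dropped by the stack before the firewall decision is relevant.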