Tobias DiPasquale on 17 Jan 2005 21:16:42 -0000
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Jan 17, 2005, at 3:42 PM, Jeff Abrahamson wrote:
> I'm setting up IP tables on my lab's machines at work. (Something exists, but we don't like what's there by default.)

Most of the calls to iptables in this script are misspelled.

Second thing: s/DENY/DROP/g
There is no DENY policy, only ACCEPT, DROP, QUEUE and RETURN.

Thirdly, you can use the state match to trip on related or established connections. "RELATED" means that one of the stateful packet filtering extensions in netfilter (the in-kernel packet filtering engine that iptables drives) has deemed that a connection is logically related to an existing one (e.g. the command and data connections of an FTP session). ESTABLISHED means connections that are established as far as ip_conntrack is concerned; for TCP, this is a connection that has completed the three-way handshake successfully. Something like:

    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

is very common as the first rule in a firewall configuration.

Fourth, iptables doesn't have a -l option. -L, which it does have, doesn't do what you would want where you have the -l specified.

Finally, as far as blocking outgoing traffic except for x, y and z, this will work:

    iptables -P OUTPUT DROP
    iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT
    iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT

That will drop all outgoing traffic except SSH or HTTP sessions and connections that are already open or logically related to those that are already open (which in the case of HTTP is none).

My suggestion would be to check out:

    http://iptables-tutorial.frozentux.net/

Best iptables tutorial out there.

HTH :)

- --
Tobias DiPasquale
7A79 308C 0354 EA9C 7807 ED83 03C9 9E01 148E 7D01

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (Darwin)

iD8DBQFB7CsZA8meARSOfQERAssYAJ9OUEGGywfJmuQ8emBRej4sVwv3wACfVyej
TPFry4/HppUpl9T3MzkpatE=
=KOgR
-----END PGP SIGNATURE-----

___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
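The rules the reply sketches, assembled into one complete script (an added example, not code from Tobias's message or from the list): default-DROP policies on all three chains, the RELATED,ESTABLISHED rule placed first on INPUT and OUTPUT, and outbound new connections limited to a port list. The port list (22 and 80, matching the reply), the loopback rules, the INVALID drop and the rate-limited LOG rule are this example's own assumptions; the `IPT` variable exists so the script can be dry-run against a stub instead of the real binary.

```shell
#!/bin/sh
# Added example of a stateful iptables policy in the shape the reply
# describes. Not from the original post. Assumes one host whose new
# outbound TCP connections are allowed only to the ports listed below.

IPT=${IPT:-iptables}                 # set IPT to a stub (e.g. IPT=echo) to dry-run
OUT_TCP_PORTS=${OUT_TCP_PORTS:-"22 80"}   # assumption: SSH and HTTP, as in the reply

apply_firewall() {
    # Start from a clean filter table; the default policy is DROP, not DENY
    # (DENY is not a valid target).
    "$IPT" -F
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -P OUTPUT DROP

    # Stateful rule first: anything ip_conntrack already knows about
    # (established, or related such as FTP data channels) is accepted.
    "$IPT" -A INPUT  -m state --state RELATED,ESTABLISHED -j ACCEPT
    "$IPT" -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    # Packets that fit no tracked connection (e.g. a stray ACK) are dropped
    # explicitly so they never reach the per-port rules.
    "$IPT" -A INPUT -m state --state INVALID -j DROP

    # Local processes talking to each other over loopback.
    "$IPT" -A INPUT  -i lo -j ACCEPT
    "$IPT" -A OUTPUT -o lo -j ACCEPT

    # New outbound TCP connections only to the whitelisted ports; the
    # replies come back through the RELATED,ESTABLISHED rule above.
    for port in $OUT_TCP_PORTS; do
        "$IPT" -A OUTPUT -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done

    # Everything else on OUTPUT falls through to the DROP policy; log a
    # rate-limited sample first so blocked programs can be identified.
    "$IPT" -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUTPUT DROP: "
}

# Only touch the kernel when explicitly asked, so the file can also be
# sourced or dry-run.
if [ "${APPLY_FIREWALL:-0}" = 1 ]; then
    apply_firewall
fi
```

Run it as `APPLY_FIREWALL=1 sh firewall.sh` as root to apply, or `IPT=echo sh firewall.sh` after setting `APPLY_FIREWALL=1` to print the commands without changing anything. Because OUTPUT defaults to DROP, name resolution will also fail until a rule for DNS (UDP and TCP port 53) is added to the whitelist, which is usually the first thing noticed after a policy like this goes live.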