Tobias DiPasquale on 17 Jan 2005 21:16:42 -0000



Re: [PLUG] iptables



On Jan 17, 2005, at 3:42 PM, Jeff Abrahamson wrote:
> I'm setting up IP tables on my lab's machines at work.  (Something
> exists, but we don't like what's there by default.)
>
> I'm curious what others think of this script (attached).  Do you
> believe the comments and the code make the same statements?
>
> I want to say for one machine that outgoing packets are allowed only
> if they are part of an ssh or http connection that an external party
> is trying to establish or has established.  But I don't see how this
> is done.
>
> I'm also rather unclear on how to say, "Accept packets on connections
> that are already established or where we've begun a handshake,
> regardless of port."
>
> Anyone see any rules I ought to have that I don't?
>
> Thanks much for any help or suggestions.

First thing: s/iptable/iptables/g

	Most of the calls to iptables in this script are misspelled.

Second thing: s/DENY/DROP/g

	There is no DENY policy, only ACCEPT, DROP, QUEUE and RETURN.

Thirdly, you can use the state match to trip on related or established connections. "RELATED" means that one of the stateful packet filtering extensions in netfilter (the in-kernel packet filtering engine that iptables drives) has deemed that a connection is logically related to an existing one (e.g. the command and data connections of an FTP session). ESTABLISHED means connections that are established as far as ip_conntrack is concerned; for TCP, this is a connection that has completed the three-way handshake successfully.

Something like:

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

is very common as the first rule in a firewall configuration.

Fourth, iptables doesn't have a -l option. -L, which it does have, doesn't do what you would want where you have the -l specified.

Finally, as far as blocking outgoing traffic except for x, y and z, this will work:

iptables -P OUTPUT DROP
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT

That will drop all outgoing traffic except SSH or HTTP sessions and connections that are already open or logically related to those that are already open (which in the case of HTTP is none).

My suggestion would be to check out:

http://iptables-tutorial.frozentux.net/

Best iptables tutorial out there. HTH :)

--
Tobias DiPasquale
7A79 308C 0354 EA9C 7807  ED83 03C9 9E01 148E 7D01
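Putting the reply's OUTPUT rules together with a matching INPUT chain, as an added example that is not part of the thread: outside hosts may open new SSH and HTTP connections, every reply in either direction is covered by the RELATED,ESTABLISHED rule placed first in each chain, outbound SSH and HTTP are allowed as in the reply, and anything else arriving is logged and dropped. IPTABLES, DRY_RUN and the fw_* function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): stateful rules for a lab host serving
# SSH and HTTP. IPTABLES, DRY_RUN and the fw_* names are this example's own
# assumptions. "sh fw.sh apply" loads the rules; DRY_RUN=1 prints them instead.
# Load order matters: flush, append ACCEPT rules, set DROP policies last so a
# remote session is never cut off halfway through loading.
fw_rules() {
    cat <<'EOF'
-F
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -j LOG --log-prefix fw-drop:
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
EOF
}
# Check that in each chain the RELATED,ESTABLISHED rule is the first -A rule
# after loopback, so open connections never fall through to the per-port
# rules. Prints "ok", or the offending chain with exit status 1.
fw_check_order() {
    for chain in INPUT OUTPUT; do
        first=$(fw_rules | grep "^-A $chain " | grep -v ' -[io] lo ' | head -n 1)
        case $first in
            *RELATED,ESTABLISHED*) ;;
            *) echo "$chain"; return 1 ;;
        esac
    done
    echo ok
}
# Run each rule through iptables, or print the command when DRY_RUN is set.
fw_apply() {
    ipt=${IPTABLES:-iptables}
    fw_rules | while IFS= read -r rule; do
        if [ -n "${DRY_RUN:-}" ]; then
            printf '%s %s\n' "$ipt" "$rule"
        else
            "$ipt" $rule || exit 1   # splitting $rule into words is intended
        fi
    done
}
case ${1:-} in apply) fw_check_order >/dev/null && fw_apply ;; esac
```

Loading must be done as root; review the DRY_RUN output first, and from a remote session keep a second console open in case a rule is wrong.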

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug