stylish (n00b)
Joined: 22 Oct 2008 Posts: 21 Location: British Columbia Canada
Posted: Sat Nov 01, 2008 5:55 am Post subject: Basic iptables firewall.
#!/bin/bash
savefirewall() {
/etc/init.d/iptables save
}
addfirewallservice() {
rc-update add iptables default
}
firewalladd() {
iptables -P INPUT DROP
iptables -A INPUT -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --sport 53 -j ACCEPT
iptables -A INPUT -p udp --sport 53 -j ACCEPT
}
echo "Installing firewall"
firewalladd
savefirewall
addfirewallservice
VinzC (Watchman)
Joined: 17 Apr 2004 Posts: 5098 Location: Dark side of the mood
Posted: Sat Nov 01, 2008 3:51 pm
I'd call it the «poor-man's-firewall» ...
Hu (Moderator)
Joined: 06 Mar 2007 Posts: 21631
Posted: Sat Nov 01, 2008 10:29 pm
Are you seeking advice or sharing this for the good of others? I see three different common mistakes, so I would not recommend anyone use this.
First, you have the standard mistake about loopback address versus loopback interface. I correct people on this one regularly.
Second, you allow any incoming TCP connection based solely on a source port of 53. You probably meant this to enable DNS zone transfers, but it creates a gaping hole for malicious traffic to enter over TCP. You should remove this rule entirely.
Third, you allow any incoming UDP traffic based solely on a source port of 53. This was probably meant to permit normal DNS traffic, but it creates a gaping hole for malicious traffic to enter over UDP. You should remove it and instead allow connection tracking to handle UDP so that DNS is covered via connection tracking.
stylish (n00b)
Joined: 22 Oct 2008 Posts: 21 Location: British Columbia Canada
Posted: Sun Nov 02, 2008 12:46 am Post subject: The nameserver option.
You can use the address of the nameserver in iptables. I did not include that option just to make the firewall more compact. But yes, it is better to use the address of the 53 nameserver protocol.
Hu (Moderator)
Joined: 06 Mar 2007 Posts: 21631
Posted: Sun Nov 02, 2008 5:36 pm Post subject: Re: The nameserver option.
stylish wrote: "You can use the address of the nameserver in iptables. I did not include that option just to make the firewall more compact. But yes, it is better to use the address of the 53 nameserver protocol."
Restricting the traffic based on predetermined nameserver addresses cripples dig, and may also cause problems if you use a server that refuses to perform recursive resolution. I was not recommending to restrict traffic based on nameserver addresses, but rather to use conntrack to let the kernel handle it for you.
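As an added example, not code from any post in this thread: the ruleset that Hu's two replies describe (loopback by interface rather than address, no source-port-53 rules, connection tracking for every protocol so DNS replies over UDP and TCP are admitted by state), written in iptables-restore format so it can be generated and inspected without root, plus a small audit that flags the three mistakes in an iptables-save dump. The posted_rules dump is constructed here to mirror what the original script would leave in the kernel; the FORWARD DROP policy, the INVALID drop, and the function names (corrected_rules, posted_rules, audit_rules, posted_findings, corrected_findings, apply_corrected) are this example's own choices.

```shell
#!/bin/bash
# Added example, not code from the thread. Generates the corrected ruleset
# in iptables-restore format and audits an iptables-save dump for the three
# mistakes Hu describes. Runs without root; only apply_corrected() touches
# the kernel.
set -u

# Corrected ruleset. Changes from the posted script:
#  - loopback matched by interface (-i lo), not by address 127.0.0.1
#  - no "--sport 53" rules: DNS replies (TCP and UDP) come back through
#    connection tracking, whatever nameserver the query went to
#  - the conntrack rule is not limited to "-p tcp", so UDP is tracked too
# FORWARD DROP and the INVALID drop are this example's additions.
corrected_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
COMMIT
EOF
}

# Constructed sample of what `iptables-save` prints after the posted script
# has run; used only as audit input.
posted_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 127.0.0.1/32 -j ACCEPT
-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 53 -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
COMMIT
EOF
}

# audit_rules: read an iptables-save dump on stdin, print one line per
# offending INPUT rule, return the number of findings (0 = clean).
audit_rules() {
    findings=0
    while IFS= read -r line; do
        case "$line" in "-A INPUT"*) ;; *) continue ;; esac
        case "$line" in
            *"-s 127.0.0.1"*"-j ACCEPT"*)
                echo "loopback matched by address; use -i lo: $line"
                findings=$((findings + 1)) ;;
        esac
        case "$line" in
            *"--sport 53 "*"-j ACCEPT"*)
                echo "accepts anything with source port 53; remove: $line"
                findings=$((findings + 1)) ;;
        esac
        case "$line" in
            *"-p tcp"*"--state "*ESTABLISHED*|*"-p tcp"*"--ctstate "*ESTABLISHED*)
                echo "conntrack rule limited to TCP; drop -p tcp so UDP is tracked: $line"
                findings=$((findings + 1)) ;;
        esac
    done
    return "$findings"
}

# Wrappers that print the finding count for each ruleset (safe under set -e).
posted_findings()    { n=0; posted_rules    | audit_rules >/dev/null || n=$?; echo "$n"; }
corrected_findings() { n=0; corrected_rules | audit_rules >/dev/null || n=$?; echo "$n"; }

# apply_corrected: load the corrected ruleset into the kernel (needs root).
apply_corrected() {
    corrected_rules | iptables-restore
}

# Stand-alone run: `./firewall.sh audit` reports on both rulesets.
if [ "${1:-}" = "audit" ]; then
    posted_rules | audit_rules || echo "posted script: $? finding(s)"
    corrected_rules | audit_rules && echo "corrected ruleset: clean"
fi
```

The audit reports four offending rules for the posted script (the loopback address rule, the two source-port-53 rules, and the TCP-only state rule) and none for the corrected set. Because the outbound query creates the conntrack entry, the reply from any resolver, including ones dig is pointed at directly, is accepted as ESTABLISHED without listing nameserver addresses; the older `-m state --state` form behaves the same for these states, the problem in the posted script is the `-p tcp` restriction on it, not the match module.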