#1 2010-09-02 20:21:37

kYd
Member
Registered: 2009-01-20
Posts: 78

IPtables with knockd

I'm deploying my personal fileserver/seedbox in a few days; I've done extensive research this week regarding security but I'm having a bit of a hard time with iptables, which is my final hurdle.
The only connections to and from this machine shall be SSH and bittorrent, and I want to block everything else, including web traffic.

One of the security layers in place is port knocking with knockd (I understand this is merely obscurity rather than security), and I have the following iptables rules executed when I knock on the server. I believe this is what I need to accomplish this; however, I would appreciate it if someone could confirm they are right, and in the right order:

# Ports will be changed
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -I INPUT -s %IP% -p tcp --dport 22 -i eth0 -j ACCEPT
iptables -A INPUT -p tcp --dport 6999 -i eth0 -j ACCEPT
iptables -A INPUT -p udp --dport 6999 -i eth0 -j ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

Would I need to add a rule to the OUTPUT chain to allow outgoing bittorrent connections, or would this be covered by the INPUT chain as I've allowed it?
Thanks.

Last edited by kYd (2010-09-02 20:26:03)


#2 2010-09-03 13:44:46

Noble
Member
Registered: 2010-06-01
Posts: 63

Re: IPtables with knockd

As far as I can see that ruleset will not allow *any* outgoing traffic. I've researched filtering outgoing traffic, and a lot of people told me it was a bad idea because outgoing ports might be random. The solution in my case was to allow only ESTABLISHED and RELATED traffic. In other words, the connection must be initiated from the computer, or have been allowed in through the INPUT filter (for instance from port 6999 in your case).

The ruleset will then be as follows:

iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 6999 -i eth0 -j ACCEPT
iptables -A INPUT -p udp --dport 6999 -i eth0 -j ACCEPT

It's not perfectly tinfoil-hat-safe, but it does the trick. You still cannot control it if somebody breaks your SSHD and sends commands out, but that's not the firewall's fault.


Those who give up their liberty for security,
neither deserve liberty nor freedom,
and they will lose both.
- Benjamin Franklin


#3 2010-09-03 14:14:15

R00KIE
Forum Fellow
From: Between a computer and a chair
Registered: 2008-09-14
Posts: 4,734

Re: IPtables with knockd

You can filter outgoing traffic based on destination port for common services like DNS, SSH, HTTP(S), FTP and so on, but for torrents both the destination and source ports are random, so I guess that's not easily feasible. I guess that torrents and strict security rules in iptables do not go hand in hand (at least as far as outbound rules are concerned).


R00KIE
Tm90aGluZyB0byBzZWUgaGVyZSwgbW92ZSBhbG9uZy4K

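As an added example that is not from this thread, the following script ties the stateful INPUT ruleset from Noble's reply to the knockd-driven SSH rule kYd described, and leaves OUTPUT open for the reason R00KIE gives (torrent peers use random source and destination ports). The torrent port 6999, interface eth0, SSH port 22 and the knock sequences are assumptions; IPTABLES=echo dry-runs it so the generated commands can be reviewed before applying.

```shell
#!/bin/sh
# Added example (not from the thread): base firewall for the seedbox, with the SSH
# rule left to knockd. Assumed values: torrent port 6999 on eth0, SSH on port 22.
# IPTABLES can be overridden (IPTABLES=echo) to dry-run and review the commands.
IPTABLES="${IPTABLES:-iptables}"
IFACE="${IFACE:-eth0}"
TORRENT_PORT="${TORRENT_PORT:-6999}"

apply_base_rules() {
    # Flush so the script can be re-run without duplicating rules.
    "$IPTABLES" -F INPUT
    "$IPTABLES" -F FORWARD
    # Policies: drop unsolicited inbound and all forwarding; outbound stays open
    # because torrent peers use random source and destination ports.
    "$IPTABLES" -P INPUT DROP
    "$IPTABLES" -P FORWARD DROP
    "$IPTABLES" -P OUTPUT ACCEPT
    "$IPTABLES" -A INPUT -i lo -j ACCEPT
    # Replies to connections this host opened (trackers, peers it contacted) and
    # packets of connections already accepted below. This is also why an SSH
    # session survives after knockd deletes its per-source rule.
    "$IPTABLES" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Packets conntrack cannot attribute to any connection (bad flags, stale segments).
    "$IPTABLES" -A INPUT -m conntrack --ctstate INVALID -j DROP
    # Inbound peer connections to the torrent client.
    "$IPTABLES" -A INPUT -i "$IFACE" -p tcp --dport "$TORRENT_PORT" -j ACCEPT
    "$IPTABLES" -A INPUT -i "$IFACE" -p udp --dport "$TORRENT_PORT" -j ACCEPT
    # SSH is not opened here: knockd inserts (-I) and later deletes (-D) a per-source rule.
}

# Matching knockd.conf stanzas (constructed; %IP% is knockd's own placeholder).
knockd_stanza() {
    cat <<EOF
[openSSH]
    sequence    = 7000,8000,9000
    seq_timeout = 5
    command     = /sbin/iptables -I INPUT -s %IP% -i $IFACE -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn
[closeSSH]
    sequence    = 9000,8000,7000
    seq_timeout = 5
    command     = /sbin/iptables -D INPUT -s %IP% -i $IFACE -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn
EOF
}
case "${1:-}" in
    apply)  apply_base_rules ;;
    knockd) knockd_stanza ;;
esac
```

Run it as `sh firewall.sh apply` on the server (as root) and `sh firewall.sh knockd` to print the stanzas to paste into knockd.conf; the closeSSH rule only stops new connections, since the existing session keeps matching ESTABLISHED.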

#4 2010-09-03 17:13:00

kYd
Member
Registered: 2009-01-20
Posts: 78

Re: IPtables with knockd

Thanks for the replies, I appreciate it.
I'm going to set up a test seedbox server with the iptables given, before deploying, to see if I can correctly seed within my LAN.


Powered by FluxBB