
#1 2006-12-28 16:39:12

hussam
Member
Registered: 2006-03-26
Posts: 572

Need help with iptables rules

I have two network interfaces. ppp0 and eth0
ppp0 is the one connected to the internet.
I just installed squid which uses eth0 to serve as a proxy server to the computers on the local network.
ppp0 uses a dynamic address 172.16.108.xxx
eth0 uses a static address 10.0.116.1
Currently, the following iptables rules are set:

# Generated by iptables-save v1.3.7 on Thu Dec 28 21:14:34 2006
*nat
:PREROUTING ACCEPT [720:51236]
:POSTROUTING ACCEPT [96:5772]
:OUTPUT ACCEPT [96:5772]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 3128 -j DNAT --to-destination 10.0.116.1
COMMIT
# Completed on Thu Dec 28 21:14:34 2006
# Generated by iptables-save v1.3.7 on Thu Dec 28 21:14:34 2006
*mangle
:PREROUTING ACCEPT [1730:555857]
:INPUT ACCEPT [1018:505335]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1087:318352]
:POSTROUTING ACCEPT [1087:318352]
COMMIT
# Completed on Thu Dec 28 21:14:34 2006
# Generated by iptables-save v1.3.7 on Thu Dec 28 21:14:34 2006
*raw
:PREROUTING ACCEPT [1730:555857]
:OUTPUT ACCEPT [1087:318352]
COMMIT
# Completed on Thu Dec 28 21:14:34 2006
# Generated by iptables-save v1.3.7 on Thu Dec 28 21:14:34 2006
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [1087:318352]
:fw-interfaces - [0:0]
:fw-open - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -d 172.16.108.0/24 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -d 172.16.108.0/24 -i ppp0 -m state --state NEW -j DROP
-A INPUT -i ! ppp0 -j ACCEPT
-A INPUT -s 127.0.0.1 -d 127.0.0.1 -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-unreachable
-A FORWARD -i ppp0 -o ppp0 -j REJECT --reject-with icmp-port-unreachable
-A fw-open -d 10.0.116.1 -p tcp -m tcp --dport 3129 -j ACCEPT
COMMIT
# Completed on Thu Dec 28 21:14:34 2006

I'm extremely paranoid about ppp0. I still need to secure ppp0. How do I do that? I don't know much about firewalls.


#2 2006-12-28 16:57:34

ralvez
Member
From: Canada
Registered: 2005-12-06
Posts: 1,718

Re: Need help with iptables rules

The most practical way to protect yourself is "to see" from outside what's open with your current setup, and if it is not needed, close it.
I typically use Shields UP to test, they are here: http://www.grc.com/x/ne.dll?rh1dkyd2

I also have Smoothwall running (have now for a few years) and have to say that I'm very happy and so far I've not been cracked.

Hope this helps.

R

edit: When you get to the Shields UP web site, click on "All service ports" to test your setup.


#3 2006-12-28 17:13:18

hussam
Member
Registered: 2006-03-26
Posts: 572

Re: Need help with iptables rules

Shields UP only hit my DSL ISP and not ppp0.


#4 2006-12-28 18:05:50

hussam
Member
Registered: 2006-03-26
Posts: 572

Re: Need help with iptables rules

I simply need help setting up some iptables rules.


#5 2006-12-28 20:39:16

Romashka
Forum Fellow
Registered: 2005-12-07
Posts: 1,054

Re: Need help with iptables rules

hussam wrote:

I simply need help setting up some iptables rules.

The wiki page might be helpful, especially the "More info" section with links.


to live is to die


#6 2006-12-28 20:55:10

chrismortimore
Member
From: Edinburgh, UK
Registered: 2006-07-15
Posts: 655

Re: Need help with iptables rules

Looks pretty secure to me. Your INPUT is set to DROP, and you have a rule saying ACCEPT anything that doesn't come from ppp0, so unless you explicitly allow something on ppp0, you should be pretty secure.


Desktop: AMD Athlon64 3800+ Venice Core, 2GB PC3200, 2x160GB Maxtor DiamondMax 10, 2x320GB WD Caviar RE, Nvidia 6600GT 256MB
Laptop: Intel Pentium M, 512MB PC2700, 60GB IBM TravelStar, Nvidia 5200Go 64MB


#7 2006-12-28 22:57:27

hussam
Member
Registered: 2006-03-26
Posts: 572

Re: Need help with iptables rules

I got some help from tigsa on freenode and this is the output:

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-N SCANDROP
-A SCANDROP -m limit --limit 4/minute -j LOG --log-prefix scan
-A SCANDROP -j DROP
-N LOGDROP
-A LOGDROP -m limit --limit 4/minute -j LOG
-A LOGDROP -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
# following line is for blocking icmp echo requests on ppp0
-A INPUT -i ppp0 -p icmp -m icmp --icmp-type echo-request -j DROP
-A INPUT -i ppp0 -s 127.0.0.1 -j LOGDROP
-A INPUT -p tcp --tcp-flags ACK,FIN FIN -j SCANDROP
-A INPUT -i ppp0 -p udp --sport 67 -d 255.255.255.255/32 --dport 68 -j ACCEPT
-A INPUT -i ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i ppp0 -m state --state NEW -j LOGDROP
-A INPUT -j LOGDROP
COMMIT

Should this be enough?

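A small audit script, added here as an example and not posted by anyone in the thread, that reads an iptables-save dump like the ones in posts #1 and #7 and flags two things a reviewer would look for: user chains that are created but never jumped to (post #1's fw-interfaces and fw-open) and rules that can never match because an earlier unconditional rule in the same chain already terminates every packet (post #1's second FORWARD rule). The embedded sample is an abbreviated copy of the filter table from post #1; the script also accepts the `-N` chain-creation form used in post #7.

```python
"""Audit an iptables-save dump for dead chains and shadowed rules."""

# Constructed sample: an abbreviated copy of the filter table in post #1.
SAMPLE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:fw-interfaces - [0:0]
:fw-open - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i ! ppp0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-unreachable
-A FORWARD -i ppp0 -o ppp0 -j REJECT --reject-with icmp-port-unreachable
-A fw-open -d 10.0.116.1 -p tcp -m tcp --dport 3129 -j ACCEPT
COMMIT
"""

def parse_table(dump, table="filter"):
    """Return (policies, rules) for one table of an iptables-save dump.
    policies maps chain -> policy ('-' for user chains);
    rules is a list of (chain, match_tokens, target) in file order."""
    policies, rules, active = {}, [], False
    for line in dump.splitlines():
        tok = line.split()
        if line.startswith("*"):
            active = line[1:] == table
        elif not active or not tok or line == "COMMIT" or line[0] == "#":
            continue
        elif line.startswith(":"):           # ":CHAIN POLICY [pkts:bytes]"
            policies[tok[0][1:]] = tok[1]
        elif tok[0] == "-N":                 # "-N CHAIN" form (post #7)
            policies[tok[1]] = "-"
        elif tok[0] == "-A":                 # "-A CHAIN <matches> -j TARGET ..."
            j = tok.index("-j")
            rules.append((tok[1], tok[2:j], tok[j + 1]))
    return policies, rules

def unreferenced_chains(policies, rules):
    """User chains that no rule jumps to: their rules never run."""
    targets = {t for _, _, t in rules}
    return sorted(c for c, p in policies.items() if p == "-" and c not in targets)

def shadowed_rules(rules):
    """Rules placed after an unconditional ACCEPT/DROP/REJECT in the same chain."""
    dead, closed = [], set()
    for chain, match, target in rules:
        if chain in closed:
            dead.append((chain, " ".join(match), target))
        elif not match and target in ("ACCEPT", "DROP", "REJECT"):
            closed.add(chain)
    return dead
```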
