
#1 2008-01-10 23:40:17

dyscoria
Member
Registered: 2008-01-10
Posts: 1,007

securing iptables

I think I understand some basic concepts of iptables, but there are a few things I'm unsure about. So far, I set up my iptables rules as per the HowTo on the ArchWiki with one small change to block ICMP. I am connected to a LAN via eth0 and ip is assigned by DHCP:

# iptables -P INPUT ACCEPT
# iptables -P FORWARD ACCEPT
# iptables -P OUTPUT ACCEPT
# iptables -F
# iptables -X

# iptables -N open
# iptables -N interfaces
# iptables -A INPUT -p icmp -j REJECT
# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A INPUT -j interfaces
# iptables -A INPUT -j open
# iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
# iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable

# iptables -P INPUT DROP
# iptables -P FORWARD DROP
# iptables -P OUTPUT ACCEPT

# iptables -A interfaces -i lo -j ACCEPT

# /etc/rc.d/iptables save

As I understand it, this is pretty secure. However, I'm not entirely sure what this line does:

# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

I assume that the incoming(??) connection that is already running over eth0 is prevented from being blocked?

Also, is there any iptables hardening I should do to become more secure over a LAN? I've seen various functions in Firestarter that seem to hint to this being possible ('Block Broadcasts From External Network' and 'Block Broadcasts From Internal Network') but am unsure if they are entirely necessary. I imagine the rules will be fairly complicated and beyond the scope of my knowledge, so they might not be worth the effort to try and incorporate.

Many thanks.


flack 2.0.6: menu-driven BASH script to easily tag FLAC files (AUR)
knock-once 1.2: BASH script to easily create/send one-time sequences for knockd (forum/AUR)


#2 2008-01-11 00:17:32

cactus
Taco Eater
From: t͈̫̹ͨa͖͕͎̱͈ͨ͆ć̥̖̝o̫̫̼s͈̭̱̞͍̃!̰
Registered: 2004-05-25
Posts: 4,622

Re: securing iptables

here is my rough template for iptables.
http://cactuswax.net/p/eliott/configs/iptables.txt

I have taken to using firehol a bit lately though. The syntax reminds me *a bit* of pf.

Anyway.. the line you listed allows traffic in that was originated by the machine itself. For example, if it makes a connection to the archlinux.org webserver, an entry is added to the iptables connection tracking (ip_conntrack) table. The return traffic is allowed in by that rule, as well as any other return traffic associated with that specific tcp stream.

hope that helps.


"Be conservative in what you send; be liberal in what you accept." -- Postel's Law
"tacos" -- Cactus' Law
"t̥͍͎̪̪͗a̴̻̩͈͚ͨc̠o̩̙͈ͫͅs͙͎̙͊ ͔͇̫̜t͎̳̀a̜̞̗ͩc̗͍͚o̲̯̿s̖̣̤̙͌ ̖̜̈ț̰̫͓ạ̪͖̳c̲͎͕̰̯̃̈o͉ͅs̪ͪ ̜̻̖̜͕" -- -̖͚̫̙̓-̺̠͇ͤ̃ ̜̪̜ͯZ͔̗̭̞ͪA̝͈̙͖̩L͉̠̺͓G̙̞̦͖O̳̗͍

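A small model of the INPUT chain posted in #1, added here as an example (it is not code from the thread, the Arch wiki or iptables itself): it walks a few constructed packets through the rules in the order they were listed, with a plain set standing in for the ip_conntrack table cactus describes, so you can see which packets the RELATED,ESTABLISHED rule lets back in.

```python
# Added example: a simplified model of the posted INPUT chain.
# Real conntrack also tracks UDP and ICMP flows and has RELATED helpers;
# this model keeps only the TCP reply case described in the thread.

conntrack = set()  # constructed stand-in for the ip_conntrack table

def outbound(proto, dst, dport, sport):
    """OUTPUT policy is ACCEPT; the kernel records the flow so replies match."""
    conntrack.add((proto, dst, dport, sport))

def input_chain(pkt):
    """Walk the posted INPUT rules in order and return the terminating verdict."""
    proto, iface, src = pkt["proto"], pkt["iface"], pkt["src"]
    sport, dport = pkt.get("sport"), pkt.get("dport")
    # 1. -A INPUT -p icmp -j REJECT   (the OP's change from the wiki HowTo)
    if proto == "icmp":
        return "REJECT"
    # 2. -m state --state RELATED,ESTABLISHED -j ACCEPT: reply to a flow we opened
    if (proto, src, sport, dport) in conntrack:
        return "ACCEPT (ESTABLISHED)"
    # 3. -j interfaces  ->  -A interfaces -i lo -j ACCEPT
    if iface == "lo":
        return "ACCEPT (interfaces)"
    # 4. -j open: the chain exists but is empty, so evaluation falls through
    # 5./6. explicit rejects for any new connection attempt
    if proto == "tcp":
        return "REJECT --reject-with tcp-reset"
    if proto == "udp":
        return "REJECT --reject-with icmp-port-unreachable"
    return "DROP (policy)"  # anything else hits -P INPUT DROP

def demo():
    """Constructed traffic: one web fetch by this host, then four inbound packets."""
    conntrack.clear()
    outbound("tcp", "10.0.0.80", 80, 40000)  # constructed: we fetch a web page
    lan = "10.0.0.5"  # constructed LAN neighbour
    return {
        "reply":     input_chain({"proto": "tcp", "iface": "eth0", "src": "10.0.0.80", "sport": 80, "dport": 40000}),
        "ssh_probe": input_chain({"proto": "tcp", "iface": "eth0", "src": lan, "sport": 51000, "dport": 22}),
        "ping":      input_chain({"proto": "icmp", "iface": "eth0", "src": lan}),
        "loopback":  input_chain({"proto": "tcp", "iface": "lo", "src": "127.0.0.1", "sport": 5000, "dport": 631}),
        "udp_probe": input_chain({"proto": "udp", "iface": "eth0", "src": lan, "sport": 5353, "dport": 5353}),
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:10} -> {verdict}")
```

Because the icmp REJECT sits before the RELATED,ESTABLISHED rule, ICMP errors that belong to the host's own connections are rejected as well, and the model reproduces that ordering.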

#3 2008-01-11 12:22:59

dyscoria
Member
Registered: 2008-01-10
Posts: 1,007

Re: securing iptables

Thanks cactus, that clears it up!

I think I'm going to try and restrict outgoing connections now. I see you've set up logging - something I'm probably going to avoid for the minute until I finish setting up all the rules I want.

Many thanks.



