Hello everyone, I am a new convert to the world of Arch, and have to say I am enjoying things so far.
I wanted to post my iptables rules and ask those in the know if they are OK, especially the ordering of them, as in "XXX rule should be above YYY rule" etc. I copied a lot of the DROP rules from the Arch wiki.
Chain INPUT (policy DROP)
target prot opt source destination
DROP icmp -- anywhere anywhere icmp address-mask-reply
DROP icmp -- anywhere anywhere icmp address-mask-request
DROP icmp -- anywhere anywhere icmp router-solicitation
DROP icmp -- anywhere anywhere icmp router-advertisement
DROP icmp -- anywhere anywhere icmp redirect
DROP all -- 127.0.0.0/8 anywhere
DROP all -- 192.168.0.0/16 anywhere
DROP all -- 172.16.0.0/12 anywhere
DROP all -- 10.0.0.0/8 anywhere
DROP tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
DROP all -f anywhere anywhere
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
And a copy from the rules file in case this is easier for you to read!
# Generated by iptables-save v1.4.5 on Wed Dec 16 22:56:54 2009
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [1011:146398]
-A INPUT -p icmp -m icmp --icmp-type 18 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 17 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 10 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 9 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 5 -j DROP
-A INPUT -s 127.0.0.0/8 -i eth0 -j DROP
-A INPUT -s 192.168.0.0/16 -i eth0 -j DROP
-A INPUT -s 172.16.0.0/12 -i eth0 -j DROP
-A INPUT -s 10.0.0.0/8 -i eth0 -j DROP
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -f -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Wed Dec 16 22:56:54 2009
Please tell me what you think.
DROP all -- 127.0.0.0/8 anywhere
DROP all -- 192.168.0.0/16 anywhere
DROP all -- 172.16.0.0/12 anywhere
DROP all -- 10.0.0.0/8 anywhere
I'm assuming you use one of these network spaces on your local network, so you'll probably want to remove whichever one is appropriate...
ACCEPT all -- anywhere anywhere
This allows anyone from anywhere to connect to anything that's listening on your computer. I strongly advise against this rule. Add in specific rules for anything that you want to allow connections to.
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
This would normally be one of the first rules, so established and related connections can work without being interfered with by the other rules.
Are you familiar with our Forum Rules, and How To Ask Questions The Smart Way?
BlueHackers // fscanary // resticctl
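A corrected version of the posted ruleset, written as an added example (it is not the poster's rules, nor the Arch wiki's script). It applies the three points above: the RELATED,ESTABLISHED rule goes first, the blanket accept is replaced by the loopback rule plus one explicit rule per exposed port, and the anti-spoof drops are applied only on the Internet-facing interface and only to sources outside the range your own LAN uses. The interface name, the LAN range and the port list are assumed parameters; nothing in the thread fixes them.

```shell
#!/bin/sh
# Added example, not the poster's or the Arch wiki's code. Emits a corrected
# version of the INPUT ruleset from the thread in iptables-restore format.
#
# Assumed parameters (the thread does not fix any of them):
#   $1  interface facing the Internet                  (default eth0)
#   $2  the private range your own LAN really uses, e.g. 192.168.1.0/24;
#       leave empty if the host sits directly on a public address
#   $3  TCP ports to expose to the world, space separated (default: none)
gen_rules() {
    wan_if=${1:-eth0}
    lan_net=$2
    ports=$3

    # Anti-spoof only on the WAN side, and only for sources outside the
    # LAN range you use, so "DROP 192.168.0.0/16" cannot cut off your LAN.
    if [ -n "$lan_net" ]; then
        spoof_jump="-A INPUT -i $wan_if ! -s $lan_net -j ANTISPOOF"
    else
        spoof_jump="-A INPUT -i $wan_if -j ANTISPOOF"
    fi

    # One explicit rule per exposed port instead of "ACCEPT all anywhere".
    service_rules=""
    for p in $ports; do
        service_rules="$service_rules-A INPUT -i $wan_if -p tcp --dport $p -m state --state NEW -j ACCEPT
"
    done

    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:ANTISPOOF - [0:0]
:BADTCP - [0:0]
# 1. Stateful fast path first: most packets match here and never reach the
#    checks below. INVALID catches most malformed TCP as a side effect.
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# 2. Loopback. This is the rule that plain 'iptables -L' prints as
#    "ACCEPT all -- anywhere anywhere"; 'iptables -nvL' shows the lo column.
-A INPUT -i lo -j ACCEPT
# 3. Sanity checks, now only on traffic that is not part of a known flow.
$spoof_jump
-A INPUT -p tcp -j BADTCP
-A INPUT -f -j DROP
# 4. Services. Unlisted ports and every other ICMP type fall through to the
#    DROP policy, so the per-type ICMP drops of the original are not needed.
$service_rules
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
# Helper chains.
-A ANTISPOOF -s 127.0.0.0/8 -j DROP
-A ANTISPOOF -s 10.0.0.0/8 -j DROP
-A ANTISPOOF -s 172.16.0.0/12 -j DROP
-A ANTISPOOF -s 192.168.0.0/16 -j DROP
-A BADTCP -p tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A BADTCP -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A BADTCP -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
COMMIT
EOF
}

# Parse-check the generated file before loading it: iptables-restore --test
# reads the whole ruleset without committing it, so a typo cannot leave the
# box half-firewalled. Needs root for the final iptables-restore.
apply_rules() {
    tmp=$(mktemp) || return 1
    gen_rules "$@" >"$tmp" &&
        iptables-restore --test "$tmp" &&
        iptables-restore "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

Usage: `gen_rules eth0 192.168.1.0/24 "22" > /etc/iptables/iptables.rules`, then review the file and `apply_rules eth0 192.168.1.0/24 "22"` as root. With the state rule on top, the anti-spoof and flag checks now only ever see the first packet of each connection, which is also why `iptables -nvL` will show almost all the traffic counted on that first rule.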
Fruity wrote:
DROP all -- 127.0.0.0/8 anywhere
DROP all -- 192.168.0.0/16 anywhere
DROP all -- 172.16.0.0/12 anywhere
DROP all -- 10.0.0.0/8 anywhere
I'm assuming you use one of these network spaces on your local network, so you'll probably want to remove whichever one is appropriate...
Fruity wrote:
ACCEPT all -- anywhere anywhere
This allows anyone from anywhere to connect to anything that's listening on your computer. I strongly advise against this rule. Add in specific rules for anything that you want to allow connections to.
Fruity wrote:
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
This would normally be one of the first rules, so established and related connections can work without being interfered with by the other rules.
Hi fukawi2, thanks for the help.
I added the local network ones following the wiki; they apparently help stop spoofing attacks ('blocking reserved private networks incoming from the internet'). For now I think they are OK, though as you say I may need to remove one.
This next one I want to ask about though, it seems a little ambiguous. When I run:
iptables -L
..cut
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
The second line from the bottom is the one in question, and it does seem to open everything. But the odd thing is, when I look in /etc/iptables/iptables.rules the same section looks like so:
..cut
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT << Doesn't the 'lo' refer to the loopback device, the keyboard(?).
It does seem to imply 2 things depending on which output you view. Of course I may not be right about the lo bit anyway!
You mentioned RELATED,ESTABLISHED too; I will amend this and put it at the top.
Any thoughts on the seeming duality in that one line, -A INPUT -i lo -j ACCEPT vs ACCEPT all -- anywhere anywhere?
Fruity wrote:
Any thoughts on the seeming duality in that one line -A INPUT -i lo -j ACCEPT vs ACCEPT all -- anywhere anywhere
Try iptables -nvL instead of just -L.
Can you guys explain what the numbers in square brackets mean?
:OUTPUT ACCEPT [1011:146398]
Thx
Arch Linux is more than just GNU/Linux -- it's an adventure
pkill -9 systemd
The numbers inside the square brackets indicate the port numbers. This guide can help.
Thanks, kgas
So, it's a range of ports, right? The reason why I am asking is that my iptables.rules (from an old RHEL5 installation) reads:
:OUTPUT ACCEPT [1835450:668291040]
Can this be right? Everything works as expected, though...
kgas wrote:
The numbers inside the square brackets indicate the port numbers. This guide can help.
God NO!
Those numbers are the counters of how many packets and bytes matched that rule when you last saved the firewall using iptables-save.
Check the script in the stateful firewall howto article in the wiki;
there is a script I made at the end.
Check it, and you can even test it.
If people do not believe that mathematics is simple, it is only because they do not realize how complicated life is.
Simplicity is the ultimate sophistication.
kgas wrote:
The numbers inside the square brackets indicate the port numbers. This guide can help.
God NO!
Those numbers are the counters of how many packets and bytes matched that rule when you last saved the firewall using iptables-save.
Sorry, I misunderstood this part. Thanks fukawi2. I am currently using this for my laptop.
kgas wrote:
The numbers inside the square brackets indicate the port numbers. This guide can help.
God NO!
Those numbers are the counters of how many packets and bytes matched that rule when you last saved the firewall using iptables-save.
Thanks for your responses.
No, this is not the output of iptables -L; it is the head of iptables.rules, which in turn came from a RHEL5 installation, dated I think 2007 (I only modified the last few lines to protect ssh). I never run iptables-save -- no need, as long as I have the saved rules already. I searched this, and many examples in the guides also have the strange :OUTPUT [X:Y] line (with nonzero X and Y). I guess, since no one actually writes any rules for this chain, the numbers do not matter...
BTW, regarding the wiki, I noticed a few pieces of advice regarding protection against ssh brute force attacks. But there is no mention of dynamic IP blocking (with the 'xt_recent' module), in case someone is very desperate to break in. In my experience, this is way simpler and more effective than port knocking/static blacklisting. And the log files are not filled with junk...
L.
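The dynamic blocking L. describes, written out as an added example (not code from the thread or the wiki) in the same iptables-restore format as the rules above: new SSH connections are sent through a small chain that records each source with the recent match and drops it once it has tried too often inside the window. The interface name, the hit count, the window length and the trusted range are assumed parameters, as is the list name `sshbf`.

```shell
#!/bin/sh
# Added example, not code from the thread or the Arch wiki. Emits rules for
# dynamic blocking of SSH brute force with the xt_recent module, in
# iptables-restore format (goes into the *filter section, before COMMIT,
# after the RELATED,ESTABLISHED rule).
#
# Assumed parameters: $1 WAN interface (default eth0), $2 attempts allowed
# per window (default 4), $3 window in seconds (default 60), $4 an optional
# source range that is never rate limited, so a mistyped password from your
# own LAN cannot lock you out.
gen_ssh_rules() {
    wan_if=${1:-eth0}
    hits=${2:-4}
    window=${3:-60}
    trusted=$4

    if [ -n "$trusted" ]; then
        trust_rule="-A SSH -s $trusted -j ACCEPT"
    else
        trust_rule="# (no trusted range given)"
    fi

    cat <<EOF
:SSH - [0:0]
# Only NEW connections to port 22 enter the SSH chain; established sessions
# were accepted higher up in INPUT and are never counted again.
-A INPUT -i $wan_if -p tcp --dport 22 -m state --state NEW -j SSH
$trust_rule
# --set records the source in the list named sshbf on every new attempt.
-A SSH -m recent --name sshbf --set
# --update drops the source once it has made $hits attempts within $window s
# (this packet included) and, unlike --rcheck, refreshes the timestamp on
# every match: an attacker who keeps hammering stays blocked until it goes
# quiet for $window s. Nothing is logged, so the log files stay clean.
-A SSH -m recent --name sshbf --update --seconds $window --hitcount $hits -j DROP
-A SSH -j ACCEPT
EOF
}

# The live list is /proc/net/xt_recent/<name>: one line per source with its
# last hit timestamps. Writing "-ADDR" to it removes one entry, "clear"
# empties the list; both need root.
show_ssh_list() { cat "/proc/net/xt_recent/${1:-sshbf}"; }
unblock_ssh()   { echo "-$1" > "/proc/net/xt_recent/${2:-sshbf}"; }
```

Usage: `gen_ssh_rules eth0 4 60 192.168.1.0/24` and paste the output in place of a plain `--dport 22` accept rule. Keep `hits` small and the window short for a workstation; the kernel only keeps the last few timestamps per address (the `ip_pkt_list_tot` module parameter, 20 by default), so a hit count above that never matches.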