#1 2010-05-01 05:57:21

psycroptic
Member
Registered: 2008-08-31
Posts: 20

wanting a run-down of my iptables config (secure, efficient, etc.)

hey everybody. :)


so, i've been using Arch as a very basic server for my little ol' network for about 3 or 4 years now, and i can definitely say that it performs simply flawlessly. software-side i've yet to run into ANYthing that it couldn't do, it's never crashed, and it's solid as an effing rock. of course there's been the learning curve/speed bumps along the way, but of all the linux distros i've used this one seems to me to be the most logical and, frankly, simplest one out there. In particular, the wiki you guys have is excellent; i've pretty much learned basic administration from it (along with a handful of other sites.) coming from a staunch Windows-only mindset several years ago, i would definitively label myself a convert ;)

now, my server does basic networking & file services for my network. I use BIND for local & caching DNS, dhcpd for DHCP, and samba for file serving purposes (it's actually kinda sweet; I've got 3 1TB drives set up on software raid w/LVM for backup on all my systems \m/)

up until yesterday, my network still had a linksys wireless router as the gateway between the LAN and the modem/WAN. the mobo in my server happens to have 2 network jacks, so.... i figured i'd take a stab at seeing if i can convert the server into a router itself! thanks to y'all's wiki, i basically followed the instructions in this article (http://wiki.archlinux.org/index.php/Router) using iptables to manage routing & NAT.

so far, everything seems to be working fine; configuration of iptables, as far as i can tell, went over without a hitch, and immediately i was able to get internet access from all computers while still having local DNS/DHCP working. but, as i did just learn/do this yesterday, i figured i might turn to you guys just to verify that my rules look ok and, most importantly, are set up as a safe, effective firewall.

below is the output of iptables -nvL. the open port 12345 is for bittorrent on my desktop. eth0 is my external port going to the modem, and eth1 goes to my switch for my LAN (static IP 172.16.0.1):

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  192 20655 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 6977  523K ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
  774  152K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
99382   52M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
  494 17639 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8 state NEW
35957   12M OPEN-UDP   udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW
  713 36874 OPEN-TCP   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW
35957   12M REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
  713 36874 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with tcp-reset
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-proto-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
19108  989K TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02 TCPMSS clamp to PMTU
6862K 3121M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
99987   11M fw-interfaces  all  --  *      *       0.0.0.0/0            0.0.0.0/0
60454 7203K fw-open    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 73035 packets, 6255K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OPEN-TCP (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:12345

Chain OPEN-UDP (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:12345

Chain fw-interfaces (1 references)
 pkts bytes target     prot opt in     out     source               destination
39533 3737K ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0

Chain fw-open (1 references)
 pkts bytes target     prot opt in     out     source               destination
 8224  453K ACCEPT     tcp  --  *      *       0.0.0.0/0            172.16.0.10         tcp dpt:12345
52230 6750K ACCEPT     udp  --  *      *       0.0.0.0/0            172.16.0.10         udp dpt:12345

anything you guys see should be changed? thanks in advance for those who take the time to read/reply!


#2 2010-05-01 18:46:12

Sin.citadel
Member
Registered: 2008-01-22
Posts: 267

Re: wanting a run-down of my iptables config (secure, efficient, etc.)

For more security, on the WAN interface, where you do not expect any inbound traffic, you should create a rule allowing RELATED and ESTABLISHED traffic and drop all other traffic. Also, it is better to use interface names for all rules (personal preference, but explicit is always better than implicit). Also, do not use REJECT; simply use DROP, as REJECT takes extra CPU cycles and network traffic since a reply is sent.

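As an added example (not code from either poster or from the Arch wiki), the script below turns the three review points from the reply into checks that run offline against `iptables -nvL` text: it parses the fixed-column listing, flags accepting INPUT rules that match any interface (`*`), counts REJECT targets, and tests whether the WAN interface gets an explicit RELATED,ESTABLISHED accept with everything else dropped. The interface names eth0 (WAN) and eth1 (LAN) come from the original post; the first listing is the posted INPUT chain, and the second is a constructed listing showing the shape the reply asks for.

```python
# Added example (not from the forum thread): audit `iptables -nvL` output for
# the three points raised in the reply above. Python is used so the listing
# can be checked offline without root or a live netfilter; the interface names
# eth0 (WAN) and eth1 (LAN) are assumptions taken from the original post.
import re
from dataclasses import dataclass


@dataclass
class Rule:
    chain: str
    target: str
    proto: str
    in_if: str
    out_if: str
    src: str
    dst: str
    extra: str  # match text after the destination column, e.g. "state INVALID"


def parse_iptables_nvl(text: str):
    """Parse the fixed-column `iptables -nvL` listing into Rule records."""
    rules, chain = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"Chain (\S+) \(", line)
        if m:
            chain = m.group(1)
            continue
        if line.startswith("pkts "):  # column header line
            continue
        # pkts bytes target prot opt in out source destination [extra...]
        cols = line.split(None, 9)
        if chain is None or len(cols) < 9:
            continue
        extra = cols[9] if len(cols) > 9 else ""
        rules.append(Rule(chain, cols[2], cols[3], cols[5], cols[6],
                          cols[7], cols[8], extra))
    return rules


TERMINAL_DENY = {"DROP", "REJECT"}


def rules_without_input_interface(rules, chain="INPUT"):
    """Accepting rules (ACCEPT or jumps to user chains) that match any input interface."""
    return [r for r in rules
            if r.chain == chain and r.in_if == "*" and r.target not in TERMINAL_DENY]


def reject_rules(rules):
    """Rules that answer with REJECT instead of silently dropping."""
    return [r for r in rules if r.target == "REJECT"]


def wan_has_established_only(rules, wan="eth0", chain="INPUT"):
    """True when `chain` explicitly accepts RELATED,ESTABLISHED on `wan` and no
    other accepting rule (bound to `wan` or to '*') could admit traffic from it."""
    in_chain = [r for r in rules if r.chain == chain]
    explicit = any(r.in_if == wan and r.target == "ACCEPT"
                   and "RELATED,ESTABLISHED" in r.extra for r in in_chain)
    stray = [r for r in in_chain
             if r.in_if in (wan, "*") and r.target not in TERMINAL_DENY
             and "RELATED,ESTABLISHED" not in r.extra]
    return explicit and not stray


def audit(text, wan="eth0"):
    """Summarise the three findings for one listing."""
    rules = parse_iptables_nvl(text)
    return {
        "missing_in_interface": len(rules_without_input_interface(rules)),
        "reject_rules": len(reject_rules(rules)),
        "wan_established_only": wan_has_established_only(rules, wan),
    }


# INPUT chain exactly as posted in the thread.
POSTED_INPUT = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  192 20655 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 6977  523K ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
  774  152K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
99382   52M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
  494 17639 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8 state NEW
35957   12M OPEN-UDP   udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW
  713 36874 OPEN-TCP   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW
35957   12M REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
  713 36874 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with tcp-reset
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-proto-unreachable
"""

# Constructed listing (counters zero) with the WAN pattern the reply asks for:
# interface-bound rules, explicit RELATED,ESTABLISHED on eth0, DROP for the rest.
HARDENED_INPUT = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           state INVALID
    0     0 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 DROP       all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
"""

if __name__ == "__main__":
    for name, listing in (("posted", POSTED_INPUT), ("hardened", HARDENED_INPUT)):
        print(name, audit(listing))
```

Run against the posted chain it reports four accepting rules with no input interface, three REJECT rules and no explicit WAN RELATED,ESTABLISHED rule; the constructed hardened chain clears all three. Feeding it a live box is just `iptables -nvL | python3 audit.py` with the listing read from stdin in place of the embedded strings.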
