[Cialug] IPTables Concept

Chris K. lister at kulish.com
Tue Oct 31 18:11:04 CST 2006


First, I want to thank everyone that responded to my initial questions.

Below is my initial firewall script.  The primary goals are to avoid unknown outbound connections (information leakage) and only allow new ssh connections inbound.  If you see anything that breaks these two premises, please point them out.  I have done some testing and have not been able to initiate any outbound connections outside of what I have allowed.

I appreciate anyone taking the time to look this over.

Thanks!

---Start script

# Setup variables
OURIF="eth0"
OURLO="lo"
OURIP="ip.ip.ip.ip"
OURDNS1="ip.ip.ip.ip"
OURDNS2="ip.ip.ip.ip"
OURSMTP="mx.inside.com"
OURBACK="backserv"

# Flush all chains
/sbin/iptables --flush

# Set default policies
/sbin/iptables --policy INPUT DROP
/sbin/iptables --policy OUTPUT DROP
/sbin/iptables --policy FORWARD DROP

# Allow unlimited traffic on the loopback interface
/sbin/iptables -A INPUT -i $OURLO -j ACCEPT
/sbin/iptables -A OUTPUT -o $OURLO -j ACCEPT


# Allow incoming SSH (from anywhere)
/sbin/iptables -A INPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp -m state --state ESTABLISHED -j ACCEPT

# Access to internal DNS server and allow responses
/sbin/iptables -A OUTPUT -o $OURIF -p udp -s $OURIP --dport 53 -d $OURDNS1 -j ACCEPT
/sbin/iptables -A INPUT -i $OURIF -p udp -d $OURIP --sport 53 -s $OURDNS1 -j ACCEPT
/sbin/iptables -A OUTPUT -o $OURIF -p udp -s $OURIP --dport 53 -d $OURDNS2 -j ACCEPT
/sbin/iptables -A INPUT -i $OURIF -p udp -d $OURIP --sport 53 -s $OURDNS2 -j ACCEPT

# Access to internal SMTP server and allow responses
/sbin/iptables -A OUTPUT -o $OURIF -p tcp -s $OURIP --dport 25 -d $OURSMTP -j ACCEPT
/sbin/iptables -A INPUT -i $OURIF -p tcp -d $OURIP --sport 25 -s $OURSMTP -j ACCEPT

# Allow ssh out to perform backups to our backup server
/sbin/iptables -A OUTPUT -o $OURIF -p tcp -s $OURIP --dport 22 -d $OURBACK -j ACCEPT
/sbin/iptables -A INPUT -i $OURIF -p tcp -d $OURIP --sport 22 -s $OURBACK -j ACCEPT

# Access to external WWW servers and allow responses for deb packages
/sbin/iptables -A OUTPUT -o $OURIF -p tcp -s $OURIP --dport 80 -d mirrors.kernel.org -j ACCEPT
/sbin/iptables -A INPUT -i $OURIF -p tcp -d $OURIP --sport 80 -s mirrors.kernel.org -j ACCEPT
/sbin/iptables -A OUTPUT -o $OURIF -p tcp -s $OURIP --dport 80 -d security.debian.org -j ACCEPT
/sbin/iptables -A INPUT -i $OURIF -p tcp -d $OURIP --sport 80 -s security.debian.org -j ACCEPT

# Drop all inbound packets that claim to be from us..
/sbin/iptables -A INPUT -i $OURIF -s $OURIP -j DROP

# Drop all outbound packets that claim not to be from us.
# (negation goes before the option: "! -s", not "-s !")
/sbin/iptables -A OUTPUT -o $OURIF ! -s $OURIP -j DROP
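A stateful rewrite of the same policy, as an added example and not the poster's script: it keeps the two stated goals (no unknown outbound connections, only new SSH inbound) but replaces the per-service "--sport N" reply rules with one ESTABLISHED,RELATED rule per direction, and can be dry-run with IPT=echo to inspect what would be loaded. The variable values are the original's placeholders; `allow_out` and `apply_policy` are hypothetical helper names.

```shell
#!/bin/sh
# Stateful rewrite of the posted policy (added example, not the list post's
# own script). Hostnames such as OURSMTP resolve once, when each rule is
# loaded; the placeholders below are the original's and must be filled in.
IPT="${IPT:-/sbin/iptables}"   # set IPT=echo to dry-run and inspect the rules
OURIF="eth0"
OURIP="ip.ip.ip.ip"
OURDNS1="ip.ip.ip.ip"
OURDNS2="ip.ip.ip.ip"
OURSMTP="mx.inside.com"
OURBACK="backserv"

# allow_out <proto> <port> <destination>: permit only NEW connections
# to one host:port. Replies return through the ESTABLISHED,RELATED rule
# in apply_policy, so no per-service "--sport N" INPUT rule is needed
# (the original's reply rules accepted any packet with that source port).
allow_out() {
    "$IPT" -A OUTPUT -o "$OURIF" -p "$1" -s "$OURIP" -d "$3" --dport "$2" \
        -m state --state NEW -j ACCEPT
}

apply_policy() {
    "$IPT" -F
    "$IPT" -P INPUT DROP
    "$IPT" -P OUTPUT DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A OUTPUT -o lo -j ACCEPT
    # Spoof checks first, so no later rule can match a forged address.
    "$IPT" -A INPUT -i "$OURIF" -s "$OURIP" -j DROP
    "$IPT" -A OUTPUT -o "$OURIF" ! -s "$OURIP" -j DROP
    # One stateful rule per direction covers every reply packet.
    "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The only inbound service: new SSH sessions from anywhere.
    "$IPT" -A INPUT -i "$OURIF" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    # Outbound allow-list; anything else hits the OUTPUT DROP policy.
    allow_out udp 53 "$OURDNS1"
    allow_out udp 53 "$OURDNS2"
    allow_out tcp 25 "$OURSMTP"
    allow_out tcp 22 "$OURBACK"
    allow_out tcp 80 mirrors.kernel.org
    allow_out tcp 80 security.debian.org
}

# Load the rules only when invoked with --apply; otherwise just define them.
if [ "${1:-}" = "--apply" ]; then
    apply_policy
fi
```

Run `IPT=echo sh firewall.sh --apply` to print the rule set without touching the kernel, then compare it line by line against the original before loading it for real.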


