TCLUG Archive

Re: [TCLUG:16582] Firewalls revisited...



I could use it too.  Put it up somewhere for people to see.  Doesn't filtering
out cifs prevent people from getting to your machine through windows
networking?  

Scott Dier - dieman <dieman@ringworld.org> writes:

> On Mon, 24 Apr 2000, ^chewie wrote:
> 
> > 	DON'T set the default policy to DENY.
> > 	(e.g. ipchains -P input DENY)
> Actually, do, but dont miss any packets with the below rule :)
> 
> > 	Append a LAST rule in the input, output, and forward chains that DENY
> > 	and log any missed packets instead...
> 
> I have a LDROP chain that i put just after my drops...
> 
> # excerpts from my iptables setup script
> 
> $IPTABLES --new LDROP 2>/dev/null
> $IPTABLES -A LDROP --proto tcp -j LOG --log-level info \
>                                            --log-prefix "TCP Drop "
> echo -n "."
> $IPTABLES -A LDROP --proto udp -j LOG --log-level info \
>                                            --log-prefix "UDP Drop "
> echo -n "."
> $IPTABLES -A LDROP --proto icmp -j LOG --log-level info \
>                                            --log-prefix "ICMP Drop "
> echo -n "."
> $IPTABLES -A LDROP --proto gre -j LOG --log-level info \
>                                            --log-prefix "GRE Drop "
> echo -n "."
> $IPTABLES -A LDROP -f -j LOG --log-level emerg \
>                                   --log-prefix "FRAGMENT Drop"
> echo -n "."
> $IPTABLES -A LDROP -j DROP
> echo -n "."
> 
> $IPTABLES -A INPUT --src $LOCALIP -i ! lo -j LDROP
> 
> # I have a whole ton of icmp rules here too.
> 
> echo -n "Logging rules"
> # Who cares about cifs lookups
> $IPTABLES -A INPUT --proto udp --dport 137:138 -j DROP
> $IPTABLES -A OUTPUT --proto udp --dport 137:138 -j DROP
> $IPTABLES -A INPUT --proto udp --dport 67:67 -j DROP
> echo -n "."
> 
> # Same goes for irc server paranoia.
> $IPTABLES -A INPUT --proto tcp --syn --dport 1080 -j DROP 
> echo -n "."
> 
> # Log anything else
> $IPTABLES -A INPUT -i ! lo --proto tcp --syn -j LDROP
> echo -n "."
> 
> # Log low port UDP
> $IPTABLES -A INPUT -i ! lo --proto udp --dport :1023 -j LDROP
> echo -n "."
> 
> RPC_UDP=`rpcinfo -p localhost|perl -n -e '/.*udp\s+(\d+)\s+/ && print $1,"\n"'|sort -u`
> for port in $RPC_UDP; do
>   $IPTABLES -A INPUT -i ! lo --proto udp --dport $port -j LDROP
> done 
> echo -n "."
> 
> echo "Done"
> 
> 
> ask if you want the whole script.  I use state based filtering to deal
> with it too :)
> 
> $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> 
> whee!
> 
> -- 
> Scott Dier <dieman@ringworld.org> #nicnac@efnet 612.301.0265
> http://www.ringworld.org/  finger:dieman@destiny.ringworld.org
> 
> Wait. Watch. Wonder.
> 	-J
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tclug-list-unsubscribe@mn-linux.org
> For additional commands, e-mail: tclug-list-help@mn-linux.org

-- 
Jon Schewe 
http://eggplant.mtu.net/~jpschewe
schewe@tcfreenet.org
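For anyone who wants to try the log-then-drop idea from Scott's excerpt on a current box, here is an added example (mine, not Scott's script and not from the original post) that emits the same kind of ruleset in iptables-restore format. It assumes LOCALIP defaults to a documentation address (192.0.2.10), that ssh on tcp/22 is the only service offered, that the conntrack match replaces the older state match, and that the limit values are illustrative. The one point the excerpt doesn't show is where the ESTABLISHED,RELATED accept sits: it has to come before the catch-all jump to the logging chain, or replies to this host's own outbound connections get logged and dropped, so the script checks that ordering before you load it.

```shell
#!/bin/sh
# Added example, not Scott's script: an iptables-restore ruleset built around
# the same log-then-drop chain, in current iptables syntax. Assumptions:
# LOCALIP defaults to a documentation address, ssh on tcp/22 is the only
# offered service, and the limit values are illustrative.
LOCALIP="${LOCALIP:-192.0.2.10}"

# Print the complete ruleset on stdout (iptables-restore format).
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LDROP - [0:0]
# LDROP: log by protocol, then drop. The limit match stops a scan or a
# flood from filling syslog with one line per packet.
-A LDROP -p tcp -m limit --limit 5/min --limit-burst 10 -j LOG --log-level info --log-prefix "TCP Drop "
-A LDROP -p udp -m limit --limit 5/min --limit-burst 10 -j LOG --log-level info --log-prefix "UDP Drop "
-A LDROP -p icmp -m limit --limit 5/min --limit-burst 10 -j LOG --log-level info --log-prefix "ICMP Drop "
-A LDROP -f -m limit --limit 5/min --limit-burst 10 -j LOG --log-level emerg --log-prefix "FRAGMENT Drop "
-A LDROP -j DROP
# Loopback first, then the anti-spoof check: our own address arriving on a
# non-loopback interface is forged.
-A INPUT -i lo -j ACCEPT
-A INPUT -s $LOCALIP ! -i lo -j LDROP
# Already-tracked connections are accepted here, before any catch-all; if
# this rule came after "-A INPUT -j LDROP", replies to this host's own
# outbound connections would be logged and dropped.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j LDROP
# Noise not worth logging: NetBIOS name/datagram services, DHCP server port.
-A INPUT -p udp --dport 137:138 -j DROP
-A INPUT -p udp --dport 67 -j DROP
# Services actually offered (assumption: ssh only).
-A INPUT -p tcp --syn --dport 22 -j ACCEPT
# Anything else is logged before the DROP policy would silently eat it.
-A INPUT ! -i lo -p tcp --syn -j LDROP
-A INPUT ! -i lo -p udp --dport 0:1023 -j LDROP
-A INPUT -j LDROP
COMMIT
EOF
}

# Exit 0 if the ESTABLISHED,RELATED accept precedes the catch-all LDROP jump.
check_order() {
    gen_rules | awk '
        /^-A INPUT / && /ESTABLISHED,RELATED/ { est = NR }
        /^-A INPUT -j LDROP$/                 { all = NR }
        END { exit !(est && all && est < all) }'
}

# Number of INPUT rules that hand a packet to the logging chain.
ldrop_jumps() {
    gen_rules | grep -c -- '^-A INPUT .*-j LDROP$'
}

# Only load into the kernel when asked for explicitly and running as root;
# otherwise just show the ruleset so it can be reviewed first.
if [ "${APPLY:-0}" = 1 ] && [ "$(id -u)" = 0 ]; then
    check_order || { echo "conntrack accept must precede catch-all LDROP" >&2; exit 1; }
    gen_rules | iptables-restore
else
    gen_rules
fi
```

Run it without arguments to see the ruleset; run it as root with APPLY=1 to load it. The LOG target writes to the kernel log with the prefix shown, so "TCP Drop " and friends are what you grep for afterwards.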