please give suggestion

 
 
perltcl@yahoo.com
08-10-2006, 05:46 PM
Hi,

I am learning to use iptables; please give constructive suggestions,
thanks.
Is there a shorthand for "LOG then DROP"?
Will this setting work for "normal" web usage?

# my firewall setting:

# house cleaning
iptables -F

# block stupid X , it's sorta redundant , see below
iptables -A INPUT -s ! localhost -p tcp --dport 6000:6000 -j LOG
iptables -A INPUT -s ! localhost -p tcp --dport 6000:6000 -j DROP

# only allow six ip types
iptables -N IN_tcpchain
iptables -N IN_udpchain
iptables -N IN_icmpchain
iptables -N OUT_tcpchain
iptables -N OUT_udpchain
iptables -N OUT_icmpchain
iptables -N FOR_tcpchain
iptables -N FOR_udpchain
iptables -N FOR_icmpchain

iptables -A INPUT -p tcp -j IN_tcpchain
iptables -A INPUT -p udp -j IN_udpchain
iptables -A INPUT -p icmp -j IN_icmpchain
iptables -A OUTPUT -p tcp -j OUT_tcpchain
iptables -A OUTPUT -p udp -j OUT_udpchain
iptables -A OUTPUT -p icmp -j OUT_icmpchain
iptables -A FORWARD -p tcp -j FOR_tcpchain
iptables -A FORWARD -p udp -j FOR_udpchain
iptables -A FORWARD -p icmp -j FOR_icmpchain
iptables -A INPUT -p all -j LOG
iptables -A INPUT -p all -j DROP
iptables -A OUTPUT -p all -j LOG
iptables -A OUTPUT -p all -j DROP
iptables -A FORWARD -p all -j LOG
iptables -A FORWARD -p all -j DROP

# only accept udp from the two trusted name servers
iptables -A IN_udpchain -s 168.95.192.1 --sport 53 -j ACCEPT
iptables -A IN_udpchain -s 168.95.1.1 --sport 53 -j ACCEPT
iptables -A IN_udpchain -j LOG
iptables -A IN_udpchain -j DROP

# only allow dns udp going to the two servers
iptables -A OUT_udpchain -d 168.95.192.1 --dport 53 -j ACCEPT
iptables -A OUT_udpchain -d 168.95.1.1 --dport 53 -j ACCEPT
iptables -A OUT_udpchain -j LOG
iptables -A OUT_udpchain -j DROP

iptables -A FOR_udpchain -d 168.95.192.1 --dport 53 -j ACCEPT
iptables -A FOR_udpchain -d 168.95.1.1 --dport 53 -j ACCEPT
iptables -A FOR_udpchain -j LOG
iptables -A FOR_udpchain -j DROP

# no service on this system, except X
iptables -A IN_tcpchain -s localhost --syn -j ACCEPT
iptables -A IN_tcpchain --syn -j LOG
iptables -A IN_tcpchain --syn -j DROP

# only allow web traffic
iptables -A OUT_tcpchain --dport 80 -j ACCEPT
iptables -A OUT_tcpchain --dport 443 -j ACCEPT
iptables -A OUT_tcpchain -j LOG
iptables -A OUT_tcpchain -j DROP

iptables -A FOR_tcpchain --dport 80 -j ACCEPT
iptables -A FOR_tcpchain --dport 443 -j ACCEPT
iptables -A FOR_tcpchain -j LOG
iptables -A FOR_tcpchain -j DROP

# only allow echo reply coming in
iptables -A IN_icmpchain --icmp-type 0 -j ACCEPT
iptables -A IN_icmpchain --icmp-type 0 -j LOG
iptables -A IN_icmpchain --icmp-type 0 -j DROP

# only allow echo request going out
iptables -A OUT_icmpchain --icmp-type 8 -j ACCEPT
iptables -A OUT_icmpchain --icmp-type 8 -j LOG
iptables -A OUT_icmpchain --icmp-type 8 -j DROP

iptables -A FOR_icmpchain --icmp-type 8 -j ACCEPT
iptables -A FOR_icmpchain --icmp-type 8 -j LOG
iptables -A FOR_icmpchain --icmp-type 8 -j DROP

 
Lew Pitcher
08-10-2006, 06:48 PM


(E-Mail Removed) wrote:
> hi
>
> I am learning to use iptables; please give constructive suggestions,
> thanks.
> Is there a shorthand for "LOG then DROP"?


There isn't a /single/ default chain that will "log, then drop".
I've found it handy to write a user chain that does that function, and
just -j to that chain whenever I need to log and drop a packet.

Try something like
iptables -t filter -N log_and_drop
iptables -t filter -A log_and_drop -j LOG --log-level notice --log-prefix "(drop) "
iptables -t filter -A log_and_drop -j DROP

and adjust your later rules to -j log_and_drop

> will this setting work for "normal" web usage?


I'd have to take a closer look at your ruleset, and I don't have the
time right now. I'll try to get back to this tonight. Sorry.. :-(

[snip]

--
Lew Pitcher


perltcl@yahoo.com
08-10-2006, 11:21 PM

(E-Mail Removed) wrote:
> hi
>
> I am learning to use iptables; please give constructive suggestions,
> thanks.
> Is there a shorthand for "LOG then DROP"?
> Will this setting work for "normal" web usage?
>
> # my firewall setting:
>
> # house cleaning
> iptables -F
>
> # block stupid X , it's sorta redundant , see below
> iptables -A INPUT -s ! localhost -p tcp --dport 6000:6000 -j LOG
> iptables -A INPUT -s ! localhost -p tcp --dport 6000:6000 -j DROP
>
> # only allow six ip types


Actually, it's three types of IP packets; counting input and output as
different, it's six types.
I've implicitly grouped output and forward together.



 
perltcl@yahoo.com
08-11-2006, 04:18 AM

(E-Mail Removed) wrote:
> (E-Mail Removed) wrote:
> > hi
> >
> > I am learning to use iptables; please give constructive suggestions,
> > thanks.
> > Is there a shorthand for "LOG then DROP"?
> > Will this setting work for "normal" web usage?
> >
> > # my firewall setting:
> >
> > # house cleaning
> > iptables -F
> >
> > # block stupid X , it's sorta redundant , see below
> > iptables -A INPUT -s ! localhost -p tcp --dport 6000:6000 -j LOG
> > iptables -A INPUT -s ! localhost -p tcp --dport 6000:6000 -j DROP
> >
> > # only allow six ip types

>
> Actually, it's three types of IP packets; counting input and output as
> different, it's six types.
> I've implicitly grouped output and forward together.


I've made some errors; I've written another one and tested it
(I've included LOG_DROP).
It ran OK as far as being functional.
Can someone give me some suggestions? Thanks.

The new tested firewall:
# house cleaning
iptables -F
iptables -X   # delete the old user chains too, or the -N lines below fail on a re-run

iptables -N LOG_DROP
iptables -A LOG_DROP -j LOG --log-level notice --log-prefix "(drop) "
iptables -A LOG_DROP -j DROP

# only allow three types of IP packets
iptables -N IN_tcpchain
iptables -N IN_udpchain
iptables -N IN_icmpchain
iptables -N OUT_tcpchain
iptables -N OUT_udpchain
iptables -N OUT_icmpchain
iptables -N FOR_tcpchain
iptables -N FOR_udpchain
iptables -N FOR_icmpchain

# allow local traffic
iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT

# divert all else
iptables -A INPUT -p tcp -j IN_tcpchain
iptables -A INPUT -p udp -j IN_udpchain
iptables -A INPUT -p icmp -j IN_icmpchain
iptables -A OUTPUT -p tcp -j OUT_tcpchain
iptables -A OUTPUT -p udp -j OUT_udpchain
iptables -A OUTPUT -p icmp -j OUT_icmpchain
iptables -A FORWARD -p tcp -j FOR_tcpchain
iptables -A FORWARD -p udp -j FOR_udpchain
iptables -A FORWARD -p icmp -j FOR_icmpchain
iptables -A INPUT -p all -j LOG_DROP
iptables -A OUTPUT -p all -j LOG_DROP
iptables -A FORWARD -p all -j LOG_DROP

# only accept DNS UDP from the two trusted name servers
iptables -A IN_udpchain -s 168.95.192.1 -p udp --sport 53 -j ACCEPT
iptables -A IN_udpchain -s 168.95.1.1 -p udp --sport 53 -j ACCEPT
iptables -A IN_udpchain -j LOG_DROP

# only allow DNS UDP going to the two servers
iptables -A OUT_udpchain -d 168.95.192.1 -p udp --dport 53 -j ACCEPT
iptables -A OUT_udpchain -d 168.95.1.1 -p udp --dport 53 -j ACCEPT
iptables -A OUT_udpchain -j LOG_DROP
iptables -A FOR_udpchain -d 168.95.192.1 -p udp --dport 53 -j ACCEPT
iptables -A FOR_udpchain -d 168.95.1.1 -p udp --dport 53 -j ACCEPT
iptables -A FOR_udpchain -j LOG_DROP

# only allow echo reply coming in
iptables -A IN_icmpchain -p icmp --icmp-type 0 -j ACCEPT
# catch-all without --icmp-type: a second type-0 rule after the ACCEPT could never match
iptables -A IN_icmpchain -j LOG_DROP

# only allow echo request going out
iptables -A OUT_icmpchain -p icmp --icmp-type 8 -j ACCEPT
iptables -A OUT_icmpchain -j LOG_DROP
iptables -A FOR_icmpchain -p icmp --icmp-type 8 -j ACCEPT
iptables -A FOR_icmpchain -j LOG_DROP

# no service on this system, except X
iptables -A IN_tcpchain -p tcp --syn -j LOG_DROP
iptables -A IN_tcpchain -p tcp --sport 80 -j ACCEPT
iptables -A IN_tcpchain -p tcp --sport 443 -j ACCEPT
iptables -A IN_tcpchain -j LOG_DROP

# only allow web traffic
iptables -A OUT_tcpchain -p tcp --dport 80 -j ACCEPT
iptables -A OUT_tcpchain -p tcp --dport 443 -j ACCEPT
iptables -A OUT_tcpchain -j LOG_DROP
iptables -A FOR_tcpchain -p tcp --dport 80 -j ACCEPT
iptables -A FOR_tcpchain -p tcp --dport 443 -j ACCEPT
iptables -A FOR_tcpchain -j LOG_DROP
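As an added example (not code from the thread or from either poster): a small Python model of iptables filter-chain traversal, loaded with the INPUT half of the tested ruleset plus Lew Pitcher's "log, then drop" user chain, so that the user-chain jump, the non-terminating LOG target and the fall-through return to the calling chain can be checked against a few constructed packets. The packet dictionaries, the field names and the 203.0.113.10 address are the example's own assumptions; it models only the matches the thread uses.

```python
# Added example, not code from the thread: a toy model of iptables filter-chain traversal.
class Filter:
    def __init__(self):
        self.chains, self.logged = {}, []      # chain name -> [(match, target)], LOG hits
    def add(self, chain, target, **match):     # iptables -A chain <match> -j target
        self.chains.setdefault(chain, []).append((match, target))

    def _walk(self, chain, pkt, caller=None):
        for match, target in self.chains.get(chain, []):
            if any(pkt.get(k) != v for k, v in match.items()):
                continue                       # rule does not match this packet
            if target == "LOG":                # LOG is non-terminating: note it, keep going
                self.logged.append(caller or chain)
            elif target in ("ACCEPT", "DROP"):
                return target                  # terminating verdict
            else:                              # -j user chain; falling off its end returns here
                verdict = self._walk(target, pkt, caller=chain)
                if verdict:
                    return verdict
        return None                            # end of chain: back to caller, or chain policy

    def verdict(self, chain, pkt):
        return self._walk(chain, pkt) or "POLICY"   # built-in policy, ACCEPT unless changed

def build_input_side():
    # The INPUT half of the tested ruleset, with Lew Pitcher's "log, then drop" user chain.
    f = Filter()
    f.add("LOG_DROP", "LOG"); f.add("LOG_DROP", "DROP")
    f.add("INPUT", "ACCEPT", src="127.0.0.1", dst="127.0.0.1")
    for proto in ("tcp", "udp", "icmp"):
        f.add("INPUT", "IN_%schain" % proto, proto=proto)
    f.add("INPUT", "LOG_DROP")                                   # catch-all
    for ns in ("168.95.192.1", "168.95.1.1"):                    # the two trusted resolvers
        f.add("IN_udpchain", "ACCEPT", proto="udp", src=ns, sport=53)
    f.add("IN_udpchain", "LOG_DROP")
    f.add("IN_icmpchain", "ACCEPT", proto="icmp", icmp_type=0)
    f.add("IN_icmpchain", "LOG_DROP", proto="icmp", icmp_type=0)  # thread's pattern: never matches
    f.add("IN_tcpchain", "LOG_DROP", proto="tcp", syn=True)      # no inbound connections
    f.add("IN_tcpchain", "ACCEPT", proto="tcp", sport=80)        # stateless: replies from web ports
    f.add("IN_tcpchain", "ACCEPT", proto="tcp", sport=443)
    f.add("IN_tcpchain", "LOG_DROP")
    return f

# Constructed sample packets; 203.0.113.10 is a documentation address, not a real host.
WEB_REPLY = {"proto": "tcp", "src": "203.0.113.10", "sport": 80, "dport": 40000, "syn": False}
NEW_SSH = {"proto": "tcp", "src": "203.0.113.10", "sport": 51000, "dport": 22, "syn": True}
DNS_OK = {"proto": "udp", "src": "168.95.1.1", "sport": 53, "dport": 40001}
DNS_ROGUE = {"proto": "udp", "src": "203.0.113.10", "sport": 53, "dport": 40001}
PING_REQ = {"proto": "icmp", "src": "203.0.113.10", "icmp_type": 8}
```

The PING_REQ case shows the fall-through: the ICMP chain's own type-0 LOG_DROP rule never fires, so the packet returns to INPUT and is logged and dropped by the catch-all there instead.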

 