On Saturday 24 May 2008 21:55:57 Robert Spangler wrote: First of all, thank you Robert for pointing some points. For the sake of discussion, may I say something too?
Since you believe that he wants a very strict firewall why are you setting the default policy's to ACCEPT? Security 101, strict firewall drops everything from the start. Then you open the access you require, not the other way around.
This is my mistake I think. It's because I was assuming the setting of the firewall is done from another machine (ssh). Those rules are to prevent unaware lockout.
#Allowing needed ports: iptables -A INPUT -i eth0 -m multiport -p udp --dport 5060,10000:60000 -s ipthatyouwantallow -j ACCEPT iptables -A INPUT -i eth1 -m multiport -p udp --dport 53,80,5060,10000:60000 -j ACCEPT iptables -A OUTPUT -m multiport -p udp --dport 53 -j ACCEPT iptables -A FORWARD -m multiport -p udp --dport 53,5060,10000:60000 -s ipthatyouallow -j ACCEPT iptables -A FORWARD -m multiport -p tcp --dport 80 -j ACCEPT
First question you need to ask yourself is there any hosting services on this box that will require a connection form the WAN side. If not then you should change your input statements to allow only the LAN. You do not require the INPUT statements for packets that pass through the box as the FORWARD will handle all traffic passing through.
The OP said that it's an Asterisk box. So it surely needs some open ports, doesn't it?
Second question is if you are using ESTABLISHED,RELATED why are you not using NEW in the above rules?
It depends on the context and level of details needed. Pls CMIIW, if we allow NEW in the above rules, then ALL traffic will be matched, and thus rendering all subsequent rules useless. Again pls CMIIW :)
Third question is have you enables connection tracking? If you are using ESTABLISHED,RELATED then the system needs a way to keep track of the connection.
I believe Centos has them enabled and it will automatically loaded when the rules are fired up. Pls CMIIW.
If you want a 100% secure firewall then you will not allow any INPUT. All modification would have to be done from the box using a keyboard. If this is not an option then you can allow access from a trusted IP only and setup other security options.
Yes, this is my mistake assuming wrongly. Worth noted for the OP and everyone.
#For masquerading: iptables -t nat -A POSTROUTING -o eth0 -d ! 192.168.0.0/24 -j MASQUERADE
If the WAN port is connected directly to the Internet then you should MASQ all out going traffic and anything that is heading to 192.168.0.0/24 should be dropped.
You mean it should be: iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE ?
#Finally dropping all other traffic (positive list firewall): iptables -P INPUT DROP iptables -P OUTPUT DROP iptables -P FORWARD DROP
This should be at the top for the firewall not the ACCEPT you have there now.
For your reading enjoyment. http://iptables.rlworkman.net/chunkyhtml/index.html
Yes, the Oscar's tutorial seems to be the most popular one.