[CentOS] IPTables help

Mon May 26 00:50:00 UTC 2008
Fajar Priyanto <fajarpri at cbn.net.id>

On Saturday 24 May 2008 21:55:57 Robert Spangler wrote:
First of all, thank you Robert for pointing some points. For the sake of 
discussion, may I say something too?
> Since you believe that he wants a very strict firewall why are you setting
> the default policy's to ACCEPT?  Security 101, strict firewall drops
> everything from the start.  Then you open the access you require, not the
> other way around.
This is my mistake I think. It's because I was assuming the setting of the 
firewall is done from another machine (ssh). Those rules are to prevent 
unaware lockout.

> >  #Allowing needed ports:
> >  iptables -A INPUT -i eth0 -m multiport -p udp --dport 5060,10000:60000
> > -s ipthatyouwantallow -j ACCEPT
> >  iptables -A INPUT -i eth1 -m multiport -p udp --dport
> >  53,80,5060,10000:60000 -j ACCEPT
> >  iptables -A OUTPUT -m multiport -p udp --dport 53 -j ACCEPT
> >  iptables -A FORWARD -m multiport -p udp --dport 53,5060,10000:60000 -s
> >  ipthatyouallow -j ACCEPT
> >  iptables -A FORWARD -m multiport -p tcp --dport 80 -j ACCEPT
>
> First question you need to ask yourself is there any hosting services on
> this box that will require a connection form the WAN side.  If not then you
> should change your input statements to allow only the LAN.  You do not
> require the INPUT statements for packets that pass through the box as the
> FORWARD will handle all traffic passing through.
The OP said that it's an Asterisk box. So it surely needs some open ports, 
doesn't it?

> Second question is if you are using ESTABLISHED,RELATED why are you not
> using NEW in the above rules?
It depends on the context and level of details needed. Pls CMIIW, if we allow 
NEW in the above rules, then ALL traffic will be matched, and thus rendering 
all subsequent rules useless. Again pls CMIIW :)

> Third question is have you enables connection tracking?  If you are using
> ESTABLISHED,RELATED then the system needs a way to keep track of the
> connection.
I believe Centos has them enabled and it will automatically loaded when the 
rules are fired up. Pls CMIIW.

> If you want a 100% secure firewall then you will not allow any INPUT.  All
> modification would have to be done from the box using a keyboard.  If this
> is not an option then you can allow access from a trusted IP only and setup
> other security options.
Yes, this is my mistake assuming wrongly. Worth noted for the OP and everyone.

> >  #For masquerading:
> >  iptables -t nat -A POSTROUTING -o eth0 -d ! 192.168.0.0/24 -j MASQUERADE
>
> If the WAN port is connected directly to the Internet then you should MASQ
> all out going traffic and anything that is heading to 192.168.0.0/24 should
> be dropped.
You mean it should be:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE ?

> >  #Finally dropping all other traffic (positive list firewall):
> >  iptables -P INPUT DROP
> >  iptables -P OUTPUT DROP
> >  iptables -P FORWARD DROP
>
> This should be at the top for the firewall not the ACCEPT you have there
> now.

> For your reading enjoyment.
> http://iptables.rlworkman.net/chunkyhtml/index.html
Yes, the Oscar's tutorial seems to be the most popular one.
-- 
Fajar Priyanto | Reg'd Linux User #327841 | Linux tutorial 
http://linux2.arinet.org
07:46:18 up 45 min, 2.6.22-14-generic GNU/Linux 
Let's use OpenOffice. http://www.openoffice.org
The real challenge of teaching is getting your students motivated to learn.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.centos.org/pipermail/centos/attachments/20080526/23d3cd3e/attachment-0005.sig>