Review my iptables script?

gorshing

10-09-2005 23:48:52

I would appreciate any comments concerning my iptables script.

My way of thinking is to drop everything, then accept the things that I need. Anybody have another way of thinking?

I do have some questions that are marked in the comments.

Thanks



# Initialize all the chains by removing all the rules

# tied to them

iptables --flush

iptables -t nat --flush

iptables -t mangle --flush





echo 1 >/proc/sys/net/ipv4/ip_dynaddr

echo 1 >/proc/sys/net/ipv4/ip_forward



# Now that the chains have been initialized, the user defined

# chains should be deleted. We'll recreate them in the next step

iptables --delete-chain

iptables -t nat --delete-chain

iptables -t mangle --delete-chain





# If a packet doesn't match one of the built in chains, then

# The policy should be to drop it

iptables -P INPUT DROP

iptables -P OUTPUT ACCEPT

iptables -P FORWARD ACCEPT





# Accept anything from loopback

iptables -I INPUT  -i lo -j ACCEPT

iptables -I OUTPUT -o lo -j ACCEPT





# Accept anything coming from the internal network and loopback

iptables -I INPUT 1 -i eth1 -j ACCEPT

iptables -I INPUT 1 -i lo -j ACCEPT





# Accept all from localhost

iptables -A INPUT -s 127.0.0.1 -j ACCEPT





# Accept all previously established connections

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT





# Accept Bittorrent

iptables -A INPUT -i eth0 -p tcp --dport 68816889 -j ACCEPT





# Accept TeamSpeak

iptables -A INPUT -i eth0 -p udp -m udp --dport 8767 -j ACCEPT 





# Allow internal network internet access

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE





# ?

iptables -t nat --policy POSTROUTING ACCEPT

iptables -t nat --policy PREROUTING ACCEPT

 



# (Webserver) Which of the following two rules are better?

iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 2000 -j ACCEPT

#iptables -A INPUT -i eth0 --protocol tcp --dport 2000 -j ACCEPT





# Log anything coming in on system ports, does Cox block all these already?

iptables -I INPUT -i eth0 -p tcp --dport 11024 -j LOG

iptables -I INPUT -i eth0 -p udp --dport 11024 -j LOG





#---------------------------------------------------------------

# Log anything coming inside

#---------------------------------------------------------------

#iptables -I INPUT -i eth0 -j LOG

Despite

12-09-2005 07:33:44

concerning that webserver bit I like to put a -p tcp --syn in there, which just means that the packet must have the SYN bit set and the RST and ACK bits cleared. in other words, a properly formed new connection attempt. but then for all I know, your --state NEW may do exactly the same thing, although the iptables man page isn't clear about that.

gorshing

12-09-2005 08:59:00

Thanks,

I'll look into that