>I dial up using DSL and my interface device is ppp0. I don't have any
>other computers connected to this one (so I don't need NAT, right?).
>I only want usual browsing, IRC, and also that I should be able to
>connect from my univ. to my home. I don't host any webpages and have
>no need for an ftp server.
>Since I am still a newbie, I have all the services switched off, till I
>can get a reasonable set of rules figured out.
>What do you have to say about the following?
Mostly fine; some comments interleaved with your script, and a proposal for
an alternative script at the end, along with some discussion.
>#Firewall configuration written by HSS.
>#allow everything on loopback so that my own computer is able to access
>#over the loopback interface
>$IPTBLS -A INPUT -i lo -p all -j ACCEPT
>$IPTBLS -A OUTPUT -o lo -p all -j ACCEPT
"-p all" is the default if no "-p XXX" is specified. Also, you don't need
to separately accept the local interface traffic on output, as I don't
see you limiting the outbound traffic in any way.
>#allow these services
>$IPTBLS -A INPUT -p tcp --dport 22 -j ACCEPT # accept ssh
Slight problem here -- you're allowing _anything_ to your SSH port,
including various TCP flag scans - as you're dropping the suspicious
TCP flag combinations only later. I'll return to my solution to this
issue later in the message.
># Bad TCP flags
>$IPTBLS -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
>$IPTBLS -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
>$IPTBLS -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
>$IPTBLS -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
>$IPTBLS -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
>$IPTBLS -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
This, I _think_ (though I still haven't seen clear documentation, nor
gone through the documentation myself), you can drop with
iptables -A INPUT -m state --state INVALID -j DROP
>#ICMP (0=Pong,3=Dest.Unreach,11=Time Exceeded,8=Ping)
>$IPTBLS -A INPUT -p icmp --icmp-type 0 -j ACCEPT
>$IPTBLS -A INPUT -p icmp --icmp-type 3 -j ACCEPT
>#$IPTBLS -A INPUT -p icmp --icmp-type 11 -j ACCEPT
>$IPTBLS -A INPUT -p icmp --icmp-type 8 -j ACCEPT
>$IPTBLS -A INPUT -p icmp -j DROP
More or less, the only ICMP type you need to specifically accept is the
ICMP echo (type 8). The others are always _related_ to some "connection"
you already have. "Connection" is in quotes above, as here I talk about
connections as iptables sees them; so not TCP connections but connections
registered in the iptables connection cache - so in this sense a
connection may also be UDP.
>$IPTBLS -A INPUT -p udp --dport 33434 -j REJECT # Traceroute default port
>$IPTBLS -A INPUT -i ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT
This needs to be much earlier.
># Drop everything else
>$IPTBLS -A INPUT -j DROP
Can be done with "policy DROP".
So, here's my version of what you had above:
# Drop all packets not otherwise matched
iptables -P INPUT DROP
# Delete all rules from the input chain;
# this allows you to run this script multiple times consecutively,
# so f.ex. allows you to just update the rules in this script and
# re-run the script to have the changes take effect
iptables -F INPUT
# Accept anything and everything from the local interface
iptables -A INPUT -i lo -j ACCEPT
# Drop packets in an invalid state
# You might also put the explicit TCP flag rules from your original
# script here.
iptables -A INPUT -m state --state INVALID -j DROP
# Allow all return packets for traffic that was initiated from this
# host; also allow all packets for previously accepted inbound connections
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow starting new SSH connections from remote machines
iptables -A INPUT -p tcp --dport 22 --syn -j ACCEPT
# Reject packets to the traceroute port, thus responding to
# traceroute requests
iptables -A INPUT -p udp --dport 33434 -j REJECT
# Accept incoming ICMP ping requests; all connection-related ICMP is
# already accepted by the "RELATED,ESTABLISHED" rule
iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
So, after the "RELATED,ESTABLISHED" rule, allow only packets that
establish a new connection (though non-SYN TCP packets not already
belonging to an established connection should be dropped by the
"INVALID" rule, if I understand correctly).
For example, if someone now sends an ACK (or FIN) packet to your
SSH port, the packet will not be accepted if there wasn't already
an established SSH connection to which the packet belongs. With
your model, the SSH accept was so early that these invalid packets
would've been accepted for some processing at least.
You might also want to REJECT incoming connection requests for tcp/auth
(ident), as some servers (at least some FTP servers and some SMTP servers)
try to do an ident lookup to find out more about your identity when you're
connecting, and can wait for up to 30 seconds or so to get the response.
So, when connecting to these sites, if you just drop their ident query,
you'll have an avoidable 30s delay.
Wolf a.k.a. Juha Laiho Espoo, Finland
PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
"...cancel my subscription to the resurrection!" (Jim Morrison)
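The INPUT-chain rule set argued for in the reply above, assembled into one re-runnable script, as an added example that is not Juha's proposed script nor the original poster's. It keeps the poster's explicit TCP-flag drops next to the INVALID rule, adds the tcp/113 (ident) REJECT suggested at the end of the message, and widens the traceroute rule to the port range classic Linux traceroute actually walks. The `rule` helper, the `IPT` variable (set `IPT=echo` to print the rules instead of applying them) and the `show`/`apply` arguments are my own conventions, not anything from the thread; `-m conntrack --ctstate` is the current spelling of `-m state --state` and matches the same states. As in the reply, nothing is filtered on OUTPUT and no forwarding or NAT is configured.

```shell
#!/bin/sh
# Added example, not the script from the thread. Re-runnable INPUT-chain
# firewall for a single DSL host (no forwarding/NAT), in the order the reply
# argues for: flush, loopback, INVALID, RELATED/ESTABLISHED, then only
# new-connection packets for the services actually offered.
# Usage:  sh fw.sh show    # print the rules (IPT=echo), no root needed
#         sh fw.sh apply   # install them (run as root)
set -eu

# Assumption: $IPT names the iptables binary; IPT=echo turns every rule
# into a printed line so the set can be reviewed or diffed before use.
IPT="${IPT:-iptables}"

# Run (or print) one iptables command.
rule() { "$IPT" "$@"; }

firewall_rules() {
    # Default deny; anything not matched below is silently dropped.
    rule -P INPUT DROP
    # Flush INPUT so re-running the script replaces rather than appends.
    # (-F does not reset the policy, so the DROP default stays in force.)
    rule -F INPUT
    # Loopback is trusted.
    rule -A INPUT -i lo -j ACCEPT
    # Packets conntrack cannot place in any known connection, e.g. a bare
    # ACK or FIN aimed at port 22 with no session behind it.
    # (-m conntrack --ctstate is the current spelling of -m state --state.)
    rule -A INPUT -m conntrack --ctstate INVALID -j DROP
    # The poster's explicit TCP flag checks, kept as defence in depth that
    # does not depend on the conntrack module: NULL, SYN+FIN, SYN+RST and
    # Xmas (FIN,URG,PSH) probes.
    rule -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
    rule -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    rule -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
    rule -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
    # Replies to our own outbound traffic, the rest of any connection we
    # accepted below, and RELATED ICMP errors (dest-unreach, time-exceeded).
    rule -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # New SSH connections only: --syn matches SYN set with ACK/RST/FIN clear,
    # so only a genuine connection request gets past this line.
    rule -A INPUT -p tcp --dport 22 --syn -j ACCEPT
    # ident (tcp/113): answer with a RST so remote FTP/SMTP servers doing an
    # ident lookup fail immediately instead of waiting for a timeout.
    rule -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
    # UDP traceroute probes: classic traceroute walks 33434 upward, one port
    # per probe (30 hops x 3 probes = 33434-33523). REJECT (default
    # icmp-port-unreachable) is what tells the sender it reached the target.
    rule -A INPUT -p udp --dport 33434:33523 -j REJECT
    # Echo request; every other ICMP we want is RELATED to a connection.
    rule -A INPUT -p icmp --icmp-type 8 -j ACCEPT
}

case "${1:-}" in
    show)  IPT=echo; firewall_rules ;;
    apply) firewall_rules ;;
esac
```

Run `sh fw.sh show` first and check the printed order (RELATED,ESTABLISHED must come before the port-22 rule, and INVALID before both); `iptables -L INPUT -n -v --line-numbers` after `apply` shows the same order with packet counters, which is the quickest way to confirm that a stray ACK to port 22 is being counted by the INVALID rule rather than reaching sshd.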