UPDATE

Boy am I glad I asked. OK, I'll try again and post another question.


I'd like to set up a CentOS 5.3 host to allow only ping, ssh, httpd, and SSL connections.

After reading a tutorial and attempting to create a config here's where I'm at...

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
REJECT     all  --  anywhere             127.0.0.0/8         reject-with icmp-port-unreachable 
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh 
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request 
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain RH-Firewall-1-INPUT (0 references)
target     prot opt source               destination

It looks to me as though I've accomplished my goal, but I thought I would double check with the experts here.

Anything look drastically wrong?

Agvorth
  • As a Unix admin, I am not quite sure, but the first ACCEPT permits all traffic, doesn't it? – TiFFolk Nov 14 '09 at 23:58
  • Another tip: to show counters for the filter table, it's iptables -L -nv; it will show you which of your rules are being hit. I believe TiFFolk is right, btw. – xenoterracide Nov 15 '09 at 05:39

3 Answers

Your policies (except OUTPUT) should be set to DROP (the following code assumes no rules in place).

Start with this:

iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP 

Now add any other services that you may need listening on an interface:

iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT

Don't use REJECT unless you limit it... remember, for every packet that's rejected, one will be sent back; this can create a lot of traffic. I say just don't use it.

I've got a thing I wrote for desktop usage here.

xenoterracide

It looks like you are set to deny anything trying to use TCP to communicate with the local host. I would avoid that, because there are several legitimate things[citation needed] that would be prevented by that.

Kevin M
  • Yeah, dropping stuff on lo == bad. You'll note in my answer I specifically allow everything on lo. I found it ultimately too hard to manage a localhost otherwise. – xenoterracide Nov 15 '09 at 05:35

The only thing drastically wrong is that you're blocking ICMP. Very very bad idea. This breaks PMTU discovery. Just let ICMP through.

I'm assuming you've just added this in for testing, but:

ACCEPT     all  --  anywhere             anywhere

allows all traffic. So, this ruleset does nothing.

You're also breaking:

  • internal services talking on loopback (rule should say "packets not coming in on lo")
  • ping replies (let ICMP through!)

Suggestions:

  • Why not add state NEW to your dpt:http and dpt:https as well?
MikeyB
  • Then it would not only have to check for port 80 but for the NEW state as well; if it's not INVALID, RELATED, or ESTABLISHED, it's NEW. That would add a minor inefficiency. – xenoterracide Nov 15 '09 at 05:30
  • It would also close a theoretical hole where anybody can send arbitrary packets to http/https ports. – MikeyB Feb 01 '10 at 19:15
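As an added example (not code from the question or from any of the answers), here is a small Python auditor that parses the text printed by iptables -L and flags the three problems the answers raise: an ACCEPT default policy on INPUT or FORWARD, an unconditional rule that shadows everything after it, and a REJECT/DROP of 127.0.0.0/8 on INPUT that breaks services on loopback. The sample listing is the question's own output, trimmed to the INPUT and FORWARD chains; the function names are my own.

```python
import re

# Constructed sample: the INPUT and FORWARD chains from the question, as
# printed by `iptables -L` (without -v, so interfaces are not shown).
SAMPLE = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             127.0.0.0/8         reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
"""

def parse_listing(text):
    """Return {chain: (policy, [(target, prot, src, dst, match), ...])}."""
    chains, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) \(policy (\S+)\)", line)
        if m:
            cur = m.group(1)
            chains[cur] = (m.group(2), [])
        elif cur and line.strip() and not line.startswith("target"):
            f = line.split(None, 5)            # target prot opt source destination [match]
            chains[cur][1].append((f[0], f[1], f[3], f[4], f[5].strip() if len(f) > 5 else ""))
    return chains

def audit(text):
    """Flag the mistakes the answers point out; returns a list of finding strings."""
    findings = []
    for chain, (policy, rules) in parse_listing(text).items():
        if chain in ("INPUT", "FORWARD") and policy != "DROP":
            findings.append(f"{chain}: default policy is {policy}, should be DROP")
        for i, (target, prot, src, dst, match) in enumerate(rules, 1):
            # 'reject-with' is a target option, not a match; strip it before deciding
            # whether the rule matches every packet unconditionally.
            conds = re.sub(r"reject-with \S+", "", match).strip()
            if prot == "all" and src == dst == "anywhere" and not conds and i < len(rules):
                findings.append(f"{chain} rule {i}: unconditional {target} shadows {len(rules) - i} later rule(s)")
            if chain == "INPUT" and target in ("DROP", "REJECT") and dst.startswith("127."):
                findings.append(f"INPUT rule {i}: {target} to {dst} breaks loopback services; use '! -i lo' instead")
    return findings
```

Run audit(SAMPLE) against the question's listing and it reports that rule 1 makes the other seven rules dead, which is why the ruleset as posted accomplishes nothing.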