28th April 2009, 06:41 PM #1
iptables firewall rules
I've got my squid box exposed to the internet, so it's acting as the gateway for the network; it's got all ports open to the outside world on it. What firewall rules should I be using to give me decent protection? Currently I've got one to drop all traffic that isn't established or related, but that isn't a good level of protection, is it?
28th April 2009, 06:48 PM #2
I would unplug your network from the internet until you have some protection.
28th April 2009, 06:48 PM #3
Depending on how you've done it, it's fine. (Why, what else do you think it should do?) You should be dropping in the default for the incoming chain and have an exception in for established or related.
Originally Posted by Jackd
If it's the gateway though, rather than just a filtering server, presumably you already have it set up to do NAT and forwarding?
28th April 2009, 07:45 PM #4
That's the blocking rule I've got, and yes, I've got some masquerading rules too for it, but is that OK or do I need other rules for it to be better?
-A INPUT -m state -i eth0 ! --state ESTABLISHED,RELATED -j DROP
28th April 2009, 08:07 PM #5
Reverse that rule and make the chain default to drop, and add a rule to allow established and related connections. Something like this (substituting $EDEV for your external interface, $IDEV for your internal interface, and $RANGE for your IP range, eg 192.168.0.0/24):
iptables --flush #flush out existing rules
iptables -A INPUT -i lo -j ACCEPT #allow loopback, otherwise local services talking to 127.0.0.1 break under a DROP policy
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT #allow replies to connections the box itself opened (e.g. squid fetching pages)
iptables -A INPUT -p tcp --dport 22 -s $RANGE -j ACCEPT #example: allow incoming SSH from the LAN only
iptables -A INPUT -p tcp --dport 80 -s $RANGE -j ACCEPT #example: allow incoming HTTP from the LAN only
iptables -P INPUT DROP #finally, drop all other packets
iptables -A FORWARD -i $IDEV -o $EDEV -j ACCEPT #forwarding from internal to external
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT #return traffic for NATed connections, otherwise the DROP policy below eats the replies
iptables -P FORWARD DROP #finally, drop other forward traffic
iptables -t nat --flush #flush NAT rules
iptables -t nat -A POSTROUTING -o $EDEV -j MASQUERADE #enable NAT masquerading
echo 1 > /proc/sys/net/ipv4/ip_forward #enable packet forwarding
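As an added example (not part of the thread, and not the poster's script), here is a small POSIX sh audit that reads an iptables-save style dump and checks the properties post #5 is getting at: INPUT and FORWARD default to DROP, each chain has a non-negated ESTABLISHED,RELATED ACCEPT so reply traffic gets through, and loopback is allowed. The two rulesets embedded below are constructed for the example; eth0 as the external interface, eth1 as the internal one and 192.168.0.0/24 as the LAN are assumptions.

```shell
#!/bin/sh
# Added example: audit an iptables-save style dump for the default-deny
# properties discussed in this thread. Not the poster's script; the two
# rulesets below are constructed, and eth0/eth1 and 192.168.0.0/24 are assumed.

# Constructed: the thread's starting point, one DROP rule under an ACCEPT policy.
BAD_RULESET='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth0 -m state ! --state ESTABLISHED,RELATED -j DROP
COMMIT'

# Constructed: default-DROP layout with stateful accepts, as post #5 describes.
GOOD_RULESET='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 192.168.0.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'

# chain_policy RULESET CHAIN: print the filter-table policy of CHAIN (DROP/ACCEPT).
# Policy lines look like ":INPUT DROP [0:0]"; only the *filter table is considered.
chain_policy() {
    printf '%s\n' "$1" | awk -v chain=":$2" '
        /^\*/ { table = $1 }
        table == "*filter" && $1 == chain { print $2; exit }'
}

# has_state_accept RULESET CHAIN: succeed if CHAIN has a non-negated
# ESTABLISHED,RELATED -> ACCEPT rule, i.e. reply packets get through.
has_state_accept() {
    printf '%s\n' "$1" \
        | grep -- "^-A $2 " \
        | grep -v -- '! --state' \
        | grep -q -- '--state ESTABLISHED,RELATED .*-j ACCEPT$'
}

# accepts_loopback RULESET: succeed if the INPUT chain accepts traffic on lo.
accepts_loopback() {
    printf '%s\n' "$1" | grep -q -- '^-A INPUT -i lo -j ACCEPT$'
}

# audit_ruleset RULESET: print one finding per line; succeed only if clean.
audit_ruleset() {
    ruleset=$1
    findings=0
    for chain in INPUT FORWARD; do
        if [ "$(chain_policy "$ruleset" "$chain")" != "DROP" ]; then
            echo "$chain: policy is not DROP; one blacklist rule is not default-deny"
            findings=$((findings + 1))
        fi
        if ! has_state_accept "$ruleset" "$chain"; then
            echo "$chain: no ESTABLISHED,RELATED ACCEPT rule; reply traffic would be dropped"
            findings=$((findings + 1))
        fi
    done
    if ! accepts_loopback "$ruleset"; then
        echo "INPUT: loopback not accepted; local services cannot reach 127.0.0.1"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

echo "== constructed BAD ruleset =="
audit_ruleset "$BAD_RULESET" || echo "(not default-deny)"
echo "== constructed GOOD ruleset =="
audit_ruleset "$GOOD_RULESET" && echo "ok: default-deny with stateful accepts"
```

On a live box the same function can be pointed at the real ruleset with `audit_ruleset "$(iptables-save)"`. The audit only recognises the `-m state --state` match shown in the thread; a ruleset written with the newer `-m conntrack --ctstate` form would need the grep pattern extended.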