RE: IPTables configuration.
The call of PAROLE for TCP DST 80 paquets isnt restrictive enough.
I would call that rule only this way :
replace
384 19428 PAROLE tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:80
with a rule like :
/sbin/iptables -p tcp --dport 80 -m state --state NEW -j PAROLE
in the PUB_IN chain
So that (nearly) only SYN packets go through that rule, not forget TCP
session packets.
Your firewall allows all OUT, that is not a bad policy if you trust all
users and applications you run.
I would agree with that policy for a personnal firewall as this seems to be.
I don't really like the general looking of the rest (some useless chains,
some useless calls).
The FORWARD chain could be empty, since the ESTABLISHED, RELATED chain in it
will never match any packet.
Maybe you want to LOG some packets in that rule, that is another option.
Chains INT_IN and INT_OUT are never used, delete them.
Call to chain PUB_OUT is useless, and could be forgotten, as well as that
chain.
This seems to be a very "tiny" (personnal) firewall.
Probably most important in all I said : set the NEW state in incoming TCP 80
packets.
The rest is just to make your rules cleaner, it doesn't modify the way the
firewall works.
> -----Original Message-----
> From: Tore Nilsson [mailto:iceydee@bredband.net]
> Sent: Wednesday 4 December 2002 15:13
> To: DEFFONTAINES Vincent
> Cc: debian-security@lists.debian.org
> Subject: Re: IPTables configuration.
>
>
> Hi!
>
> The machine is a standalone web server. I've been getting a bunch of
> portscans and some weird logs in my webserver logs. I'd like to block
> those ip's completely. However, I'm nut quite sure where in
> this setup I'd
> put them. I was thinking they'd go into PAROLE.
>
> Here's the output of "iptables -L -n -v":
>
> Chain INPUT (policy DROP 0 packets, 0 bytes)
> pkts bytes target prot opt in out source
> destination
> 0 0 DROP tcp -- !lo * 0.0.0.0/0
> 127.0.0.0/8
> 74607 20M ACCEPT all -- * * 0.0.0.0/0
> 0.0.0.0/0 state RELATED,ESTABLISHED
> 1 208 ACCEPT all -- lo * 0.0.0.0/0
> 0.0.0.0/0
> 0 0 DROP all -- * * 224.0.0.0/4
> 0.0.0.0/0
> 331K 39M PUB_IN all -- eth0 * 0.0.0.0/0
> 0.0.0.0/0
> 0 0 DROP all -- * * 0.0.0.0/0
> 0.0.0.0/0
>
> Chain FORWARD (policy DROP 0 packets, 0 bytes)
> pkts bytes target prot opt in out source
> destination
> 0 0 ACCEPT all -- * * 0.0.0.0/0
> 0.0.0.0/0 state RELATED,ESTABLISHED
> 0 0 DROP all -- * * 0.0.0.0/0
> 0.0.0.0/0
>
> Chain OUTPUT (policy ACCEPT 2 packets, 244 bytes)
> pkts bytes target prot opt in out source
> destination
> 77803 17M PUB_OUT all -- * eth0 0.0.0.0/0
> 0.0.0.0/0
>
> Chain INT_IN (0 references)
> pkts bytes target prot opt in out source
> destination
> 0 0 ACCEPT icmp -- * * 0.0.0.0/0
> 0.0.0.0/0
> 0 0 DROP all -- * * 0.0.0.0/0
> 0.0.0.0/0
>
> Chain INT_OUT (0 references)
> pkts bytes target prot opt in out source
> destination
> 0 0 ACCEPT icmp -- * * 0.0.0.0/0
> 0.0.0.0/0
> 0 0 ACCEPT all -- * * 0.0.0.0/0
> 0.0.0.0/0
>
> Chain PAROLE (4 references)
> pkts bytes target prot opt in out source
> destination
> 443 22260 ACCEPT all -- * * 0.0.0.0/0
> 0.0.0.0/0
>
> Chain PUB_IN (1 references)
> pkts bytes target prot opt in out source
> destination
> 0 0 ACCEPT icmp -- * * 0.0.0.0/0
> 0.0.0.0/0 icmp type 3
> 0 0 ACCEPT icmp -- * * 0.0.0.0/0
> 0.0.0.0/0 icmp type 0
> 1 56 ACCEPT icmp -- * * 0.0.0.0/0
> 0.0.0.0/0 icmp type 11
> 384 19428 PAROLE tcp -- * * 0.0.0.0/0
> 0.0.0.0/0 tcp dpt:80
> 5 240 LOG tcp -- * * 0.0.0.0/0
> 0.0.0.0/0 tcp dpt:23 state INVALID,NEW limit: avg
> 5/sec burst 8 LOG
> flags 0 level 4 prefix `audit'
> 51 2524 LOG tcp -- * * 0.0.0.0/0
> 0.0.0.0/0 tcp dpt:21 state INVALID,NEW limit: avg
> 5/sec burst 8 LOG
> flags 0 level 4 prefix `audit'
> 0 0 LOG tcp -- * * 0.0.0.0/0
> 0.0.0.0/0 tcp dpt:143 state INVALID,NEW limit: avg
> 5/sec burst 8
> LOG flags 0 level 4 prefix `audit'
> 3 140 LOG tcp -- * * 0.0.0.0/0
> 0.0.0.0/0 tcp dpt:110 state INVALID,NEW limit: avg
> 5/sec burst 8
> LOG flags 0 level 4 prefix `audit'
> 7 332 LOG tcp -- * * 0.0.0.0/0
> 0.0.0.0/0 tcp dpt:79 state INVALID,NEW limit: avg
> 5/sec burst 8 LOG
> flags 0 level 4 prefix `audit'
> 6 360 LOG tcp -- * * 0.0.0.0/0
> 0.0.0.0/0 tcp dpt:111 state INVALID,NEW limit: avg
> 5/sec burst 8
> LOG flags 0 level 4 prefix `audit'
> 0 0 LOG tcp -- * * 0.0.0.0/0
> 0.0.0.0/0 tcp dpt:512 state INVALID,NEW limit: avg
> 5/sec burst 8
> LOG flags 0 level 4 prefix `audit'
> 0 0 LOG tcp -- * * 0.0.0.0/0
> 0.0.0.0/0 tcp dpt:513 state INVALID,NEW limit: avg
> 5/sec burst 8
> LOG flags 0 level 4 prefix `audit'
> 0 0 LOG tcp -- * * 0.0.0.0/0
> 0.0.0.0/0 tcp dpt:98 state INVALID,NEW limit: avg
> 5/sec burst 8 LOG
> flags 0 level 4 prefix `audit'
> 7 380 LOG tcp -- * * 0.0.0.0/0
> 0.0.0.0/0 tcp dpt:22 state INVALID,NEW limit: avg
> 5/sec burst 8 LOG
> flags 0 level 4 prefix `audit'
> 0 0 LOG tcp -- * * 0.0.0.0/0
> 0.0.0.0/0 tcp dpt:1980 state INVALID,NEW limit: avg
> 5/sec burst 8
> LOG flags 0 level 4 prefix `audit'
> 0 0 LOG udp -- * * 0.0.0.0/0
> 0.0.0.0/0 udp dpt:31337 state INVALID,NEW limit: avg
> 5/sec burst 8
> LOG flags 0 level 4 prefix `audit'
> 145 47167 DROP icmp -- * * 0.0.0.0/0
> 0.0.0.0/0
> 331K 39M DROP all -- * * 0.0.0.0/0
> 0.0.0.0/0
>
> Chain PUB_OUT (1 references)
> pkts bytes target prot opt in out source
> destination
> 77803 17M ACCEPT all -- * * 0.0.0.0/0
> 0.0.0.0/0
>
> ----- Original Message -----
> From: "DEFFONTAINES Vincent" <Vincent.DEFFONTAINES@coe.int>
> To: <debian-security@lists.debian.org>
> Sent: Wednesday, December 04, 2002 2:45 PM
> Subject: RE: IPTables configuration.
>
>
> > To correctly audit your configuration, I need an output of
> > "/sbin/iptables -L -n -v"
> > The mere "/sbin/iptables -L [-n]" is not sufficient to me,
> cause it won't
> > reveal the per interface filters.
> >
> > Vincent
> >
> >
> >
> >
> > > -----Original Message-----
> > > From: Tore Nilsson [mailto:iceydee@bredband.net]
> > > Sent: Wednesday 4 December 2002 14:23
> > > To: debian-security@lists.debian.org
> > > Subject: IPTables configuration.
> > >
> > >
> > > Hello!
> > >
> > > Can someone review my iptables configuration and give suggestions?
> > > Btw. if I'd want to block someone completely using this
> configuration
> > > should I put them in "Parole" by using this command:
> > >
> > > iptables -A PAROLE -s [ip-number] -j DROP
> > >
> > > //Tore Nilsson
> > >
> > > here's my configuration. btw, it was made with Bastille:
> > >
> > > Chain INPUT (policy DROP)
> > > target prot opt source destination
> > > DROP tcp -- anywhere 127.0.0.0/8
> > > ACCEPT all -- anywhere anywhere state
> > > RELATED,ESTABLISHED
> > > ACCEPT all -- anywhere anywhere
> > > DROP all -- BASE-ADDRESS.MCAST.NET/4 anywhere
> > > PUB_IN all -- anywhere anywhere
> > > DROP all -- anywhere anywhere
> > >
> > > Chain FORWARD (policy DROP)
> > > target prot opt source destination
> > > ACCEPT all -- anywhere anywhere state
> > > RELATED,ESTABLISHED
> > > DROP all -- anywhere anywhere
> > >
> > > Chain OUTPUT (policy ACCEPT)
> > > target prot opt source destination
> > > PUB_OUT all -- anywhere anywhere
> > >
> > > Chain INT_IN (0 references)
> > > target prot opt source destination
> > > ACCEPT icmp -- anywhere anywhere
> > > DROP all -- anywhere anywhere
> > >
> > > Chain INT_OUT (0 references)
> > > target prot opt source destination
> > > ACCEPT icmp -- anywhere anywhere
> > > ACCEPT all -- anywhere anywhere
> > >
> > > Chain PAROLE (4 references)
> > > target prot opt source destination
> > > ACCEPT all -- anywhere anywhere
> > >
> > > Chain PUB_IN (1 references)
> > > target prot opt source destination
> > > ACCEPT icmp -- anywhere anywhere icmp
> > > destination-unreachable
> > > ACCEPT icmp -- anywhere anywhere
> > > icmp echo-reply
> > > ACCEPT icmp -- anywhere anywhere icmp
> > > time-exceeded
> > > PAROLE tcp -- anywhere anywhere
> > > tcp dpt:www
> > > LOG tcp -- anywhere anywhere
> > > tcp dpt:telnet
> > > state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning
> > > prefix `audit'
> > > LOG tcp -- anywhere anywhere
> > > tcp dpt:ftp
> > > state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning
> > > prefix `audit'
> > > LOG tcp -- anywhere anywhere
> > > tcp dpt:imap2
> > > state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning
> > > prefix `audit'
> > > LOG tcp -- anywhere anywhere
> > > tcp dpt:pop3
> > > state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning
> > > prefix `audit'
> > > LOG tcp -- anywhere anywhere
> > > tcp dpt:finger
> > > state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning
> > > prefix `audit'
> > > LOG tcp -- anywhere anywhere
> > > tcp dpt:sunrpc
> > > state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning
> > > prefix `audit'
> > > LOG tcp -- anywhere anywhere
> > > tcp dpt:exec
> > > state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning
> > > prefix `audit'
> > > LOG tcp -- anywhere anywhere
> > > tcp dpt:login
> > > state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning
> > > prefix `audit'
> > > LOG tcp -- anywhere anywhere tcp
> > > dpt:linuxconf state INVALID,NEW limit: avg 5/sec burst 8 LOG
> > > level warning
> > > prefix `audit'
> > > LOG tcp -- anywhere anywhere
> > > tcp dpt:ssh
> > > state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning
> > > prefix `audit'
> > > LOG tcp -- anywhere anywhere
> > > tcp dpt:1980
> > > state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning
> > > prefix `audit'
> > > LOG udp -- anywhere anywhere
> > > udp dpt:31337
> > > state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning
> > > prefix `audit'
> > > DROP icmp -- anywhere anywhere
> > > DROP all -- anywhere anywhere
> > >
> > > Chain PUB_OUT (1 references)
> > > target prot opt source destination
> > > ACCEPT all -- anywhere anywhere
> > >
> > >
> > > --
> > > To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> > > with a subject of "unsubscribe". Trouble? Contact
> > > listmaster@lists.debian.org
> > >
> >
> >
> > --
> > To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> > with a subject of "unsubscribe". Trouble? Contact
> listmaster@lists.debian.org
> >
>
Reply to: