[suse-security] IPTables-Problem

Hi there,

Is there someone who can give me some advice on my firewall script?

SuSE Linux 8.1
Kernel 2.4.19
-- in /etc/sysconfig and so on, all SuSEfirewall and SuSEconfig entries deleted.

Gateway with eth0 = extern, eth1 = intern.

I took a book about firewall design as a blueprint and then adapted it to our
situation here.
The machine should be a router between a private network and the Internet.

I can do POP, HTTP et al. With the policy set to

iptables -P O/F/I DROP

nothing works except ICMP; no DNS, no HTTP, no POP or SMTP.
I can set the ICMP chain to DROP, and then pinging from the gateway is
disabled, so the rules basically seem to work well.

With iptables -P ACCEPT on all 3 chains everything works fine; but what
about security then?

I'm a bit confused about that; does anyone have a suggestion what my mistake might be?

!!The use of iptables -P .... DROP at the beginning as well as at the end of
the script was recommended by the author of the book, Wolfgang Barth!!
Here's the entire script:

echo "firewall initialising"

# variables

# Default Policy: 

$iptables -P INPUT     DROP
$iptables -P FORWARD   DROP
$iptables -P OUTPUT    DROP

# flush everything

$iptables -F
$iptables -t nat -F    # NAT
$iptables -X

# local  

$iptables -A OUTPUT -o lo -j ACCEPT
$iptables -A INPUT  -i lo -j ACCEPT

# Forwarding and Masquerading

$iptables -t nat -A POSTROUTING -o $ex -j MASQUERADE

echo 1 > /proc/sys/net/ipv4/ip_forward

# connections

$iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A INPUT -m state --state NEW,INVALID -j DROP

# icmp

$iptables -A OUTPUT -p ICMP --icmp-type echo-request -j ACCEPT
$iptables -A INPUT  -p ICMP --icmp-type echo-request -j ACCEPT

# Nameserver

$iptables -A FORWARD -i $in -o $ex -m state --state NEW,ESTABLISHED,RELATED -d $ns -j ACCEPT
$iptables -A FORWARD -i $ex -o $in -m state --state NEW,ESTABLISHED,RELATED -s $ns -j ACCEPT


$iptables -A FORWARD -i $in -o $ex -m state --state NEW,ESTABLISHED,RELATED -p TCP --dport http -j ACCEPT

# POP and SMTP

$iptables -A FORWARD -i $in -o $ex -m state --state ESTABLISHED,RELATED -p TCP --dport http -j ACCEPT
$iptables -A FORWARD -i $ex -o $in -m state --state ESTABLISHED,RELATED -p TCP --dport http -j ACCEPT

# the remainder:

$iptables -A FORWARD -o $ex -j LOG --log-level info --log-prefix out_
$iptables -A FORWARD -i $ex -j LOG --log-level info --log-prefix in_

$iptables -A INPUT   -j DROP
$iptables -A FORWARD -j DROP
$iptables -A OUTPUT  -j DROP

echo "firewall up"
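A stateful rewrite of the posted ruleset, added here as an example and not taken from the post or from Wolfgang Barth's book, that keeps the DROP policies but adds what the script above is missing: an ESTABLISHED,RELATED accept on OUTPUT and FORWARD (the script only has it on INPUT, so with -P OUTPUT DROP nothing the gateway itself sends can leave, and the `-i $ex -o $in --dport http` rule never matches replies, which carry http as the source port), plus real SMTP/POP3 ports where the "# POP and SMTP" section still says `--dport http`. The LAN and resolver addresses, the service list and the SSH admin rule are assumptions; `show` prints the rules and `apply` loads them:

```shell
#!/bin/sh
# Added example, not the poster's script: same layout (eth0 outside, eth1
# inside, DROP policy on all chains) plus the rules the posted script lacks.
EX=eth0; IN=eth1                 # interfaces from the post
LAN=192.168.1.0/24               # assumed internal network
NS=192.0.2.53                    # assumed upstream resolver (placeholder)
IPT=${IPT:-iptables}

rule() { echo "$IPT $*"; }       # print one command; apply_rules runs them

build_rules() {
    rule -P INPUT DROP; rule -P FORWARD DROP; rule -P OUTPUT DROP
    rule -F; rule -t nat -F; rule -X
    rule -A INPUT -i lo -j ACCEPT
    rule -A OUTPUT -o lo -j ACCEPT
    # Reply traffic on all three chains; the posted script had this on INPUT
    # only, so with -P OUTPUT DROP the gateway's own DNS queries could not
    # leave and forwarded HTTP replies could not come back.
    for chain in INPUT OUTPUT FORWARD; do
        rule -A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT
        rule -A $chain -m state --state INVALID -j DROP
    done
    # Connections the gateway itself may start: DNS to the resolver, ping.
    rule -A OUTPUT -o $EX -d $NS -p udp --dport 53 -m state --state NEW -j ACCEPT
    rule -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
    # What the LAN may open to the gateway: ping and (assumed) SSH admin.
    rule -A INPUT -i $IN -s $LAN -p icmp --icmp-type echo-request -j ACCEPT
    rule -A INPUT -i $IN -s $LAN -p tcp --dport 22 -m state --state NEW -j ACCEPT
    # New connections from the LAN to the internet, one rule per service
    # (DNS, HTTP, SMTP, POP3). Replies match the FORWARD ESTABLISHED rule
    # above; a "-i eth0 -o eth1 --dport http" rule never matches them.
    for svc in udp:53 tcp:53 tcp:80 tcp:25 tcp:110; do
        rule -A FORWARD -i $IN -o $EX -s $LAN -p ${svc%:*} --dport ${svc#*:} \
            -m state --state NEW -j ACCEPT
    done
    rule -t nat -A POSTROUTING -o $EX -s $LAN -j MASQUERADE
    # Log whatever falls through; the chain policy then drops it.
    rule -A INPUT -j LOG --log-level info --log-prefix fw_in_drop:
    rule -A FORWARD -j LOG --log-level info --log-prefix fw_fwd_drop:
}

apply_rules() {
    build_rules | sh -e && echo 1 > /proc/sys/net/ipv4/ip_forward
}

case "${1:-}" in apply) apply_rules ;; show) build_rules ;; esac
```

Run `sh fw.sh show | less` first and compare against the script above; `sh fw.sh apply` loads the rules and enables forwarding only if every iptables command succeeded.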


