First IPTables Frackas

I decided to start firewalling all my internal servers… Ok, what that really means is I decided to try it out on a junk box.

I went for the complete “nothing in, nothing out unless I expressly permitted it” approach. Below is what I came up with (with some help from the LUG).

----Start Script

# Setup variables

# Flush all chains
/sbin/iptables --flush

# Set default policies
/sbin/iptables --policy INPUT DROP
/sbin/iptables --policy OUTPUT DROP
/sbin/iptables --policy FORWARD DROP

# Allow unlimited traffic on the loopback interface
/sbin/iptables -A INPUT -i $OURLO -j ACCEPT
/sbin/iptables -A OUTPUT -o $OURLO -j ACCEPT

# Drop all inbound packets that claim to be from us
/sbin/iptables -A INPUT -i $OURIF -s $OURIP -j DROP

# Drop all outbound packets that claim NOT to be from us
# (negation goes before the option; "-s ! addr" is the deprecated form)
/sbin/iptables -A OUTPUT -o $OURIF ! -s $OURIP -j DROP

# Allow any established or related connections (based on input/output rules)
/sbin/iptables -A INPUT -i $OURIF -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A OUTPUT -o $OURIF -m state --state ESTABLISHED,RELATED -j ACCEPT

Everything up to here is pretty basic, I think. Dropping everything; couldn't care less about logging on this box. Threw in a little spoof protection as well as allowing established connections to run their course.

# Allow incoming SSH (from anywhere)
/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT

I'm too lazy to walk back to the console for this thing, so I allowed ssh in from anywhere (this "anywhere" just happens to be my own network; no internet connectivity for this junker).

# Access to internal DNS servers
/sbin/iptables -A OUTPUT -o $OURIF -p udp -s $OURIP --dport 53 -d $OURDNS1 -j ACCEPT
/sbin/iptables -A OUTPUT -o $OURIF -p tcp -s $OURIP --dport 53 -d $OURDNS1 -j ACCEPT
/sbin/iptables -A OUTPUT -o $OURIF -p udp -s $OURIP --dport 53 -d $OURDNS2 -j ACCEPT
/sbin/iptables -A OUTPUT -o $OURIF -p tcp -s $OURIP --dport 53 -d $OURDNS2 -j ACCEPT

Sure, I *COULD* remember all those IPs. Or better yet, use nmap to discover everything over and over and over and ….

# Access to internal SYSLOG server
/sbin/iptables -A OUTPUT -o $OURIF -p tcp -s $OURIP --dport 514 -d $OURLOG -j ACCEPT

One day, I hope to be allowed on the back playground with the big kids. Encrypt my syslog-ng output, look like a stud at the next LAN party geekery. But stunnel pissed me off so bad today, I uninstalled it. Let that be a lesson to ya!

# Access to internal NTP server
/sbin/iptables -A OUTPUT -o $OURIF -p udp -s $OURIP --dport 123 -d $OURNTP1 -j ACCEPT
/sbin/iptables -A OUTPUT -o $OURIF -p udp -s $OURIP --dport 123 -d $OURNTP2 -j ACCEPT

If only NTP would keep track of important dates like anniversaries. Hmmm, maybe I should write up an RFC... Nah, too much work, and I'm lazy, as pointed out previously.

# Access to internal SMTP server
/sbin/iptables -A OUTPUT -o $OURIF -p tcp -s $OURIP --dport 25 -d $OURSMTP -j ACCEPT

Not really necessary, but if my servers weren’t sending/receiving spam too, I’d feel lonely.

# Allow ssh out to perform backups
/sbin/iptables -A OUTPUT -o $OURIF -p tcp -s $OURIP --dport 22 -d $OURBACK -j ACCEPT

Yeah! Why can’t syslog-ng work like rsync, right over ssh? Are they lazy too?

I wouldn't try to yy/p this without removing all my snide comments between the ----s.
