Re: [bitfolk] The perils of opening tcp/22 to the Internet

Author: Graham Bleach
Date:  
To: users
Subject: Re: [bitfolk] The perils of opening tcp/22 to the Internet
On 16 March 2010 09:46, john lewis <zen57162@???> wrote:
> On Mon, 15 Mar 2010 23:30:59 +0000
> Graham Bleach <graham@???> wrote:
>> There are heaps of guides to creating a firewall policy, my favourite
>> method at the moment is to use "ufw". It's in Debian as of squeeze.
>
> but not in lenny, so I looked for an online guide and found
> http://www.mista.nu/iptables/ amongst others, some seemed very
> complicated but I can almost understand what 'mista' generated:
>
> #!/bin/sh
>
> IPT="/sbin/iptables"
>
> # Flush old rules, old custom tables
> $IPT --flush
> $IPT --delete-chain
>
> # Set default policies for all three default chains
> $IPT -P INPUT DROP
> $IPT -P FORWARD DROP
> $IPT -P OUTPUT DROP
>
> Comment:
> This appears to remove any existing rules, setup defaults which
> match what I currently have, then create some new rules.


Pretty much. The last 3 lines set the policy to drop all packets,
which means that anything you haven't specifically allowed will be
silently ignored.

> # Enable free use of loopback interfaces
> $IPT -A INPUT -i lo -j ACCEPT
> $IPT -A OUTPUT -o lo -j ACCEPT
>
> # All TCP sessions should begin with SYN
> $IPT -A INPUT -p tcp ! --syn -m state --state NEW -s 0.0.0.0/0 -j DROP
>
> Comment:
> I don't know what the 'TCP sessions' line means but it may well be a
> good thing as is the loopback devices section.


As the comment says, all TCP sessions should begin with a SYN. This
rule enforces that. I'm not convinced it's necessary, but it should be
harmless.

> # Accept inbound TCP packets
> $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -s 0.0.0.0/0 -j ACCEPT
> $IPT -A INPUT -p tcp --dport 80 -m state --state NEW -s 0.0.0.0/0 -j ACCEPT
> $IPT -A INPUT -p tcp --dport 110 -m state --state NEW -s 0.0.0.0/0 -j ACCEPT
>
> Comment:
> I presume I can change --dport 22 to my chosen port as set
> in /etc/ssh/sshd_config and change 0.0.0.0/0 to the IP address of this
> system to further restrict ssh access.


0.0.0.0/0 means "every possible IP address". In the case of ssh you
could replace 0.0.0.0/0 with all the IP addresses you wish to ssh from
(-s means source address). Keep in mind that your home IP may be
dynamic and change, and also try to remember other places you ssh from.
I personally don't bother restricting it at all, but I have password
authentication turned off, so dictionary attacks don't worry me much.

> I guess I need to open up http access to everyone to avoid blocking
> access to the webpages I have available.


Correct.

> I am not sure if I need the pop3 line. but I do use an @startx.co.uk
> email address on the server.


It depends on whether you're running a POP3 daemon on the server. Again,
like ssh, you might want to restrict it to a set of known clients.

> # Accept outbound packets
> $IPT -I OUTPUT 1 -m state --state RELATED,ESTABLISHED -j ACCEPT
> $IPT -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
>
> Comment:
> I guess I need to allow outgoing packets


These rules only allow the server to make DNS queries and reply to
connections made to it. You might find that is a bit too restrictive,
as it won't, for example, allow you to download package updates or talk
to the shared spamd. I have an ACCEPT policy on my OUTPUT rule.

> Do these rules look OK and are they sufficient?


They're a good start!

Cheers,
G
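The following is an added example for this archive page; it is not John's script, anything generated by mista.nu, or code from either poster. It is a small model of iptables' first-match chain walk and DROP policy, built from the rules quoted above, so that the points made in the reply can be traced packet by packet without loading anything into a live kernel: loopback is always accepted, a NEW TCP packet that is not a bare SYN is dropped by the second rule, ssh is accepted or dropped depending on the `-s` source range, anything not listed (port 443 inbound, or an outbound `apt-get` connection on port 80) falls through to the DROP policy. The `Packet`, `Rule`, `input_verdict` and `output_verdict` names and the `ssh_sources` parameter are assumptions of this example, as is the simplification that conntrack state is supplied per packet rather than derived from real traffic.

```python
"""Toy walk-through of the INPUT and OUTPUT chains from the ruleset quoted
in the thread.  Added example, not part of the original post: it models
iptables' first-match semantics and a chain policy so a packet's fate can be
traced offline.  Connection-tracking state is given per packet (assumption)
rather than derived from real traffic."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp" or "udp"
    src: str              # source IP (constructed sample addresses below)
    dport: int            # destination port
    state: str            # conntrack state: NEW, ESTABLISHED or RELATED
    syn: bool = True      # bare SYN set, i.e. what iptables' --syn tests
    iface: str = "eth0"   # -i on INPUT, -o on OUTPUT


@dataclass(frozen=True)
class Rule:
    target: str                         # -j ACCEPT / -j DROP
    comment: str                        # why the rule is there
    proto: Optional[str] = None         # -p
    iface: Optional[str] = None         # -i / -o
    dport: Optional[int] = None         # --dport
    states: Optional[frozenset] = None  # -m state --state
    src: Optional[str] = None           # -s CIDR; 0.0.0.0/0 matches everything
    syn: Optional[bool] = None          # True for --syn, False for ! --syn

    def matches(self, pkt: Packet) -> bool:
        """Every specified match must hold; unspecified ones match anything."""
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.iface is not None and pkt.iface != self.iface:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.states is not None and pkt.state not in self.states:
            return False
        if self.src is not None and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.syn is not None and pkt.syn != self.syn:
            return False
        return True


NEW = frozenset({"NEW"})
EST = frozenset({"ESTABLISHED", "RELATED"})


def input_chain(ssh_sources: str = "0.0.0.0/0") -> List[Rule]:
    """INPUT chain in the order the quoted script appends its rules.
    ssh_sources is the -s argument the reply suggests narrowing."""
    return [
        Rule("ACCEPT", "loopback", iface="lo"),
        Rule("DROP", "NEW tcp without SYN", proto="tcp", syn=False, states=NEW, src="0.0.0.0/0"),
        Rule("ACCEPT", "replies to connections we accepted", states=EST),
        Rule("ACCEPT", "ssh", proto="tcp", dport=22, states=NEW, src=ssh_sources),
        Rule("ACCEPT", "http", proto="tcp", dport=80, states=NEW, src="0.0.0.0/0"),
        Rule("ACCEPT", "pop3", proto="tcp", dport=110, states=NEW, src="0.0.0.0/0"),
    ]


def output_chain() -> List[Rule]:
    """OUTPUT chain: '-I OUTPUT 1' puts the state rule ahead of the loopback rule."""
    return [
        Rule("ACCEPT", "our side of existing connections", states=EST),
        Rule("ACCEPT", "loopback", iface="lo"),
        Rule("ACCEPT", "dns queries", proto="udp", dport=53, states=NEW),
    ]


def verdict(rules: List[Rule], policy: str, pkt: Packet) -> Tuple[str, str]:
    """First matching rule decides; nothing matched means the chain policy applies."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.target, rule.comment
    return policy, "chain policy"


def input_verdict(pkt: Packet, ssh_sources: str = "0.0.0.0/0") -> Tuple[str, str]:
    return verdict(input_chain(ssh_sources), "DROP", pkt)


def output_verdict(pkt: Packet) -> Tuple[str, str]:
    return verdict(output_chain(), "DROP", pkt)


if __name__ == "__main__":
    # Constructed sample traffic using RFC 5737 documentation addresses.
    print("ssh from anywhere, open -s:     ", input_verdict(Packet("tcp", "203.0.113.7", 22, "NEW")))
    print("ssh from anywhere, narrowed -s: ",
          input_verdict(Packet("tcp", "203.0.113.7", 22, "NEW"), ssh_sources="198.51.100.0/24"))
    print("NEW tcp without SYN:            ", input_verdict(Packet("tcp", "203.0.113.7", 22, "NEW", syn=False)))
    print("https inbound (not listed):     ", input_verdict(Packet("tcp", "203.0.113.7", 443, "NEW")))
    print("outbound dns:                   ", output_verdict(Packet("udp", "192.0.2.10", 53, "NEW")))
    print("outbound http (package update): ", output_verdict(Packet("tcp", "192.0.2.10", 80, "NEW")))
```

Running it shows the outbound package-update connection ending at `('DROP', 'chain policy')`, which is the restriction the reply warns about; swapping the OUTPUT policy for ACCEPT in `output_verdict` is the change the reply describes making on its own server.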