On 16 March 2010 09:46, john lewis <zen57162(a)zen.co.uk> wrote:
On Mon, 15 Mar 2010 23:30:59 +0000
Graham Bleach <graham(a)darkskills.org.uk> wrote:
There are heaps of guides to creating a firewall policy; my favourite
method at the moment is to use "ufw". It's in Debian as of squeeze.
but not in lenny, so I looked for an online guide and found
http://www.mista.nu/iptables/ amongst others; some seemed very
complicated, but I can almost understand what 'mista' generated:
#!/bin/sh
IPT="/sbin/iptables"
# Flush old rules, old custom tables
$IPT --flush
$IPT --delete-chain
# Set default policies for all three default chains
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP
Comment:
This appears to remove any existing rules, set up defaults which
match what I currently have, then create some new rules.
Pretty much. The last 3 lines set the policy to drop all packets,
which means that anything you haven't specifically allowed will be
silently ignored.
# Enable free use of loopback interfaces
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
# All TCP sessions should begin with SYN
$IPT -A INPUT -p tcp ! --syn -m state --state NEW -s 0.0.0.0/0 -j DROP
Comment:
I don't know what the 'TCP sessions' line means, but it may well be a
good thing, as is the loopback devices section.
As the comment says, all TCP sessions should begin with a SYN. This
rule enforces that. I'm not convinced it's necessary, but it should be
harmless.
# Accept inbound TCP packets
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -s 0.0.0.0/0 -j ACCEPT
$IPT -A INPUT -p tcp --dport 80 -m state --state NEW -s 0.0.0.0/0 -j ACCEPT
$IPT -A INPUT -p tcp --dport 110 -m state --state NEW -s 0.0.0.0/0 -j ACCEPT
Comment:
I presume I can change --dport 22 to my chosen port as set
in /etc/ssh/sshd_config and change 0.0.0.0/0 to the IP address of this
system to further restrict ssh access.
0.0.0.0/0 means "every possible IP address". In the case of ssh you
could replace 0.0.0.0/0 with all the IP addresses you wish to ssh from
(-s means source address). Keep in mind that your home IP may be
dynamic and change and also try to remember other places you ssh from.
I personally don't bother restricting it at all, but I have password
authentication turned off, so dictionary attacks don't worry me much.
I guess I need to open up http access to everyone to avoid blocking
access to the webpages I have available.
Correct.
I am not sure if I need the pop3 line, but I do use an @startx.co.uk
email address on the server.
It depends on whether you're running a POP3 daemon on the server. Again, like
ssh, you might want to restrict it to a set of known clients.
# Accept outbound packets
$IPT -I OUTPUT 1 -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
Comment:
I guess I need to allow outgoing packets.
These rules only allow the server to make DNS queries and reply to
connections made to it. You might find that is a bit too restrictive,
as it won't, for example, allow you to download package updates or talk
to the shared spamd. I have an ACCEPT policy on my OUTPUT rule.
Do these rules look OK and are they sufficient?
They're a good start!
Cheers,
G
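A parameterised version of the policy discussed in this thread, written here as an added example; it is neither the script from mista.nu nor code posted by either participant. It assumes SSH has been moved to port 2222, that the permitted SSH sources are the placeholder documentation ranges 203.0.113.0/24 and 198.51.100.7, and that the server needs outbound HTTP/HTTPS for package updates; all of those are assumptions, not values from the thread. It keeps the DROP policy on OUTPUT but adds the explicit outbound rules the original set lacked, and it prints the iptables commands instead of running them unless APPLY=1 is set, so the rule set can be read through before it is loaded on a remote box.

```shell
#!/bin/sh
# Added example (not from mista.nu or the thread): generate an iptables
# policy from a few parameters. Dry run by default: every rule is echoed
# rather than executed, so it can be reviewed without root or iptables.
# Assumptions: SSH on 2222, placeholder source ranges, outbound 80/443.

IPT="/sbin/iptables"
[ "${APPLY:-0}" = "1" ] || IPT="echo $IPT"

# gen_rules SSH_PORT "SRC1 SRC2 ..." POP3(yes|no) "OUT_TCP_PORT ..."
gen_rules() {
    ssh_port="$1"
    ssh_sources="$2"
    pop3="${3:-no}"
    out_tcp="${4:-80 443}"

    # Clean slate, then drop anything no rule below explicitly accepts.
    # OUTPUT is DROP too; switch it to ACCEPT if that proves too strict.
    $IPT --flush
    $IPT --delete-chain
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP

    # Loopback is unrestricted; local daemons talk to each other over it.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # A new TCP connection must start with SYN; drop stray segments early.
    $IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

    # Traffic belonging to connections the server already knows about.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # SSH on the chosen port, one rule per permitted source address/range.
    for src in $ssh_sources; do
        $IPT -A INPUT -p tcp --dport "$ssh_port" -m state --state NEW -s "$src" -j ACCEPT
    done

    # Public web server: open to everyone.
    $IPT -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT

    # POP3 only if a daemon is actually listening on this host.
    if [ "$pop3" = "yes" ]; then
        $IPT -A INPUT -p tcp --dport 110 -m state --state NEW -j ACCEPT
    fi

    # Outbound: DNS lookups plus the TCP ports the server itself needs
    # (package mirrors, a remote spamd, and so on).
    $IPT -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
    for port in $out_tcp; do
        $IPT -A OUTPUT -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
}

# Dry-run demonstration with the assumed values: SSH on 2222 from two
# placeholder sources, no POP3, outbound 80 and 443 allowed.
gen_rules 2222 "203.0.113.0/24 198.51.100.7" no "80 443"
```

Run it as-is to read the generated rules; run it as root with APPLY=1 to load them, preferably from a console session or with a delayed `iptables --flush` scheduled first, so a typo in the SSH rule cannot lock you out. Checking the echoed output for the SSH line before applying is the cheapest guard against exactly that.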