- IPTABLES - RULES
11-11-2008 03:27 PM
My task is to develop iptables rules for a small network. We have HTTP + VPN + Exchange + Active Directory. I've set the default INPUT policy to DROP and developed about 20 rules.
Now - my CTO says that there should be about 1100 rules to start with.
I was playing with IPTABLES before, but this is a completely new approach to me. The problem is - he is usually right.
Does anyone understand why so many rules in so small a network? Is there any way to automate the creation of those rules - I just don't feel like sitting in front of my computer editing 1100 rules manually.
Regards
Peter
11-12-2008 05:07 PM
No. In fact, depending on what you really need, only a few rules are needed. From the security point of view, with only one rule you can deny all incoming traffic, pretty secure.
>>> Is there any way to automate the creation of those rules - I just don't feel like sitting in front of my computer editing manually 1100 rules.
Probably, you should use shorewall. There are other tools like firestarter. I prefer shorewall.
11-13-2008 12:19 AM
Re: IPTABLES - RULES
Long and obnoxious firewall scripts are just harder to administer.
I would say you're doing it just right. Put a default drop policy on input and then set up exceptions for the things you want to do.
I would recommend that you look into hashlimits though, since it's a perfect way to lower the impact of a DDoS.
If you're just going to make a long long list of ports to be closed/opened, a script could do this for you like this:
#!/bin/bash
# one port number per line in list-of-ports.ext; open each one for TCP
# (the rule body here is an example, the original post left it as a placeholder)
for i in $(cat list-of-ports.ext); do
    iptables -A INPUT -p tcp --dport "$i" -j ACCEPT
done
Normally (unless you run SuSE or the like) the firewall script is just a bash script that runs from your init, so doing bash commands isn't an issue :)
Hope my ranting gave you something :)
Best regards
Fredrik Eriksson
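Taking Fredrik's port-list loop one step further, here is an added example (not code from any poster in this thread) that generates a complete ruleset in iptables-restore format from a short service list, so the whole policy lives in a few readable lines instead of 1100 hand-edited rules. The list format (`proto port [source-cidr]`), the sample entries, the function names `gen_rules` and `rule_count`, and the 20 connections/second hashlimit threshold are all my own constructed assumptions; the structure mirrors the thread's advice: default DROP on INPUT, stateful accept for replies, a per-source hashlimit on new TCP connections, and one explicit exception per service.

```shell
#!/bin/sh
# Generate an iptables-restore ruleset from a small service list.
# Constructed example. Input format (one service per line, '#' starts a comment):
#   proto port [source-cidr]
# Load the result with: gen_rules < services.txt > rules.v4 && iptables-restore rules.v4

# Constructed sample input standing in for services.txt
SERVICES_SAMPLE='# proto port source
tcp 22 192.168.1.0/24
tcp 443
udp 1194
tcp 3389 10.0.0.0/8
'

# gen_rules: read "proto port [source]" lines from stdin and print an
# iptables-restore file on stdout. Returns 1 on malformed input so a typo
# never produces a half-built policy.
gen_rules() {
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' ':SERVICES - [0:0]'
    # Stateful basics first: one rule then covers replies for every accepted flow.
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # Per-source rate limit on new TCP connections (the hashlimit idea from the thread;
    # 20/second is an assumed threshold, tune it to the link).
    echo '-A INPUT -p tcp --syn -m hashlimit --hashlimit-name newconn --hashlimit-mode srcip --hashlimit-above 20/second -j DROP'
    # Everything new goes through the SERVICES chain; unmatched packets fall back to DROP.
    echo '-A INPUT -m conntrack --ctstate NEW -j SERVICES'
    while read -r proto port src; do
        case "$proto" in ''|\#*) continue ;; esac
        case "$proto" in
            tcp|udp) ;;
            *) echo "gen_rules: bad protocol '$proto'" >&2; return 1 ;;
        esac
        case "$port" in
            ''|*[!0-9]*) echo "gen_rules: bad port '$port'" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "gen_rules: port out of range '$port'" >&2; return 1
        fi
        if [ -n "$src" ]; then
            echo "-A SERVICES -s $src -p $proto --dport $port -j ACCEPT"
        else
            echo "-A SERVICES -p $proto --dport $port -j ACCEPT"
        fi
    done
    echo 'COMMIT'
}

# rule_count: number of -A rules in a ruleset read from stdin
# (handy to show the CTO how small the resulting policy actually is).
rule_count() {
    grep -c '^-A '
}

# Stand-alone run: print the ruleset built from the constructed sample.
printf '%s' "$SERVICES_SAMPLE" | gen_rules
```

Because the output is plain text, it can be kept in version control and checked with `iptables-restore --test` before it is ever loaded; the five baseline rules plus one line per service is the entire policy for the sample above.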
11-13-2008 12:21 AM
Re: IPTABLES - RULES
I would suggest you start by drawing a network and dataflow map of your network and decide which services and ports you wish to allow.
Next create a basic ruleset such as the one below, and then gradually add each service and (re)test:
#!/bin/sh
IPT=/sbin/iptables
#flush rules and delete user chains so the script can be re-run cleanly
$IPT -F
$IPT -X
$IPT -t nat -F
#policies
$IPT -P OUTPUT ACCEPT
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -N SERVICES
#drop spoofed packets (loopback source arriving on a non-loopback interface)
$IPT -A INPUT ! --in-interface lo --source 127.0.0.0/8 -j DROP
#limit ping requests
$IPT -A INPUT -p icmp -m icmp -m limit --limit 1/second -j ACCEPT
#drop bogus packets
$IPT -A INPUT -m state --state INVALID -j DROP
$IPT -A FORWARD -m state --state INVALID -j DROP
$IPT -A OUTPUT -m state --state INVALID -j DROP
#drop illegal TCP flag combinations
$IPT -t filter -A INPUT -p tcp --tcp-flags FIN,ACK FIN -j DROP
$IPT -t filter -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
$IPT -t filter -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
$IPT -t filter -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -t filter -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -t filter -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
$IPT -t filter -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
#allowed inputs
$IPT -A INPUT --in-interface lo -j ACCEPT
$IPT -A INPUT -j SERVICES
#allow responses
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#allow services (ssh, web on 8080, printing on 631 from the LAN only)
$IPT -A SERVICES -p tcp --dport 22 -j ACCEPT
$IPT -A SERVICES -p tcp --dport 8080 -j ACCEPT
$IPT -A SERVICES -m iprange --src-range 192.168.1.1-192.168.1.254 -p tcp --dport 631 -j ACCEPT
$IPT -A SERVICES -m iprange --src-range 192.168.1.1-192.168.1.254 -p udp --dport 631 -j ACCEPT
#redirect incoming port 80 to the web service on 8080
$IPT -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
$IPT -A FORWARD -p tcp --dport 8080 -j ACCEPT
Note: I lifted this script from the Linuxuser magazine, and if you search YouTube, you should find a series of videos explaining how this script works.
Good luck,
Andrew
11-13-2008 07:52 AM - last edited on 04-15-2021 04:27 AM by Parvez_Admin
Re: IPTABLES - RULES
Shalom,
http://fs-security.com/
I find this product substantially decreases the difficulty and manageability of these rules.
I use it to build firewall protected routers, exposed on the public internet. It has allowlist or denylist mode which makes it much easier to control access in a corporate environment.
Downside is it's not been updated in a few years and it has no web-based GUI configuration tool.
SEP
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com