TCLUG Archive
Re: [TCLUG:16582] Firewalls revisited...
On Mon, 24 Apr 2000, ^chewie wrote:
> DON'T set the default policy to DENY.
> (e.g. ipchains -P input DENY)
Actually, do, but don't miss any packets with the rule below :)
> Append a LAST rule in the input, output, and forward chains that DENY
> and log any missed packets instead...
I have an LDROP chain that I put just after my drops...
# excerpts from my iptables setup script
# (IPTABLES, the path to the binary, and LOCALIP, this host's address, are set earlier in the full script)
# LDROP: log by protocol with a distinct prefix, then drop
$IPTABLES --new LDROP 2>/dev/null
$IPTABLES -A LDROP --proto tcp -j LOG --log-level info \
    --log-prefix "TCP Drop "
echo -n "."
$IPTABLES -A LDROP --proto udp -j LOG --log-level info \
    --log-prefix "UDP Drop "
echo -n "."
$IPTABLES -A LDROP --proto icmp -j LOG --log-level info \
    --log-prefix "ICMP Drop "
echo -n "."
$IPTABLES -A LDROP --proto gre -j LOG --log-level info \
    --log-prefix "GRE Drop "
echo -n "."
$IPTABLES -A LDROP -f -j LOG --log-level emerg \
    --log-prefix "FRAGMENT Drop "
echo -n "."
$IPTABLES -A LDROP -j DROP
echo -n "."
# packets claiming our own source address on anything but loopback are spoofed
$IPTABLES -A INPUT --src $LOCALIP ! -i lo -j LDROP
# I have a whole ton of icmp rules here too.
echo -n "Logging rules"
# Who cares about cifs lookups
$IPTABLES -A INPUT --proto udp --dport 137:138 -j DROP
$IPTABLES -A OUTPUT --proto udp --dport 137:138 -j DROP
$IPTABLES -A INPUT --proto udp --dport 67 -j DROP
echo -n "."
# Same goes for irc server paranoia.
$IPTABLES -A INPUT --proto tcp --syn --dport 1080 -j DROP
echo -n "."
# Log anything else
$IPTABLES -A INPUT ! -i lo --proto tcp --syn -j LDROP
echo -n "."
# Log low port UDP
$IPTABLES -A INPUT ! -i lo --proto udp --dport :1023 -j LDROP
echo -n "."
# Log UDP to whatever ports the portmapper has registered
RPC_UDP=$(rpcinfo -p localhost | perl -n -e '/.*udp\s+(\d+)\s+/ && print $1,"\n"' | sort -u)
for port in $RPC_UDP; do
    $IPTABLES -A INPUT ! -i lo --proto udp --dport $port -j LDROP
done
echo -n "."
echo "Done"
Ask if you want the whole script. I use state-based filtering to deal
with it too :)
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
whee!
--
Scott Dier <dieman@ringworld.org> #nicnac@efnet 612.301.0265
http://www.ringworld.org/ finger:dieman@destiny.ringworld.org
Wait. Watch. Wonder.
-J
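As an added example (not part of Scott's script or the original post): a small Python triage pass over the syslog lines that the LDROP LOG rules produce, keyed on their "TCP Drop " / "UDP Drop " / "ICMP Drop " prefixes, counting drops per prefix and per source and flagging any source that hit several distinct destination ports. The sample lines are constructed, in the standard LOG target field layout (IN= OUT= MAC= SRC= DST= ... PROTO= SPT= DPT=), with RFC 5737 documentation addresses.

```python
import re
from collections import Counter, defaultdict

# Constructed sample syslog lines (not real traffic) in the shape the LOG target
# emits, using the LDROP prefixes from the script above.
SAMPLE_LOG = """\
Apr 24 21:03:11 fw kernel: TCP Drop IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4711 DF PROTO=TCP SPT=40123 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 24 21:03:12 fw kernel: TCP Drop IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4712 DF PROTO=TCP SPT=40124 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 24 21:03:12 fw kernel: TCP Drop IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4713 DF PROTO=TCP SPT=40125 DPT=111 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 24 21:03:40 fw kernel: UDP Drop IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=198.51.100.2 LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=9 DF PROTO=UDP SPT=40000 DPT=111 LEN=48
Apr 24 21:04:02 fw kernel: ICMP Drop IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.44 DST=198.51.100.2 LEN=84 TOS=0x00 PREC=0x00 TTL=55 ID=3 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Apr 24 21:04:10 fw kernel: eth0: link up
"""

# "<prefix>IN=..." with an optional dmesg-style "[ 123.456] " timestamp; the space
# after "Drop" is optional so a prefix written without its trailing space still parses.
LINE_RE = re.compile(r'kernel: (?:\[\s*[\d.]+\] )?(?P<prefix>[A-Z]+ Drop) ?(?P<rest>IN=.*)$')
FIELD_RE = re.compile(r'\b([A-Z]+)=(\S*)')

def parse_line(line):
    """Return the fields of one LDROP log line, or None for unrelated kernel messages."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rest = m.group('rest')
    fields = {}
    for key, val in FIELD_RE.findall(rest):
        fields.setdefault(key, val)  # keep the outer (IP header) LEN=/ID=, not the inner one
    return {
        'prefix': m.group('prefix'),
        'iface': fields.get('IN', ''),
        'src': fields.get('SRC'),
        'dst': fields.get('DST'),
        'proto': fields.get('PROTO'),
        'dport': int(fields['DPT']) if fields.get('DPT', '').isdigit() else None,
        'syn': bool(re.search(r'\bSYN\b', rest)),
    }

def summarize(text, port_threshold=3):
    """Count drops per prefix and per source; list sources that touched >= port_threshold ports."""
    by_prefix, by_src, ports_by_src = Counter(), Counter(), defaultdict(set)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        by_prefix[rec['prefix']] += 1
        by_src[rec['src']] += 1
        if rec['dport'] is not None:
            ports_by_src[rec['src']].add(rec['dport'])
    sweeps = sorted(s for s, ports in ports_by_src.items() if len(ports) >= port_threshold)
    return {'by_prefix': dict(by_prefix), 'by_src': dict(by_src), 'sweeps': sweeps}
```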