[NCLUG] Firewall question
Sean Roberts
sean.roberts at attbi.com
Fri May 17 08:16:50 MDT 2002
On Friday May 17 2002 12:53am, Marcio Luis Teixeira wrote:
> I sort of figured out a quick answer to the question I posted earlier. I
> added this to my iptables config script:
>
> /sbin/iptables -A INPUT -i eth1 -d 0/0 -p all -j REJECT
This has the same effect as setting the default policy to REJECT;
however, it is more restrictive. Try instead:
/sbin/iptables -P INPUT REJECT
This makes the default policy for the input chain REJECT.
(By the way it is generally better to use the DROP target.
With the REJECT target the firewall will send a message back to
the remote machine that it could not connect, and although
no connection will be made the remote machine will know you are there. The
DROP target just ignores the incoming connection and the remote
machine will never realize you are there.)
By setting the default policy to DROP you can now add explicit policies to
allow certain connections. For example:
/sbin/iptables -A INPUT -i eth1 -p tcp -d 0/0 --destination-port 22 -j ACCEPT
This will allow connections to port 22.
For a firewall machine this is not a good idea. I would suggest you don't
allow any external connections to the firewall. You can still get it to talk
to the external world with
/sbin/iptables -A INPUT -i eth1 -p all -d 0/0 -m state --state ESTABLISHED,RELATED -j ACCEPT
This will allow you to make a connection to the outside world and receive all
return communications, but will not allow others to connect.
Your input chain for the external interface should look something like:
/sbin/iptables -P INPUT DROP
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p all -j ACCEPT
/sbin/iptables -A INPUT -i eth1 -p all -d 0/0 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -i eth1 -p tcp -s 123.456.7.890 -d 0/0 --destination-port 22 -j ACCEPT
The first rule sets the default policy to DROP.
The second rule allows unlimited traffic on the loopback device.
The third rule allows unlimited traffic to the firewall from the internal
network.
The fourth rule allows established traffic from the external world.
The fifth rule is an example of an optional rule to allow a very specific
connection - namely only ssh traffic from 123.456.7.890.
Good luck
Sean Roberts
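Added example (not part of Sean's post or any NCLUG script): a small Python model of the five-rule INPUT chain described above. It reproduces what makes the ruleset work, first-match evaluation, the default policy, and a minimal conntrack table that marks replies to flows the firewall itself opened as ESTABLISHED, then runs constructed packets through it so you can see which ones are admitted and what the sender observes for DROP versus REJECT. The addresses, port numbers and the `admin_ip` parameter are placeholders from the documentation ranges, not values from the post. One caveat the model encodes: `iptables -P` only accepts built-in targets such as ACCEPT or DROP as a chain policy, so `iptables -P INPUT REJECT` is refused with "Bad policy name"; a REJECT-everything default has to be an explicit final rule instead.

```python
"""Toy model of the INPUT chain from the post: first-match evaluation, a
default policy and a minimal conntrack table. Added example, not a firewall."""
from dataclasses import dataclass
from typing import FrozenSet, Optional

VALID_POLICIES = {"ACCEPT", "DROP"}  # iptables -P accepts only built-in targets

def is_valid_policy(name: str) -> bool:
    """REJECT is an extension target, so `iptables -P INPUT REJECT` fails."""
    return name in VALID_POLICIES

@dataclass(frozen=True)
class Packet:
    iface: str        # arriving interface (-i)
    proto: str        # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    sport: int = 0

@dataclass(frozen=True)
class Rule:
    target: str                           # ACCEPT, DROP or REJECT
    iface: Optional[str] = None           # -i
    proto: Optional[str] = None           # -p (None means -p all)
    src: Optional[str] = None             # -s
    dport: Optional[int] = None           # --dport
    states: FrozenSet[str] = frozenset()  # -m state --state (empty: any)

    def matches(self, pkt: Packet, state: str) -> bool:
        return ((self.iface is None or pkt.iface == self.iface)
                and (self.proto is None or pkt.proto == self.proto)
                and (self.src is None or pkt.src == self.src)
                and (self.dport is None or pkt.dport == self.dport)
                and (not self.states or state in self.states))

class Conntrack:
    """Remembers flows the firewall opened, so their replies count as ESTABLISHED."""
    def __init__(self):
        self.flows = set()

    def outbound(self, pkt: Packet):
        self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def state_of(self, pkt: Packet) -> str:
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)  # reply direction
        return "ESTABLISHED" if reverse in self.flows else "NEW"

class Chain:
    def __init__(self, policy: str, rules):
        if not is_valid_policy(policy):
            raise ValueError("Bad policy name: " + policy)
        self.policy, self.rules = policy, list(rules)

    def verdict(self, pkt: Packet, state: str) -> str:
        for rule in self.rules:  # first match wins
            if rule.matches(pkt, state):
                return rule.target
        return self.policy       # nothing matched: default policy applies

def what_the_sender_sees(verdict: str) -> str:
    """Why DROP is preferred: REJECT confirms that a host is listening."""
    return {"ACCEPT": "connection proceeds",
            "DROP": "silence; the attempt times out",
            "REJECT": "ICMP port-unreachable error"}[verdict]

def build_input_chain(admin_ip: str) -> Chain:
    """The post's ruleset: eth0 = internal LAN, eth1 = external link."""
    return Chain("DROP", [
        Rule("ACCEPT", iface="lo"),
        Rule("ACCEPT", iface="eth0"),
        Rule("ACCEPT", iface="eth1", states=frozenset({"ESTABLISHED", "RELATED"})),
        Rule("ACCEPT", iface="eth1", proto="tcp", src=admin_ip, dport=22),
    ])

def run_scenarios() -> dict:
    """Constructed packets; all addresses are documentation-range placeholders."""
    fw, admin, outsider, lan = "203.0.113.1", "198.51.100.7", "192.0.2.50", "10.0.0.5"
    chain, ct = build_input_chain(admin), Conntrack()
    cases = {}
    pkt = Packet("eth1", "tcp", outsider, fw, dport=80, sport=40000)
    cases["unsolicited_http"] = chain.verdict(pkt, ct.state_of(pkt))
    ct.outbound(Packet("eth1", "tcp", fw, outsider, dport=80, sport=51000))
    pkt = Packet("eth1", "tcp", outsider, fw, dport=51000, sport=80)
    cases["reply_to_our_request"] = chain.verdict(pkt, ct.state_of(pkt))
    pkt = Packet("eth1", "tcp", admin, fw, dport=22, sport=40001)
    cases["ssh_from_admin"] = chain.verdict(pkt, ct.state_of(pkt))
    pkt = Packet("eth1", "tcp", outsider, fw, dport=22, sport=40002)
    cases["ssh_from_outsider"] = chain.verdict(pkt, ct.state_of(pkt))
    pkt = Packet("eth0", "udp", lan, "10.0.0.1", dport=53, sport=5353)
    cases["dns_from_lan"] = chain.verdict(pkt, ct.state_of(pkt))
    return cases

if __name__ == "__main__":
    for name, v in run_scenarios().items():
        print(f"{name:22} {v:6} -> {what_the_sender_sees(v)}")
```

Running the script prints one line per scenario: the unsolicited HTTP attempt and the SSH attempt from an unknown host fall through to the DROP policy, the reply to the firewall's own outbound request is admitted by the ESTABLISHED,RELATED rule, and only the placeholder admin host reaches port 22. The conntrack model is deliberately simpler than the kernel's (no TCP flag or timeout handling), which is enough to show why the rule order and the default policy matter.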