Redirected here from the "Post iptables rules in newsgroups" and "What iptables rules to allow name service" threads...
Thanks to all of your help, I think I have what looks to me like a reasonable set of iptables rules to shut down unneeded access while allowing DNS to work to/from the name server that runs on that host.
Please take a look at the following and let me know of any suggestions or criticisms you may have ... thanks :-)
(DESPERATELY hoping that my newsreader, or yours, doesn't hopelessly hose the formatting in the following cut-and-paste...)
# Firewall configuration excerpt
#
# Based on the config file written by Fedora Core 2
# system-config-securitylevel (the one that says
# "Manual customization of this file is not recommended.")
#
# This firewall only controls access to the machine on which it
# runs. This machine does not serve as a router to provide
# network access to other machines.
#
# Objectives:
#   Allow ftp, http, mail, and ping to and from everybody
#   Allow ssh to and from certain (trusted) hosts
#     (the firewall allows ssh from all
#     and access is controlled in hosts.allow/deny)
#   Disable telnet, rlogin, rsh, rexec, etc.
#     (all of which are turned off in xinetd.d anyway...)
#   Allow name service to and from the name server that
#     runs on this host (this is a "primary" name server that
#     also serves several "secondary" name servers)
#
*filter
:INPUT ACCEPT [0:0]
# Do I need this? See FORWARD chain below
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
#
#################################################################
#
# Rule set for the INPUT chain
#
# Allow anything from the localhost
# (this rule was commented out in the pasted file; without it the
# final "-A INPUT -j DROP" rule below also drops loopback traffic)
#
-A INPUT -i lo -j ACCEPT
#
# Allow any icmp (mostly ping ... should I restrict it to ping
# only? What other kinds of ICMP are there that could be
# intrusive or dangerous?)
#
-A INPUT -p icmp --icmp-type any -j ACCEPT
#
# Allow ftp, ssh, mail, http, https. ssh access is restricted
# in hosts.allow and hosts.deny.
#
# (NOTE: I don't need "-m tcp -p tcp", do I?
# Isn't "-m tcp" implied by "-p tcp"?
#
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
#
# Enable DNS for input
#
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
#
# Silently drop everything else
#
# NOTE: Could I eliminate the "-A INPUT -j DROP" rule by just
# changing the ":INPUT ACCEPT [0:0]" to ":INPUT DROP [0:0]" up at
# the beginning of this rules list?
#
-A INPUT -j DROP
#
#################################################################
#
# Rule set for the FORWARD chain.
# Everything gets silently dropped.
#
# NOTE: Do I even need this at all, or should I just eliminate
# the FORWARD chain entirely, or change ":FORWARD ACCEPT [0:0]"
# to ":FORWARD DROP [0:0]" up near the top of this list?
#
# /proc/sys/net/ipv4/ip_forward is set to 0.
#
# If I don't need this, then should I also eliminate the
# ":FORWARD ACCEPT [0:0]" up near the top of this list?
#
-A FORWARD -j DROP
#
#################################################################
#
# Rule set for the OUTPUT chain. These mostly have to do with
# logging although there is one DROP rule.
#
# Don't log things to the localhost
#
-A OUTPUT -o lo -j RETURN
#
# Disable outbound telnet from local users
# (this is the only DROP rule in the chain)
#
-A OUTPUT -m state --state NEW -m tcp -p tcp --dport 23 -j DROP
#
# Enable DNS for output
#
# NOTE: The following three rules were recommended to me by
# 59cobalt on comp.security.firewalls in order to get DNS to
# work. However, everything in the OUTPUT chain is ACCEPTed by
# default except for one specific DROP to disable telnet, noted
# above, so I shouldn't need the following three rules at all,
# right?
#
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
#
# Don't log ping (or any ICMP), mail, http, https, X11-over-ssh,
# or dns
#
-A OUTPUT -p icmp --icmp-type any -j RETURN
-A OUTPUT -p tcp --sport 25 -j RETURN
-A OUTPUT -p tcp --dport 25 -j RETURN
-A OUTPUT -p tcp --dport 53 -j RETURN
-A OUTPUT -p udp --dport 53 -j RETURN
-A OUTPUT -p tcp --sport 80 -j RETURN
-A OUTPUT -p tcp --dport 80 -j RETURN
-A OUTPUT -p tcp --sport 443 -j RETURN
-A OUTPUT -p tcp --sport 6010 -j RETURN
-A OUTPUT -p tcp --dport 6010 -j RETURN
#
# Log everything else
#
-A OUTPUT -j LOG
#
COMMIT
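As an added example (not the poster's file, and not from anyone in the thread), the shell script below prints a variant of the same ruleset that applies the answers the questions above point toward: DROP policies on INPUT and FORWARD instead of a trailing "-j DROP" rule, the ESTABLISHED,RELATED rule first, "-p tcp" on its own since it loads the tcp match itself, and inbound ICMP narrowed to named types instead of "--icmp-type any". The service ports are the ones from the post; the helper functions only inspect the generated text, so they run without root.

```sh
#!/bin/sh
# Added example, not the poster's config. Prints an iptables-restore ruleset
# with DROP policies instead of a trailing DROP rule, ESTABLISHED,RELATED first,
# plain "-p tcp", and ICMP limited to named types. Ports follow the original
# post; the X11-over-ssh port 6010 logging rules are left out here.
gen_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback and already-tracked traffic first; RELATED also covers replies to
# this host's own pings and ICMP errors that conntrack ties to a known flow.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Inbound ICMP: echo-request so the host answers ping, plus the error types
# that keep path-MTU discovery working. Redirect, timestamp, etc. hit the policy.
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
-A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
# New connections to the public services and to the name server on this host.
-A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
# No "-A INPUT -j DROP" and no FORWARD rule: the chain policies handle the rest.
# OUTPUT keeps ACCEPT as its policy, so no DNS ACCEPT rules are needed there.
-A OUTPUT -p tcp --dport 23 -m state --state NEW -j DROP
COMMIT
EOF
}

# Offline checks on the generated text (no root needed).
count_rules() { gen_rules | grep -c '^-A'; }
input_policy() { gen_rules | sed -n 's/^:INPUT \([A-Z]*\) .*/\1/p'; }
# Every non-comment line must be a table, policy, rule or COMMIT line.
check_syntax() {
    ! gen_rules | grep -Evq '^(#|\*filter$|:[A-Z]+ (ACCEPT|DROP) \[0:0\]$|-A (INPUT|OUTPUT) .* -j (ACCEPT|DROP)$|COMMIT$)'
}
```

On a host with iptables, `gen_rules | iptables-restore --test` (as root) parses the output without applying it, and `gen_rules | iptables-restore` loads it.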