Hello, I haven't worked with iptables for more than 4 years and I was agreeably surprised by the new functions provided with iptables.
I'm currently using a Linux computer as a bridge firewall; as my company has limited resources I have put some other services on it as well (apache, dansguardian). It gives them a fairly secure network and should only allow some people to access the Internet.
Still, I found some problems in my firewall: some people were still able to use the web and messenger even with the set of rules I have put on it.
Here are my FORWARD rules; if any of you have a tip on them, it would be most welcome:
iptables -P FORWARD ACCEPT

# user-defined chains referenced below must exist before a rule jumps to them
iptables -N Icmp_Related_And_New
iptables -N r_drop

# $LOCALNET and $INTERNET are assumed to be set earlier in the script
iptables -A FORWARD -j Icmp_Related_And_New -p icmp
# bare RSTs accepted while under 1/s (burst 5), whatever the destination
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
# any TCP SYN to any destination accepted while under 1/s (burst 5)
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# outbound services allowed from $LOCALNET
iptables -A FORWARD -j ACCEPT -p tcp -s $LOCALNET -d $INTERNET --dport 25
iptables -A FORWARD -j LOG -p tcp -s $LOCALNET -d 202.72.104.1 --dport 110
iptables -A FORWARD -j ACCEPT -p tcp -s $LOCALNET -d $INTERNET --dport 110
iptables -A FORWARD -j ACCEPT -p tcp -s $LOCALNET -d $INTERNET --dport 22
iptables -A FORWARD -j ACCEPT -p tcp -s $LOCALNET -d $INTERNET --dport 53
iptables -A FORWARD -j ACCEPT -p udp -s $LOCALNET -d $INTERNET --dport 53
iptables -A FORWARD -j ACCEPT -p tcp -s $LOCALNET -d $INTERNET --dport 443
iptables -A FORWARD -j ACCEPT -p tcp -s $LOCALNET -d $INTERNET --dport 6667
iptables -A FORWARD -j ACCEPT -p tcp -s $LOCALNET -d $INTERNET --dport 8383
# everything else
iptables -A FORWARD -j r_drop

# r_drop: noisy Windows/SQL ports dropped silently, the rest logged then dropped
iptables -A r_drop -p tcp --dport 135:139 -j DROP
iptables -A r_drop -p udp --dport 135:139 -j DROP
iptables -A r_drop -p tcp --dport 445 -j DROP
iptables -A r_drop -p tcp --dport 1433:1434 -j DROP
iptables -A r_drop -j LOG
iptables -A r_drop -j DROP

# Icmp_Related_And_New: ICMP errors for tracked flows, echo-reply for our pings, rate-limited echo-request
iptables -A Icmp_Related_And_New -p icmp --icmp-type destination-unreachable -m state --state RELATED -j ACCEPT
iptables -A Icmp_Related_And_New -p icmp --icmp-type source-quench -m state --state RELATED -j ACCEPT
iptables -A Icmp_Related_And_New -p icmp --icmp-type parameter-problem -m state --state RELATED -j ACCEPT
iptables -A Icmp_Related_And_New -p icmp --icmp-type time-exceeded -m state --state RELATED -j ACCEPT
iptables -A Icmp_Related_And_New -p icmp --icmp-type echo-reply -m state --state ESTABLISHED -j ACCEPT
iptables -A Icmp_Related_And_New -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
iptables -A Icmp_Related_And_New -j LOG
iptables -A Icmp_Related_And_New -j DROP
Thanks,
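The rules above contain the reason web and messenger still get through: `-p tcp --syn -m limit --limit 1/s -j ACCEPT` sits before the per-port rules and ACCEPTs any TCP SYN to any destination as long as the rate stays under 1/s (default burst 5). Once that first SYN is in, `--state ESTABLISHED,RELATED` accepts the rest of the connection, so every service works, just slowly. The `--tcp-flags ... RST -m limit ... -j ACCEPT` rule has the same shape. The fix is to make the limiter drop the excess rather than accept what is under the limit, so that only the per-port rules ever open a flow. The script below is an added example, not code from the original post: it generates an iptables-restore file for the FORWARD chain with that structure and a default-deny policy. It keeps the post's `LOCALNET` and `INTERNET` names; the default values and the chain names `syn_flood` / `icmp_ok` are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): emits an iptables-restore
# ruleset for the bridge's FORWARD chain. Default policy DROP; the SYN rate
# limiter RETURNs to FORWARD when under the limit and DROPs when over it,
# so no rule ACCEPTs a new connection except the per-port ones.
# LOCALNET/INTERNET default values are placeholders (assumption); set them
# in the environment before running.
LOCALNET="${LOCALNET:-192.168.1.0/24}"
INTERNET="${INTERNET:-0.0.0.0/0}"
# Outbound ports the original rules intended to allow from LOCALNET.
TCP_PORTS="22 25 53 110 443 6667 8383"
UDP_PORTS="53"
# Ports the original r_drop chain dropped without logging.
QUIET_TCP="135:139 445 1433:1434"
QUIET_UDP="135:139"

gen_forward_rules() {
    cat <<EOF
*filter
:FORWARD DROP [0:0]
:syn_flood - [0:0]
:icmp_ok - [0:0]
# Packets of already-tracked connections first; RELATED also covers the ICMP
# errors (destination-unreachable, time-exceeded, ...) for those flows.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# SYN shaping: under 1/s (burst 5) RETURN to FORWARD and keep evaluating,
# over it DROP. Nothing in this chain accepts anything.
-A FORWARD -p tcp --syn -j syn_flood
-A syn_flood -m limit --limit 1/s --limit-burst 5 -j RETURN
-A syn_flood -j DROP
# Bare RSTs get no ACCEPT rule: RSTs of tracked connections already passed above.
# ICMP: only rate-limited echo-request opens a new flow.
-A FORWARD -p icmp -j icmp_ok
-A icmp_ok -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
-A icmp_ok -j DROP
EOF
    # Per-port NEW connections out of LOCALNET: the only rules that open a flow.
    for p in $TCP_PORTS; do
        printf -- '-A FORWARD -p tcp -s %s -d %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
            "$LOCALNET" "$INTERNET" "$p"
    done
    for p in $UDP_PORTS; do
        printf -- '-A FORWARD -p udp -s %s -d %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
            "$LOCALNET" "$INTERNET" "$p"
    done
    # Noisy Windows/SQL probes dropped silently; everything else logged, then dropped.
    for p in $QUIET_TCP; do
        printf -- '-A FORWARD -p tcp --dport %s -j DROP\n' "$p"
    done
    for p in $QUIET_UDP; do
        printf -- '-A FORWARD -p udp --dport %s -j DROP\n' "$p"
    done
    cat <<EOF
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
-A FORWARD -j DROP
COMMIT
EOF
}

# Print the ruleset by default; "--apply" loads it with iptables-restore (needs root).
case "${1:-}" in
    --apply) gen_forward_rules | iptables-restore ;;
    *) gen_forward_rules ;;
esac
```

Two checks before applying it on the bridge: the file restores the whole `filter` table, so merge in the box's own INPUT/OUTPUT rules (apache and dansguardian live on this host) or load it with `iptables-restore --noflush`; and confirm `sysctl net.bridge.bridge-nf-call-iptables` is 1, otherwise bridged frames never reach the FORWARD chain at all and no rule here is consulted.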