Post iptables rules in newsgroup, bad idea?

I was told in that it's generally a bad idea to post one's iptables rules list on Usenet, that it's a security risk.

I'm not doing anything fancy, just trying to lock down all access except HTTP, SSH, and DNS, which I think is a pretty common thing for people to be doing.

What could a bad guy learn from looking at my rule set?

Unless I'm REALLY missing something (no surprise!), I'd like to post my rule set here for you experts to critique for me.

It's not a long rules list, currently about 80 lines including comments but it will be shorter than that when I get done.

Any problem if I post it here, after I get done with it?

Reply to
C. J. Clegg

He could find flaws in your ruleset and (try to) exploit them. However, you can mitigate that risk (to a degree) by obfuscating or omitting public IP addresses, or by posting only snippets from it. After all you can't not post your ruleset if you want to discuss it. ^_^


Reply to
Ansgar -59cobalt- Wiechers

I agree, I don't think it is a problem to post it as long as you change/remove any identifying information from them. I also suggest not posting from a machine behind your firewall as it is quite easy to determine from what IP the post was made hence negating much of your work to hide your public IPs from the posted configs.

Ansgar -59cobalt- Wiechers wrote:

Reply to

As always, "that depends".

OK - DNS has to be on port 53, and is generally open to everyone. HTTP is generally on port 80, and may or may not be open to everyone. SSH defaults to 22. Who do you want to allow access to SSH? Everyone? (Why?) If so, that's one problem. Specific individuals well known to you? If so, there is nothing that absolutely requires SSH to be on port 22 (though moving it may run into others' firewall complications - some administrators only allow outbound SSH to port 22). Also, there is rarely a valid reason to allow access to your SSH server from everywhere. You say you're "not doing anything fancy" - so you wouldn't be showing anything like portknocking ports - so it boils down to showing what any skript kiddiez would be able to find with a simple port-scan anyway.

As for the rest of the services, what can be so secret about '-j REJECT'?

If your rule set has errors, will someone tell you about it and you get it fixed before some skript kiddiez can try to exploit the error?

80 lines? Probably not a problem - are the comments necessary for others to understand something? But as you've also stated you are going to post them to, why not combine the posts by listing both newsgroups (comma separated) in the newsgroup header, and perhaps include a Followup-To: header - that way you're going to waste a bit less bandwidth.

If you've moved a service to a different port, you need not show the "real" port it's been moved to. If you are restricting access to certain IP ranges, you might consider showing those as RFC3330 ranges - is often used for that, is another, but there are still whole /8s that IANA hasn't released - see

Old guy

Reply to
Moe Trin
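The two practical points raised in this thread, scrubbing public addresses before posting a ruleset (Ansgar's and the second reply's advice) and not accepting SSH from everywhere (Moe Trin's point), can both be checked mechanically. The script below is an added example written for this page, not code from any of the posters. It assumes an iptables-save style rules listing on stdin, and it uses the RFC 3330 TEST-NET block 192.0.2.0/24 as the placeholder range; the sample rules are constructed for the demonstration and do not describe any real host.

```sh
#!/bin/sh
# Constructed sample ruleset (not from the thread): lock down everything except
# HTTP, DNS, and SSH from a few known hosts.  198.51.100.7 and 203.0.113.9 stand
# in for the poster's "real" public peers.
SAMPLE_RULES='# constructed sample, not a real ruleset
-A INPUT -i lo -j ACCEPT
-A INPUT -s 198.51.100.7 -p tcp --dport 22 -j ACCEPT
-A INPUT -s 203.0.113.9 -p tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -s 198.51.100.7 -p udp --dport 53 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable'

# sanitize_rules: rewrite every public IPv4 address on stdin to a stable
# placeholder in 192.0.2.0/24 (the same real address always gets the same
# placeholder, so reviewers can still see which rules refer to one host).
# Loopback, RFC 1918, link-local, and the 0/255 wildcard addresses are kept,
# since they identify nothing about the poster.
sanitize_rules() {
  awk '
  function is_private(a,  o) {
    split(a, o, "[.]")
    if (o[1] == 10 || o[1] == 127) return 1
    if (o[1] == 192 && o[2] == 168) return 1
    if (o[1] == 172 && o[2] >= 16 && o[2] <= 31) return 1
    if (o[1] == 169 && o[2] == 254) return 1
    if (o[1] == 0 || o[1] == 255) return 1
    return 0
  }
  {
    line = $0; out = ""
    while (match(line, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/)) {
      ip = substr(line, RSTART, RLENGTH)
      if (is_private(ip)) {
        repl = ip
      } else {
        if (!(ip in map)) { n++; map[ip] = "192.0.2." n }
        repl = map[ip]
      }
      # append the text before the match plus its replacement, then move past it
      out = out substr(line, 1, RSTART - 1) repl
      line = substr(line, RSTART + RLENGTH)
    }
    print out line
  }'
}

# open_ssh_rules: print ACCEPT rules for tcp/22 that carry no -s source
# restriction, i.e. SSH reachable from anywhere.  Exit status 1 if any exist.
open_ssh_rules() {
  awk '
    /-j ACCEPT/ && /--dport 22( |$)/ && !/ -s / { print; found = 1 }
    END { exit found ? 1 : 0 }'
}

# Usage: scrub the sample before posting, and flag world-open SSH rules.
printf '%s\n' "$SAMPLE_RULES" | sanitize_rules
printf '%s\n' "$SAMPLE_RULES" | open_ssh_rules || echo "WARNING: SSH accepted from everywhere"
```

The sanitizer deliberately leaves the netmask (`/24`) and the port numbers alone, since, as Moe Trin notes, the open ports are what a port scan reveals anyway; what the scrub hides is which specific remote hosts you trust. Run the real listing through `iptables-save | sanitize_rules` and read the output once more by eye before posting, because hostnames or interface names in comments are not touched by the address rewrite.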

Right. :-)

OK, please see the new "Sample iptables rules list, inviting your suggestions / criticisms" thread ... thanks. :-)

Reply to
C. J. Clegg

Good afternoon, Moe.

I figured the comments would be helpful so that others can understand my intent and tell me how my dumbo attempts to achieve that intent are doomed to failure. :-)

As for posting in c.o.l.s, I guess I should have done that in the manner you suggest, but for now I've just posted it here.

It ended up a shade over 80 lines (134 lines actually) with some added comments; it's in the new "Sample iptables rules list, inviting your suggestions / criticisms" thread. Hope it didn't get thoroughly trashed by newsreader reformatting... :-(

Reply to
C. J. Clegg