Martin Peikert
Hi all,
I want to set up a firewall to secure my private network. This network includes about 5-6 computers running Linux and Windows OS. I decided to use netfilter (iptables) with the new 2.4.2 kernel which I compiled on my Pentium today.

Now I have a question about the new iptables and the connection tracking module: I want to set a default policy for all chains (at first INPUT, OUTPUT and FORWARD) to DENY. Now for example I want to allow a ssh connection from the internet to my firewall. (I want the firewall to be the gate to my local Linux computers. I mean, if anyone wants to ssh to my private computers, he only can get a connection if he first connects to the firewall, and then connects to the target computer in my network.) Is this a good idea?
I do not think so. On your firewall only those services should run that are required for the firewall. If you really need to allow ssh to your internal network from an untrusted net, try portforwarding to _one_ machine in your internal network, but _not_ to the firewall. Then your users can login to that machine, but I would not give them a normal shell on that computer, only ssh to other machines...
--> I definitely and strongly agree. giving ppl accounts on your firewall renders the thing quite useless, heh.
So I don't have to allow ssh to any of my computers in the local net. Only to the firewall! What do you think about this? Now the problem: if I use connection tracking for ssh:
iptables -A INPUT -p tcp --dport 22 -s 0.0.0.0/0 -d $FIREWALLHOST -m state --state NEW,ESTABLISHED,RELATED -i eth0 -j ACCEPT
In this rule I would accept all connections coming from the internet to my firewall at port 22 and all packets in relation with this connection. Right?! Should I now add a rule to the OUTPUT chain too, or is any outgoing connection in relation with the ssh INPUT rule above accepted now?
No. You need an additional rule for OUTPUT. But, as said above, I do not think that this would be a good idea. If you want to secure your private network, do not allow ssh from outside.
--> hmm. Isn't the RELATED option used in conjunction with stateful protocols like FTP and not necessary for stateless TCP connections (telnet, ssh, ntp, http etc ...)? mesa not sure cuz I just got my SuSE 7.1 and am now putting the thing on my firewall. Netfilter rules; they say. YAY. time to get a grip :D
--> Cheers
Chris

HTH
Martin
--
martin.peikert@innominate.com
innominate AG
the linux architects
tel: +49-30-308806-0 fax: -77
http://www.innominate.com
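The two points argued in the thread above, put into one script as an added example (this is not code posted by Martin, Chris or the original poster): a 2.4 netfilter ruleset with DROP default policies (iptables has no DENY target; that was ipchains), the ssh-to-the-firewall rule from the question together with the OUTPUT rule Martin says is needed for the replies, and, as the alternative Martin recommends, a DNAT port forward of port 22 to a single internal host with the matching FORWARD rules. RELATED is deliberately left off the ssh rules: it matters for helper-tracked protocols such as FTP and for ICMP errors tied to a tracked connection, and plain ssh needs neither. The interface names (eth0/eth1), the addresses and the SSH_GATE host are assumptions made up for the example.

```shell
#!/bin/sh
# Added example for the suse-security thread above; not code from any poster.
# Interface names, addresses and the SSH_GATE host are assumptions.
#
# Usage:  sh fw.sh                    print the ruleset that would be applied (no root needed)
#         sh fw.sh apply              apply it with iptables (as root, on a 2.4 netfilter kernel)
#         SSH_MODE=firewall sh fw.sh  variant 1: ssh terminates on the firewall itself

EXT_IF=eth0              # assumption: interface facing the internet
INT_IF=eth1              # assumption: interface facing the LAN
FIREWALLHOST=192.0.2.10  # assumption: firewall's external address (TEST-NET-1)
SSH_GATE=192.168.1.5     # assumption: the one internal host that accepts ssh

IPT=${IPT:-iptables}
# Every rule goes through ipt(); with DRYRUN=1 it is printed instead of executed.
ipt() {
    if [ "${DRYRUN:-0}" = 1 ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

flush_and_set_policy() {
    ipt -F
    ipt -t nat -F
    ipt -X
    # iptables has no DENY target (that was ipchains); the default policy is DROP.
    ipt -P INPUT DROP
    ipt -P OUTPUT DROP
    ipt -P FORWARD DROP
    # Loopback must stay open or local services on the firewall break.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
}

# Variant 1, what the poster asked about: ssh terminates on the firewall.
ssh_to_firewall() {
    # NEW is only needed on the chain where the connection is opened (INPUT).
    # RELATED is left out: ssh has no conntrack helper and opens no secondary
    # connections; only ICMP errors tied to this connection would ever match it.
    ipt -A INPUT -i "$EXT_IF" -p tcp --dport 22 -d "$FIREWALLHOST" \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    # The INPUT rule does not cover the replies. With OUTPUT policy DROP the
    # SYN/ACK never leaves the box, so OUTPUT needs its own ESTABLISHED rule.
    ipt -A OUTPUT -o "$EXT_IF" -p tcp --sport 22 -s "$FIREWALLHOST" \
        -m state --state ESTABLISHED -j ACCEPT
}

# Variant 2, Martin's advice: forward port 22 to one internal host; the
# firewall itself accepts no logins at all.
ssh_forwarded_to_one_host() {
    ipt -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport 22 -d "$FIREWALLHOST" \
        -j DNAT --to-destination "$SSH_GATE:22"
    # Forwarded packets traverse FORWARD, not INPUT/OUTPUT: allow the new
    # connection in to the gate host and the established replies back out.
    ipt -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p tcp -d "$SSH_GATE" --dport 22 \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    ipt -A FORWARD -i "$INT_IF" -o "$EXT_IF" -p tcp -s "$SSH_GATE" --sport 22 \
        -m state --state ESTABLISHED -j ACCEPT
}

build_ruleset() {
    flush_and_set_policy
    case "${SSH_MODE:-forward}" in
        firewall) ssh_to_firewall ;;
        forward)  ssh_forwarded_to_one_host ;;
        *) echo "unknown SSH_MODE: $SSH_MODE" >&2; return 1 ;;
    esac
}

case "${1:-}" in
    apply) build_ruleset ;;
    *)     DRYRUN=1; build_ruleset ;;
esac
```

Run without arguments the script only prints the rules, so the ruleset can be reviewed before it touches a live box. In the forward variant nothing is appended to INPUT for port 22 at all, which is the point Martin and Chris make: the firewall forwards ssh but never answers it itself.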