Mailinglist Archive: opensuse-security (685 mails)

< Previous Next >
AW: AW: [suse-security] block forged packets with iptables
> Sounds like your default policy is ACCEPT...
> but some more information could be very helpfull.

Hi Ruediger,
this is my rule set for normal server operation. I'm not a real iptables
or network expert, but from my point of view it must be work. I can't
see a reason why not.

Thanks
Oliver Krapp


iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD

iptables -A OUTPUT -j DROP -d xxx.xxx.xxx.xxx
iptables -A OUTPUT -j DROP -s xxx.xxx.xxx.xxx
iptables -A INPUT -j DROP -d xxx.xxx.xxx.xxx
iptables -A INPUT -j DROP -s xxx.xxx.xxx.xxx
iptables -A FORWARD -j DROP -d xxx.xxx.xxx.xxx
iptables -A FORWARD -j DROP -s xxx.xxx.xxx.xxx

iptables -A INPUT -j LOG --log-level 6 --log-prefix "INVALID PACKET: "
-p tcp -d alster -m state --state INVALID
iptables -A INPUT -j DROP -p tcp -d alster -m state --state INVALID

iptables -A INPUT -j ACCEPT -p tcp -m state --state ESTABLISHED,RELATED
iptables -A OUTPUT -j ACCEPT -p tcp -m state --state ESTABLISHED,RELATED


iptables -A INPUT -j LOG --log-level 6 --log-prefix "SSH Connection: "
-p tcp -d alster --dport 22 -m state --state NEW
iptables -A INPUT -j ACCEPT -p tcp -d alster --dport 22 -m state
--state NEW

iptables -A INPUT -j LOG --log-level 6 --log-prefix "Tunnel Connection:
" -p tcp -s 212.121.145.243 -d alster --dport 1222 -m state --state NEW
iptables -A INPUT -j ACCEPT -p tcp -s 212.121.145.243 -d alster --dport
1222 -m state --state NEW

iptables -A OUTPUT -j ACCEPT -p udp -s 212.172.222.222 --dport 53
iptables -A INPUT -j ACCEPT -p udp -d 212.172.222.222 --sport 53

iptables -A INPUT -j ACCEPT -p tcp -d alster --dport 25 -m state --state
NEW iptables -A OUTPUT -j ACCEPT -p tcp -s alster --dport 25 -m state
--state NEW

iptables -A INPUT -j ACCEPT -p tcp -d alster --dport 80 -m state --state
NEW iptables -A OUTPUT -j ACCEPT -p tcp -s alster --dport 80 -m state
--state NEW

iptables -A OUTPUT -j ACCEPT -p tcp -s alster --dport 113 -m state
--state NEW

iptables -A INPUT -j LOG --log-level 6 --log-prefix "POP3 Connection: "
-p tcp -s ! 62.156.160.60 -d alster --dport 110 -m state --state NEW
iptables -A INPUT -j ACCEPT -p tcp -d alster --dport 110 -m state
--state NEW

iptables -A INPUT -j ACCEPT -p icmp --icmp-type echo-request -m limit
--limit 5/s
iptables -A OUTPUT -j ACCEPT -p icmp --icmp-type echo-reply -m limit
--limit 5/s

iptables -A OUTPUT -j ACCEPT -p icmp --icmp-type echo-request -m limit
--limit 5/s
iptables -A INPUT -j ACCEPT -p icmp --icmp-type echo-reply -m limit
--limit 5/s

iptables -A INPUT -j ACCEPT -p icmp --icmp-type destination-unreachable
-m limit --limit 10/s
iptables -A OUTPUT -j ACCEPT -p icmp --icmp-type destination-unreachable
-m limit --limit 10/s

iptables -A INPUT -j ACCEPT -p icmp --icmp-type source-quench -m limit
--limit 10/s
iptables -A OUTPUT -j ACCEPT -p icmp --icmp-type source-quench -m limit
--limit 10/s

iptables -A INPUT -j ACCEPT -p icmp --icmp-type time-exceeded -m limit
--limit 10/s
iptables -A OUTPUT -j ACCEPT -p icmp --icmp-type time-exceeded -m limit
--limit 10/s

iptables -A INPUT -j DROP -p tcp --dport 135:139
iptables -A INPUT -j DROP -p udp --dport 135:139

iptables -A INPUT -j DROP -p udp --dport 67:68

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

iptables -A OUTPUT -j ACCEPT -p udp --dport 33000:34000

iptables -A INPUT -j LOG --log-level 6 --log-prefix "FTP Connection: "
-p tcp -d alster --dport 21 -m state --state NEW
iptables -A INPUT -j ACCEPT -p tcp --dport 21 -d alster -m state --state
NEW

iptables -A OUTPUT -j LOG --log-level 6 --log-prefix "FTP Connection: "
-p tcp -s alster --dport 21 -m state --state NEW
iptables -A OUTPUT -j ACCEPT -p tcp --dport 21 -s alster -m state
--state NEW

iptables -A OUTPUT -j ACCEPT -p udp --dport 123 --sport 123 -s alster -d
131.188.3.221
iptables -A INPUT -j ACCEPT -p udp --dport 123 --sport 123 -s
131.188.3.221 -d alster

iptables -A INPUT -j LOG --log-level 6 --log-prefix "PACKET dropped: "
-p tcp -d alster
iptables -A INPUT -j LOG --log-level 6 --log-prefix "PACKET dropped: "
-p udp -d alster
iptables -A INPUT -j LOG --log-level 6 --log-prefix "PACKET dropped: "
-p icmp -d alster

iptables -A OUTPUT -j LOG --log-level 6 --log-prefix "PACKET dropped: "
-p tcp -s alster
iptables -A OUTPUT -j LOG --log-level 6 --log-prefix "PACKET dropped: "
-p udp -s alster
iptables -A OUTPUT -j LOG --log-level 6 --log-prefix "PACKET dropped: "
-p icmp -s alster


< Previous Next >
References