-
My iptables, how does this look?
First my setup:
Server: 10.10.10.80 (Debian Wheezy)
Workstation: 10.10.10.100 (Debian Wheezy)
Services needed for Server-Client comm:
Open SSH is on port 8000
NFS is on port 9000
The script below is for client only. Client does nothing but web browsing, open ssh, and nfs usage. Everything else should be blocked (inbound and outbound).
Here is the iptables script I have:
#!/bin/bash
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
#input
iptables -A INPUT -m state --state ESTABLISHED -t filter -p tcp --sport http -d 10.10.10.100 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED -t filter -p udp --sport 53 -d 10.10.10.100 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED -t filter -p tcp --sport https -d 10.10.10.100 -j ACCEPT
#output
iptables -A OUTPUT -m state --state NEW,ESTABLISHED -t filter -p tcp --dport http -s 10.10.10.100 -j ACCEPT
iptables -A OUTPUT -m state --state NEW,ESTABLISHED -t filter -p udp --dport 53 -s 10.10.10.100 -j ACCEPT
iptables -A OUTPUT -m state --state NEW,ESTABLISHED -t filter -p tcp --dport https -s 10.10.10.100 -j ACCEPT
#lan_input_wifi
iptables -A INPUT -m state --state ESTABLISHED -t filter -p tcp -s 10.10.10.80 --sport 8000 -d 10.10.10.100 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED -t filter -p tcp -s 10.10.10.80 --sport 9000 -d 10.10.10.100 -j ACCEPT
#lan_output_wifi
iptables -A OUTPUT -m state --state NEW,ESTABLISHED -t filter -p tcp -s 10.10.10.100 -d 10.10.10.80 --dport 8000 -j ACCEPT
iptables -A OUTPUT -m state --state NEW,ESTABLISHED -t filter -p tcp -s 10.10.10.100 -d 10.10.10.80 --dport 9000 -j ACCEPT
iptables -A INPUT -s 10.10.10.80 -j LOG --log-level 7 --log-prefix "INPUT"
iptables -A OUTPUT -j LOG --log-level 7 --log-prefix "OUTPUT"
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
Basically, I want to block everything (inbound and outbound) unless it is explicitly defined in the iptables script. How does the above rules look? Is there any security concerns?
-
Without a rule to accept loopback access ie. lo network services specific to the client like cups including the x server will not work. Looks like your input and output rules are reversed i.e. dport vs sport and new, established vs established.
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|