My iptables, how does this look?


Results 1 to 2 of 2

Thread: My iptables, how does this look?

  1. #1
    Join Date
    Feb 2014
    Posts
    1

    My iptables, how does this look?

    First my setup:
    Server: 10.10.10.80 (Debian Wheezy)
    Workstation: 10.10.10.100 (Debian Wheezy)

    Services needed for Server-Client comm:
    Open SSH is on port 8000
    NFS is on port 9000

    The script below is for client only. Client does nothing but web browsing, open ssh, and nfs usage. Everything else should be blocked (inbound and outbound).

    Here is the iptables script I have:
    #!/bin/bash
    iptables -F INPUT
    iptables -F OUTPUT
    iptables -F FORWARD

    #input
    iptables -A INPUT -m state --state ESTABLISHED -t filter -p tcp --sport http -d 10.10.10.100 -j ACCEPT
    iptables -A INPUT -m state --state ESTABLISHED -t filter -p udp --sport 53 -d 10.10.10.100 -j ACCEPT
    iptables -A INPUT -m state --state ESTABLISHED -t filter -p tcp --sport https -d 10.10.10.100 -j ACCEPT

    #output
    iptables -A OUTPUT -m state --state NEW,ESTABLISHED -t filter -p tcp --dport http -s 10.10.10.100 -j ACCEPT
    iptables -A OUTPUT -m state --state NEW,ESTABLISHED -t filter -p udp --dport 53 -s 10.10.10.100 -j ACCEPT
    iptables -A OUTPUT -m state --state NEW,ESTABLISHED -t filter -p tcp --dport https -s 10.10.10.100 -j ACCEPT

    #lan_input_wifi
    iptables -A INPUT -m state --state ESTABLISHED -t filter -p tcp -s 10.10.10.80 --sport 8000 -d 10.10.10.100 -j ACCEPT
    iptables -A INPUT -m state --state ESTABLISHED -t filter -p tcp -s 10.10.10.80 --sport 9000 -d 10.10.10.100 -j ACCEPT

    #lan_output_wifi
    iptables -A OUTPUT -m state --state NEW,ESTABLISHED -t filter -p tcp -s 10.10.10.100 -d 10.10.10.80 --dport 8000 -j ACCEPT
    iptables -A OUTPUT -m state --state NEW,ESTABLISHED -t filter -p tcp -s 10.10.10.100 -d 10.10.10.80 --dport 9000 -j ACCEPT

    iptables -A INPUT -s 10.10.10.80 -j LOG --log-level 7 --log-prefix "INPUT"
    iptables -A OUTPUT -j LOG --log-level 7 --log-prefix "OUTPUT"

    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP



    Basically, I want to block everything (inbound and outbound) unless it is explicitly defined in the iptables script. How does the above rules look? Is there any security concerns?

  2. #2
    Join Date
    May 2002
    Posts
    1,228
    Without a rule to accept loopback access ie. lo network services specific to the client like cups including the x server will not work. Looks like your input and output rules are reversed i.e. dport vs sport and new, established vs established.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •