Gentoo Archives: gentoo-user

From: Nick Khamis <symack@×××××.com>
To: gentoo-user <gentoo-user@l.g.o>
Subject: [gentoo-user] IPTables - Going Stateless
Date: Tue, 21 May 2013 15:07:51
Message-Id: CAGWRaZY=pcySQ0uDADXx=wEiqf9RinGtBz3rVYxXuxuSy+vThA@mail.gmail.com
Hello Everyone,

We recently moved our stateful firewall inside, and would like to
strip down the firewall at our router connected to the outside world.
The problem I am experiencing is getting things to work properly
without connection tracking. I hope I am not in breach of mailing list
rules; however, a stripped-down configuration is as follows:

#!/bin/bash
IPTABLES='/sbin/iptables'

#Set interface values
INTIF1='eth0'

#flush rules and delete chains
$IPTABLES -F
$IPTABLES -X

#echo -e " - Accepting input lo traffic"
$IPTABLES -A INPUT -i lo -j ACCEPT

#echo -e " - Accepting output lo traffic"
$IPTABLES -A OUTPUT -o lo -j ACCEPT

#echo -e " - Defined Chains"
$IPTABLES -N TCP
$IPTABLES -N UDP

#echo -e " - Accepting SSH Traffic"
$IPTABLES -A TCP -p tcp -m tcp -s 192.168.2.0/24 -d 192.168.2.5 --dport 22 -j ACCEPT
$IPTABLES -A TCP -p tcp -m tcp -s 0.0.0.0/0 -d 192.168.2.5 --dport 22 -j DROP

#echo -e " - Accepting input TCP and UDP traffic to open ports"
$IPTABLES -A INPUT -i $INTIF1 -p tcp --syn -j TCP
$IPTABLES -A INPUT -i $INTIF1 -p udp -j UDP

#echo -e " - Accepting output TCP and UDP traffic to open ports"
$IPTABLES -A OUTPUT -o $INTIF1 -p tcp --syn -j TCP
$IPTABLES -A OUTPUT -o $INTIF1 -p udp -j UDP

#echo -e " - Dropping input TCP and UDP traffic to closed ports"
# $IPTABLES -A INPUT -i $INTIF1 -p tcp -j REJECT --reject-with tcp-rst
# $IPTABLES -A INPUT -i $INTIF1 -p udp -j REJECT --reject-with icmp-port-unreachable

#echo -e " - Dropping output TCP and UDP traffic to closed ports"
# $IPTABLES -A OUTPUT -o $INTIF1 -p tcp -j REJECT --reject-with tcp-rst
# $IPTABLES -A OUTPUT -o $INTIF1 -p udp -j REJECT --reject-with icmp-port-unreachable

#echo -e " - Dropping input traffic to remaining protocols sent to closed ports"
# $IPTABLES -A INPUT -i $INTIF1 -j REJECT --reject-with icmp-proto-unreachable

#echo -e " - Dropping output traffic to remaining protocols sent to closed ports"
# $IPTABLES -A OUTPUT -o $INTIF1 -j REJECT --reject-with icmp-proto-unreachable

Everything works fine with the REJECT rules commented out, but when
included SSH access is blocked out. Not sure why; isn't the sequence
correct (i.e., the ACCEPT entries before the DROP and REJECT)?

Also, any pointers or heads up when going stateless would be greatly
appreciated.

Kind Regards,

Nick
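As an added illustration (not part of Nick's post or of the replies), the following Python model walks the INPUT chain of the script above with the REJECT rules enabled: because `-p tcp --syn -j TCP` only sends initial SYN packets to the TCP chain, every later packet of an SSH session falls through to the `-p tcp -j REJECT` rule. The `accept_non_syn` toggle models one stateless substitute for ESTABLISHED matching (accepting non-SYN TCP before the REJECT); that rule, and the sample packets, are my constructions, not anything in the thread.

```python
"""Model of iptables INPUT traversal for the stateless ruleset in the post.
Constructed example: rules re-typed from the script with REJECTs enabled."""
import ipaddress
from collections import namedtuple

# syn is True only when SYN is set and ACK/RST/FIN are clear, like iptables --syn
Packet = namedtuple("Packet", "iface proto src dst dport syn", defaults=(0, False))

def matches(match, pkt):
    # Every key in the match must agree with the packet; src_net is a CIDR test.
    for key, want in match.items():
        if key == "src_net":
            if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(want):
                return False
        elif getattr(pkt, key) != want:
            return False
    return True

def traverse(chains, name, pkt):
    # Walk one chain; return a terminal verdict, or None if the chain RETURNs.
    for match, target in chains[name]:
        if not matches(match, pkt):
            continue
        if target in chains:                 # -j to a user-defined chain
            result = traverse(chains, target, pkt)
            if result is not None:
                return result                # the user chain decided
            continue                         # fell off its end: RETURN, keep walking
        return target                        # ACCEPT / DROP / REJECT
    return None

def build_chains(accept_non_syn=False):
    inp = [({"iface": "lo"}, "ACCEPT"),
           ({"iface": "eth0", "proto": "tcp", "syn": True}, "TCP"),   # only SYNs reach TCP
           ({"iface": "eth0", "proto": "udp"}, "UDP")]
    if accept_non_syn:   # my stateless stand-in for ESTABLISHED: pass non-SYN TCP
        inp.append(({"iface": "eth0", "proto": "tcp", "syn": False}, "ACCEPT"))
    inp += [({"iface": "eth0", "proto": "tcp"}, "REJECT"),              # the REJECT rules
            ({"iface": "eth0", "proto": "udp"}, "REJECT"),              # from the script,
            ({"iface": "eth0"}, "REJECT")]                              # uncommented
    tcp = [({"src_net": "192.168.2.0/24", "dst": "192.168.2.5", "dport": 22}, "ACCEPT"),
           ({"dst": "192.168.2.5", "dport": 22}, "DROP")]
    return {"INPUT": inp, "TCP": tcp, "UDP": []}

def verdict(pkt, accept_non_syn=False):
    # The script sets no policy, so falling off INPUT means the default ACCEPT.
    return traverse(build_chains(accept_non_syn), "INPUT", pkt) or "ACCEPT"
```

Feeding a SYN and then a plain ACK from 192.168.2.10 to port 22 returns ACCEPT for the SYN and REJECT for the ACK, which reproduces the blocked session; the OUTPUT chain has the same shape and drops the server's SYN-ACK for the same reason.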

Replies

Subject Author
Re: [gentoo-user] IPTables - Going Stateless Alan McKinnon <alan.mckinnon@×××××.com>
Re: [gentoo-user] IPTables - Going Stateless Jarry <mr.jarry@×××××.com>