Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-user

From: Nick Khamis <symack@×××××.com>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] IPTables - Going Stateless
Date: Tue, 21 May 2013 16:41:05
Message-Id: CAGWRaZbqsOKtJ06s5toEu-9Qv1rb34QqeR1GsfY2+ka1pMEcsQ@mail.gmail.com
In Reply to: Re: [gentoo-user] IPTables - Going Stateless by Jarry
1 Hello Everyone,
2
3 Thank you so much for your responses. I agree Alan, total pain in the
4 neck!!! But it's a ticket that was passed down to me. We moved the
5 stateful firewalls inside the network, broken down to each department.
6
7 But as a first on site defense on our BGP router running Quagga, we
8 only require stateless for performance reasons. Jerry, thank you so
9 much! I might need some additional help with the three way handsahkes.
10 What I did to stay scalable was:
11
12 Define a chain:
13
14 -N TCP
15
16 Handle two way for a specific service:
17
18 -A TCP -p tcp -m tcp -s 192.168.2.0/24 -d 192.168.2.5 --dport 22 -j ACCEPT
19 -A TCP -p tcp -m tcp -s 192.168.2.5 --sport 22 -d 192.168.2.0/24 -j ACCEPT
20 -A TCP -p tcp -m tcp -s 0.0.0.0/0 -d 192.168.2.5 --dport 22 -j DROP
21
22 Accepting Input and output requests to services included in the chain:
23
24 #echo -e " - Accepting input TCP traffic to open ports"
25 -A INPUT -i $INTIF1 -p tcp -j TCP
26
27 #echo -e " - Accepting output TCP traffic to open ports"
28 -A OUTPUT -o $INTIF1 -p tcp -j TCP
29
30 Dropping Everything Else:
31
32
33 #echo -e " - Dropping input TCP to closed ports"
34 $IPTABLES -A INPUT -i $INTIF1 -p tcp -j REJECT --reject-with tcp-rst
35
36 #echo -e " - Dropping output TCP traffic to closed ports"
37 $IPTABLES -A OUTPUT -o $INTIF1 -p tcp -j REJECT --reject-with tcp-rst
38
39 #echo -e " - Dropping input traffic to remaining protocols sent
40 to closed ports"
41 $IPTABLES -A INPUT -i $INTIF1 -j REJECT --reject-with icmp-proto-unreachable
42
43 #echo -e " - Dropping output traffic to remaining protocols sent
44 to closed ports"
45 $IPTABLES -A OUTPUT -o $INTIF1 -j REJECT --reject-with icmp-proto-unreachable
46
47 Hope this keeps me scalable enough to keep the world of pain at bay as
48 much as possible...
49
50 N.
Report Message
Find on MARC Find on Google Groups