1 |
On Thu, Dec 27, 2012 at 06:50:07PM -0500, Michael Orlitzky wrote |
2 |
|
3 |
> Once you've upgraded, you should be able to add all of your old --state |
4 |
> rules normally, albeit with a warning. The new iptables will translate |
5 |
> them to conntrack rules, and you can `/etc/init.d/iptables save` the result. |
6 |
> |
7 |
> The upgrade just fails in a horrible way. |
8 |
|
9 |
Here's my revised "Paranoia Plus" ruleset. Any comments? Because I'm |
10 |
behind a NAT-ing ADSL router/modem, many of my rules rarely see hits. |
11 |
However, I do have a backup dialup connection in case of problems, so |
12 |
most of my rules don't specify the network interface. A couple of |
13 |
notes... |
14 |
|
15 |
* My little lan is 192.168.123.248/29 |
16 |
* I have a TV tuner box that comes up in the zero-config space, so I |
17 |
have to allow 169.254.0.0/16 |
18 |
* I "dislike" a certain button following me. |
19 |
|
20 |
# Generated by iptables-save v1.4.16.3 on Thu Dec 27 22:43:12 2012 |
21 |
*filter |
22 |
:INPUT DROP [0:0] |
23 |
:FORWARD DROP [0:0] |
24 |
:OUTPUT DROP [0:0] |
25 |
:DROP_LOG - [0:0] |
26 |
:FECESBOOK - [0:0] |
27 |
:ICMP_IN - [0:0] |
28 |
:PRIVATE - [0:0] |
29 |
:PRIVATE_LOG - [0:0] |
30 |
:TCP_IN - [0:0] |
31 |
:UDP_IN - [0:0] |
32 |
:UNSOLICITED - [0:0] |
33 |
[0:0] -A INPUT -s 192.168.123.248/29 -i eth0 -j ACCEPT |
34 |
[0:0] -A INPUT -s 169.254.0.0/16 -i eth0 -j ACCEPT |
35 |
[0:0] -A INPUT -s 69.63.176.0/20 -j FECESBOOK |
36 |
[0:0] -A INPUT -s 69.220.144.0/20 -j FECESBOOK |
37 |
[0:0] -A INPUT -s 69.63.176.0/20 -j FECESBOOK |
38 |
[0:0] -A INPUT -s 69.171.224.0/19 -j FECESBOOK |
39 |
[0:0] -A INPUT -s 200.58.112.0/20 -j FECESBOOK |
40 |
[0:0] -A INPUT -s 213.155.64.0/19 -j FECESBOOK |
41 |
[0:0] -A INPUT -p tcp -m tcp --sport 53 -j ACCEPT |
42 |
[0:0] -A INPUT -p udp -m udp --sport 53 -j ACCEPT |
43 |
[0:0] -A INPUT -i lo -j ACCEPT |
44 |
[0:0] -A INPUT -f -j LOG --log-prefix "FRAGMENTS:" --log-level 6 |
45 |
[0:0] -A INPUT -f -j DROP |
46 |
[0:0] -A INPUT -p tcp -j TCP_IN |
47 |
[0:0] -A INPUT -p udp -j UDP_IN |
48 |
[0:0] -A INPUT -p icmp -j ICMP_IN |
49 |
[0:0] -A INPUT -j LOG --log-prefix "BAD_PROTOCOL:" --log-level 6 |
50 |
[0:0] -A INPUT -j DROP |
51 |
[0:0] -A OUTPUT -d 192.168.123.248/29 -o eth0 -j ACCEPT |
52 |
[0:0] -A OUTPUT -o lo -j ACCEPT |
53 |
[0:0] -A OUTPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT |
54 |
[0:0] -A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT |
55 |
[0:0] -A OUTPUT -p icmp -m icmp --icmp-type 30 -j ACCEPT |
56 |
[0:0] -A OUTPUT -p tcp -m tcp --sport 0:1023 -j DROP_LOG |
57 |
[0:0] -A OUTPUT -p udp -m udp --sport 0:1023 -j DROP_LOG |
58 |
[0:0] -A OUTPUT -p tcp -m tcp --sport 6000:6063 -j DROP_LOG |
59 |
[0:0] -A OUTPUT -p udp -m udp --sport 6000:6063 -j DROP_LOG |
60 |
[0:0] -A OUTPUT -j ACCEPT |
61 |
[0:0] -A DROP_LOG -j LOG --log-level 6 |
62 |
[0:0] -A DROP_LOG -j DROP |
63 |
[0:0] -A FECESBOOK -j LOG --log-prefix "FECESBOOK:" --log-level 6 |
64 |
[0:0] -A FECESBOOK -j DROP |
65 |
[0:0] -A ICMP_IN -p icmp -m conntrack --ctstate NEW -j UNSOLICITED |
66 |
[0:0] -A ICMP_IN -p icmp -m icmp --icmp-type 0 -j PRIVATE |
67 |
[0:0] -A ICMP_IN -p icmp -m icmp --icmp-type 3 -j PRIVATE |
68 |
[0:0] -A ICMP_IN -p icmp -m icmp --icmp-type 4 -j PRIVATE |
69 |
[0:0] -A ICMP_IN -p icmp -m icmp --icmp-type 11 -j PRIVATE |
70 |
[0:0] -A ICMP_IN -p icmp -m icmp --icmp-type 12 -j PRIVATE |
71 |
[0:0] -A ICMP_IN -j LOG --log-prefix "IN_BAD_ICMP:" --log-level 6 |
72 |
[0:0] -A ICMP_IN -j DROP |
73 |
[0:0] -A PRIVATE -s 10.0.0.0/8 -j PRIVATE_LOG |
74 |
[0:0] -A PRIVATE -s 127.0.0.0/8 -j PRIVATE_LOG |
75 |
[0:0] -A PRIVATE -s 172.16.0.0/12 -j PRIVATE_LOG |
76 |
[0:0] -A PRIVATE -s 192.168.0.0/16 -j PRIVATE_LOG |
77 |
[0:0] -A PRIVATE -j ACCEPT |
78 |
[0:0] -A PRIVATE_LOG -j LOG --log-prefix "IN_BAD_ADDR:" --log-level 6 |
79 |
[0:0] -A PRIVATE_LOG -j DROP |
80 |
[0:0] -A TCP_IN -p tcp -m tcp --dport 0:1023 -j DROP_LOG |
81 |
[0:0] -A TCP_IN -p tcp -m tcp --dport 6000:6063 -j DROP_LOG |
82 |
[0:0] -A TCP_IN -p tcp -m tcp --sport 53 -j PRIVATE |
83 |
[0:0] -A TCP_IN -p tcp -m tcp --sport 80 -j PRIVATE |
84 |
[0:0] -A TCP_IN -p tcp -m conntrack --ctstate NEW -m tcp -j UNSOLICITED |
85 |
[0:0] -A TCP_IN -p tcp -j PRIVATE |
86 |
[0:0] -A UDP_IN -p udp -m udp --dport 0:1023 -j DROP_LOG |
87 |
[0:0] -A UDP_IN -p udp -m udp --dport 6000:6063 -j DROP_LOG |
88 |
[0:0] -A UDP_IN -p udp -m udp --sport 53 -j PRIVATE |
89 |
[0:0] -A UDP_IN -p udp -m udp --sport 80 -j PRIVATE |
90 |
[0:0] -A UDP_IN -p udp -m conntrack --ctstate NEW -j UNSOLICITED |
91 |
[0:0] -A UDP_IN -p udp -j PRIVATE |
92 |
[0:0] -A UNSOLICITED -j LOG --log-prefix "UNSOLICITED:" --log-level 6 |
93 |
[0:0] -A UNSOLICITED -j DROP |
94 |
COMMIT |
95 |
# Completed on Thu Dec 27 22:43:12 2012 |
96 |
|
97 |
-- |
98 |
Walter Dnes <waltdnes@××××××××.org> |
99 |
I don't run "desktop environments"; I run useful applications |