| 1 |
>> Dude, trying to use iptables directly was your first mistake. |
| 2 |
> no, it wasn't. |
| 3 |
> |
| 4 |
> I have written some "small" example script |
| 5 |
> http://forums.gentoo.org/viewtopic.php?p=377447 |
| 6 |
> that (IMO) is quite modular... |
| 7 |
|
| 8 |
Yes, Timo, it is quite modular and quite thorough. It represents a great |
| 9 |
job at developing a general set of rules. |
| 10 |
|
| 11 |
But I would raise the following issues: |
| 12 |
|
| 13 |
1. FTP support: You've allowed for the active ftp protocols on ports 20 & |
| 14 |
21, but what about passive? This traffic will usually be on the higher |
| 15 |
ports (typically a range specified in the configuration for the ftp daemon). |
| 16 |
I do believe that if the ftp daemon tries to open a passive connection |
| 17 |
outbound it's going to get knocked off at the knees. |
| 18 |
|
| 19 |
2. Measure the checks: The more checks that a packet goes through, the |
| 20 |
longer it will take to travel through the iptables stack. Your script has a |
| 21 |
lot of checks in it. Consider a pgp packet as it traverses all of the |
| 22 |
chains etc. that you've specified. You're probably looking at 30+ checks at |
| 23 |
least (although I haven't counted each individual check, but I'm confident |
| 24 |
it is quite a large number). That's a significant number of hops and means |
| 25 |
the packet is going to be hanging around on the box a lot longer than what |
| 26 |
it really should. |
| 27 |
|
| 28 |
3. No detail on why the checks are ordered in the way they are (is there an |
| 29 |
order?): As #2 indicates, the increased number of checks that a packet |
| 30 |
needs to be pushed through means it will hang around on the box longer. |
| 31 |
Therefore they should be ordered to give priority to either a) heavily used |
| 32 |
ports or b) ports you want to have processed sooner rather than later. |
| 33 |
|
| 34 |
4. No reason for accepting specific outbound traffic: I tend to prefer |
| 35 |
allowing all outbound traffic and filter on those ports that shouldn't be |
| 36 |
going outbound (i.e. dhcp responses, dns responses, ipp packets, windows |
| 37 |
networking stuff, known trojan/virus ports). It greatly reduces the number |
| 38 |
of checks outbound traffic needs to go through. |
| 39 |
|
| 40 |
Obviously to improve the throughput you'd have to alter the script to use |
| 41 |
multiple ports on accept lines. Once you start doing that, though, you lose |
| 42 |
the modularity that you've built into the script. |
| 43 |
|
| 44 |
The point that needs to be made is that there is no 'one iptables script |
| 45 |
fits all'. Each site, each box for that matter, has it's own set of |
| 46 |
services and it's own usage criteria. To that end the iptables rules will |
| 47 |
(should) always vary from box to box, whether it is a server, a desktop, a |
| 48 |
gateway, or some combination of the three. |
| 49 |
|
| 50 |
New users looking to get their boxen online grab scripts like this thinking |
| 51 |
they are going to secure it for them, yet they don't understand the nuances |
| 52 |
of the individual rules nor how they are grouped. How many folks that grab |
| 53 |
the script are going to know what the teamspeak or pgp ports are for and |
| 54 |
whether they need them or not? How many are going to know that they've |
| 55 |
exposed their system to incoming teamspeak packets, whether they have |
| 56 |
teamspeak or not? |
| 57 |
|
| 58 |
-- |
| 59 |
gentoo-user@g.o mailing list |
Archives