1 |
>> Dude, trying to use iptables directly was your first mistake. |
2 |
> no, it wasn't. |
3 |
> |
4 |
> I have written some "small" example script |
5 |
> http://forums.gentoo.org/viewtopic.php?p=377447 |
6 |
> that (IMO) is quite modular... |
7 |
|
8 |
Yes, Timo, it is quite modular and quite thorough. It represents a great |
9 |
job at developing a general set of rules. |
10 |
|
11 |
But I would raise the following issues: |
12 |
|
13 |
1. FTP support: You've allowed for the active ftp protocols on ports 20 & |
14 |
21, but what about passive? This traffic will usually be on the higher |
15 |
ports (typically a range specified in the configuration for the ftp daemon). |
16 |
I do believe that if the ftp daemon tries to open a passive connection |
17 |
outbound it's going to get knocked off at the knees. |
18 |
|
19 |
2. Measure the checks: The more checks that a packet goes through, the |
20 |
longer it will take to travel through the iptables stack. Your script has a |
21 |
lot of checks in it. Consider a pgp packet as it traverses all of the |
22 |
chains etc. that you've specified. You're probably looking at 30+ checks at |
23 |
least (although I haven't counted each individual check, but I'm confident |
24 |
it is quite a large number). That's a significant number of hops and means |
25 |
the packet is going to be hanging around on the box a lot longer than what |
26 |
it really should. |
27 |
|
28 |
3. No detail on why the checks are ordered in the way they are (is there an |
29 |
order?): As #2 indicates, the increased number of checks that a packet |
30 |
needs to be pushed through means it will hang around on the box longer. |
31 |
Therefore they should be ordered to give priority to either a) heavily used |
32 |
ports or b) ports you want to have processed sooner rather than later. |
33 |
|
34 |
4. No reason for accepting specific outbound traffic: I tend to prefer |
35 |
allowing all outbound traffic and filter on those ports that shouldn't be |
36 |
going outbound (i.e. dhcp responses, dns responses, ipp packets, windows |
37 |
networking stuff, known trojan/virus ports). It greatly reduces the number |
38 |
of checks outbound traffic needs to go through. |
39 |
|
40 |
Obviously to improve the throughput you'd have to alter the script to use |
41 |
multiple ports on accept lines. Once you start doing that, though, you lose |
42 |
the modularity that you've built into the script. |
43 |
|
44 |
The point that needs to be made is that there is no 'one iptables script |
45 |
fits all'. Each site, each box for that matter, has it's own set of |
46 |
services and it's own usage criteria. To that end the iptables rules will |
47 |
(should) always vary from box to box, whether it is a server, a desktop, a |
48 |
gateway, or some combination of the three. |
49 |
|
50 |
New users looking to get their boxen online grab scripts like this thinking |
51 |
they are going to secure it for them, yet they don't understand the nuances |
52 |
of the individual rules nor how they are grouped. How many folks that grab |
53 |
the script are going to know what the teamspeak or pgp ports are for and |
54 |
whether they need them or not? How many are going to know that they've |
55 |
exposed their system to incoming teamspeak packets, whether they have |
56 |
teamspeak or not? |
57 |
|
58 |
-- |
59 |
gentoo-user@g.o mailing list |