Security and Technology Ramblings…

Ok, so maybe this is not the “perfect” IP Tables config, but rather a work in progress. Let me know if you see anything you would change. Yeah, I know there are parts that would be customized based on your specific install. I’m looking for general things.


*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:DUMP - [0:0]
:STATEFUL - [0:0]

# DUMP
-A DUMP -p tcp -j LOG
-A DUMP -p udp -j LOG
-A DUMP -p tcp -j REJECT --reject-with tcp-reset
-A DUMP -p udp -j REJECT --reject-with icmp-port-unreachable
-A DUMP -j DROP

# Stateful table
-I STATEFUL -m state --state ESTABLISHED,RELATED -j ACCEPT
-A STATEFUL -m state --state NEW -i ! eth0 -j ACCEPT
-A STATEFUL -j DUMP

# loopback rules
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

# drop reserved addresses incoming (these are reserved addresses
# but may change soon
-A INPUT -i eth0 -s 0.0.0.0/8 -j DUMP
-A INPUT -i eth0 -s 1.0.0.0/8 -j DUMP
-A INPUT -i eth0 -s 2.0.0.0/8 -j DUMP
-A INPUT -i eth0 -s 5.0.0.0/8 -j DUMP
-A INPUT -i eth0 -s 7.0.0.0/8 -j DUMP
#-A INPUT -i eth0 -s 10.0.0.0/8 -j DUMP
-A INPUT -i eth0 -s 23.0.0.0/8 -j DUMP
-A INPUT -i eth0 -s 27.0.0.0/8 -j DUMP
-A INPUT -i eth0 -s 31.0.0.0/8 -j DUMP
-A INPUT -i eth0 -s 36.0.0.0/8 -j DUMP
-A INPUT -i eth0 -s 39.0.0.0/8 -j DUMP
-A INPUT -i eth0 -s 41.0.0.0/8 -j DUMP
-A INPUT -i eth0 -s 42.0.0.0/8 -j DUMP
-A INPUT -i eth0 -s 58.0.0.0/8 -j DUMP
-A INPUT -i eth0 -s 59.0.0.0/8 -j DUMP
-A INPUT -i eth0 -s 60.0.0.0/8 -j DUMP
-A INPUT -i eth0 -s 127.0.0.0/8 -j DUMP
-A INPUT -i eth0 -s 169.254.0.0/16 -j DUMP
#-A INPUT -i eth0 -s 172.16.0.0/12 -j DUMP
#-A INPUT -i eth0 -s 192.168.0.0/16 -j DUMP
-A INPUT -i eth0 -s 197.0.0.0/8 -j DUMP
#-A INPUT -i eth0 -s 224.0.0.0/3 -j DUMP
-A INPUT -i eth0 -s 240.0.0.0/8 -j DUMP

#set iptables to allow everything from my work network
#sbin/iptables -A INPUT -i eth1 -p all -s 160.86.0.0/16 -j ACCEPT
#sbin/iptables -A INPUT -i eth1 -p all -j DROP

# allow certain inbound ICMP types (ping, traceroute..)
-A INPUT -i eth0 -p icmp --icmp-type destination-unreachable -j ACCEPT
-A INPUT -i eth0 -p icmp --icmp-type time-exceeded -j ACCEPT
-A INPUT -i eth0 -p icmp --icmp-type echo-reply -j ACCEPT
-A INPUT -i eth0 -p icmp --icmp-type echo-request -j ACCEPT

# Drop all packets to port 111 except those from localhost
-A INPUT -s ! 127.0.0.0/8 -p tcp --dport 111 -j DROP

# kill off identd quick 
-A INPUT -p tcp -i eth0 --dport 113 -j REJECT --reject-with tcp-reset

# sfs
#-A INPUT -p tcp -i eth0 --dport 4  -j ACCEPT
# ftp
#-A INPUT -p tcp -i eth0 --dport 21 -j ACCEPT
# ssh
-A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT
# www
#-A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
# https
#-A INPUT -p tcp -i eth0 --dport 443 -j ACCEPT
# DHCPd - Enable the following lines if you run an INTERNAL DHCPd server
-A INPUT -i eth0 -p tcp --sport 68 --dport 67 -j ACCEPT
-A INPUT -i eth0 -p udp --sport 68 --dport 67 -j ACCEPT

# Don't log route packets coming from routers - too much logging
#-A INPUT -p udp -i eth0 --dport 520 -j REJECT

# Don't log smb/windows sharing packets - too much logging
#-A INPUT -p tcp -i eth0 --dport 137:139 -j REJECT
#-A INPUT -p udp -i eth0 --dport 137:139 -j REJECT
COMMIT

Leave a Reply