Setting Your First Rules

Before moving on to more specific rules, you need to set the default policy for each built-in chain and add the connection-tracking ("state") rules that let replies to permitted traffic flow back (see Listing 24-2).

LISTING 24-2 Setting Initial Firewall Rules

    bible:~ # iptables -P INPUT DROP
    bible:~ # iptables -P OUTPUT DROP
    bible:~ # iptables -P FORWARD DROP
    bible:~ # iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    bible:~ # iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    bible:~ # iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

(The state list is comma-separated: ESTABLISHED,RELATED, not ESTABLISHED.RELATED.)

Here, you have set the default policy for all three chains to drop packets. From the moment the first -P command runs, every packet that does not match an ACCEPT rule is silently discarded, regardless of where it comes from. One practical consequence: if you are typing these commands over an SSH session, that session stalls after the first command and only recovers once the ESTABLISHED,RELATED rule on INPUT is in place, so either add the state rules before changing the policies or load the whole set at once with iptables-restore, where a typo cannot leave you locked out of a remote machine.

To set or change the policy of a chain, you specify a policy edit (-P), the chain (INPUT, OUTPUT, or FORWARD), and the target to apply to packets that match no rule. Only the built-in targets ACCEPT and DROP are valid policies; you cannot point a policy at a user-defined chain.

It's a secure feeling knowing that any connection from the Internet that you do not need is dropped rather than rejected: the sender gets no ICMP error or TCP reset and has to wait for a timeout before giving up. Imagine someone running a port scan of all 65,535 TCP ports on the machine. Each probe now times out instead of getting an immediate answer, and the scanner reports the ports as "filtered" rather than "closed". Bear in mind, though, that modern scanners send many probes in parallel with short timeouts, so DROP slows a scan down and hides information from it without actually stopping it. It acts as a mild tar pit for anyone probing the host, not a wall.

The same applies to internal connections. If your users want to find out what they can and cannot connect to without reading the network rules, making them wait for each attempt to time out will, one hopes, deter them from pushing the network too hard.

You have also configured the firewall to be stateful with the -m state match. This tells the firewall to accept, on the INPUT chain, any packet that belongs to a connection already in the connection-tracking table (ESTABLISHED) or that is associated with one, such as an FTP data channel or an ICMP error for an existing flow (RELATED). On current kernels -m state is a thin wrapper around -m conntrack --ctstate; both rely on the nf_conntrack module, and you will see the conntrack form in newer documentation.

This may seem like quite a big security hole, but it accepts only traffic belonging to a connection that was already allowed, never a new connection. For the stateful rule to kick in, some other rule must first have let the connection's initial NEW packet through the chain; the state rule then handles the replies so that you do not have to write a matching rule for the return direction of every service.

Depending on how paranoid you are about security, you may not want to allow all NEW connections originating from the firewall itself, since a compromised firewall could then open any outbound connection it liked. However, if you want to use the firewall machine as a server, or want to be able to "bounce" from the machine to other hosts without the burden of setting up new rules for every protocol or TCP port you want to connect to, it is quite useful.

At this point, your firewall is locked down, with the exception of allowing outgoing connections from the firewall itself and the replies to them. Nothing can be forwarded through it yet, and no new inbound connection is accepted.
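The same initial ruleset, written so that it can be loaded in one atomic step rather than typed command by command, as an added example that is not part of the book's listing. It emits Listing 24-2 in iptables-save format, which iptables-restore installs policies and rules together, and wraps the load in a rollback timer for the case where you are working over SSH. The file name, the 60-second timer and the assumption that you run it as root with iptables-save and iptables-restore installed are the example's own choices.

```shell
#!/bin/sh
# Added example, not from the book: apply the Listing 24-2 policy atomically.

# Emit the ruleset in iptables-save format. The DROP policies (":CHAIN DROP")
# and the ESTABLISHED,RELATED rules are committed in one transaction, so an
# administrator connected over SSH is never stuck between "-P INPUT DROP" and
# the rule that lets the session's return traffic in.
# (-m state --state is the book's syntax; -m conntrack --ctstate is the
# modern equivalent and accepts the same state names.)
gen_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Count lines of the generated ruleset matching a pattern; a cheap sanity
# check before handing the text to iptables-restore.
count_rules() {
    gen_ruleset | grep -c -- "$1"
}

# Load the ruleset with a safety net (assumption: root, iptables-save and
# iptables-restore present). The current rules are saved first, and a
# background job restores them after 60 seconds. If the new rules lock you
# out, you are back in after a minute; if they work, kill the timer.
apply_ruleset() {
    before=$(mktemp) || return 1
    iptables-save > "$before" || return 1
    ( sleep 60 && iptables-restore < "$before" ) &
    rollback=$!
    if gen_ruleset | iptables-restore; then
        echo "rules loaded; run 'kill $rollback' within 60s to keep them"
    else
        echo "iptables-restore failed; previous rules are still in place" >&2
        kill "$rollback"
        return 1
    fi
}
```

Run `gen_ruleset` on its own to inspect the text, and `apply_ruleset` as root to install it. Because the policies and the state rules arrive together, the load either succeeds as a whole or leaves the previous rules untouched.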

Now, suppose you want to allow an incoming SSH connection to the firewall.
