
UPDATE

Boy am I glad I asked. OK, I'll try again and post another question.


I'd like to set up a CentOS 5.3 host to allow only ping, ssh, httpd, and SSL connections.

After reading a tutorial and attempting to create a config here's where I'm at...

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
REJECT     all  --  anywhere             127.0.0.0/8         reject-with icmp-port-unreachable 
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh 
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request 
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain RH-Firewall-1-INPUT (0 references)
target     prot opt source               destination

It looks to me as though I've accomplished my goal, but I thought I would double check with the experts here.

Anything look drastically wrong?

Agvorth

3 Answers


Your policies (except output) should be set to drop (the following code assumes no rules are in place).

Start with this:


# drop packets conntrack cannot classify, then admit replies to our own traffic
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# loopback matched by interface, all of ICMP allowed
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
# only now flip the default policies, so nothing is cut off before the accepts exist
iptables -P INPUT DROP
iptables -P FORWARD DROP

Now add any other services that you may need listening on an interface:


iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT

Don't use REJECT unless you limit it... remember that for every packet that's rejected, one will be sent back; this can create a lot of traffic. I say just don't use it.

I've got a thing I wrote for desktop usage here.


It looks like you are set to deny anything trying to use TCP to communicate with the local host. I would avoid that, because there are several legitimate things[citation needed] that would be prevented by that.

Kevin M

The only thing drastically wrong is that you're blocking ICMP. Very very bad idea. This breaks PMTU discovery. Just let ICMP through.

I'm assuming you've just added this in for testing, but:

ACCEPT     all  --  anywhere             anywhere

allows all traffic. So, this ruleset does nothing.

You're also breaking:

  • internal services talking on loopback (rule should say "packets not coming in on lo")
  • ping replies (let ICMP through!)

Suggestions:

  • Why not add state NEW to your dpt:http and dpt:https as well?
MikeyB
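An added example (not code from the question or from any of the answers) that pulls the three answers together: INPUT and FORWARD policy DROP, loopback accepted by interface rather than by destination, all of ICMP admitted so PMTU discovery keeps working, no REJECT target, and state NEW on every service port, ssh included, since the question asks for it and the first answer's snippet only lists 80 and 443. It is written as an iptables-restore file, the format CentOS 5 keeps in /etc/sysconfig/iptables, with a small lint pass that can also be pointed at the output of iptables-save on a running box. Assumed: sshd on port 22 (SSH_PORT overrides it) and root to apply.

```shell
#!/bin/sh
# Added example (not from the question or answers): the ruleset the answers
# converge on, as an iptables-restore file so the whole set loads atomically.
# Assumptions: sshd on port 22 (override with SSH_PORT), CentOS 5 layout.
SSH_PORT=${SSH_PORT:-22}

# Emit the ruleset in iptables-save format; '#' lines are ignored by iptables-restore.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback is matched by interface, not by a 127.0.0.0/8 destination
-A INPUT -i lo -j ACCEPT
# drop untracked/malformed packets, then admit replies to our own traffic
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# all of ICMP, not just echo-request: PMTU discovery relies on the error types
-A INPUT -p icmp -j ACCEPT
# new connections only to the services the host actually offers
-A INPUT -p tcp -m state --state NEW --dport $SSH_PORT -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 443 -j ACCEPT
COMMIT
EOF
}

# Audit a ruleset in iptables-save format read from stdin (output of gen_rules,
# or of iptables-save on a live host); returns 1 on the first problem found.
lint_rules() {
    r=$(cat)
    has() { printf '%s\n' "$r" | grep -q -- "$1"; }
    if has '^-A INPUT -j ACCEPT$'; then echo "blanket ACCEPT on INPUT" >&2; return 1; fi
    if has '-j REJECT'; then echo "REJECT target used" >&2; return 1; fi
    if ! has '^:INPUT DROP'; then echo "INPUT policy is not DROP" >&2; return 1; fi
    if ! has '^:FORWARD DROP'; then echo "FORWARD policy is not DROP" >&2; return 1; fi
    if ! has '^-A INPUT -i lo -j ACCEPT$'; then echo "no loopback accept" >&2; return 1; fi
    return 0
}

# Load the whole set in one go; afterwards "service iptables save" on CentOS 5
# writes it to /etc/sysconfig/iptables so it survives a reboot.
apply_rules() {
    gen_rules | lint_rules || return 1
    [ "$(id -u)" -eq 0 ] || { echo "apply needs root" >&2; return 1; }
    gen_rules | iptables-restore
}
if [ "${1:-}" = "apply" ]; then apply_rules; else gen_rules; fi
```

When posting a ruleset for review, use iptables-save (or iptables -L -v) rather than plain iptables -L: without -v the in/out interface columns are hidden, so a `-i lo` accept rule prints as a bare `ACCEPT all anywhere anywhere` and looks like a blanket accept.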