* Firewall Rules Help
@ 2009-08-21 15:41 NICHOLAS KLINE
From: NICHOLAS KLINE @ 2009-08-21 15:41 UTC (permalink / raw)
  To: netfilter

Hi,

Thanks to everyone who constructively critiqued my previous firewall
rules and provided advice. After reading through all of the feedback,
I revised my firewall rules. I would appreciate it if you would please
critique them again.

The situation remains the same:
- laptop running desktop version of Ubuntu 8.x
- laptop will be used on either a private LAN or public network
- laptop will switch between wired and wireless network
- no server services will be running (HTTPD, FTP, etc.)

Remaining Questions:
1.) If I change from wired to wireless, will these rules still apply?


Revised Firewall Rules
-----------------------------

# Establish some variables:

# Location of IPTABLES on your system
IPTABLES="/sbin/iptables"


# SETUP:

# Flush active rules and custom tables
$IPTABLES --flush
$IPTABLES -t nat --flush
$IPTABLES -t mangle --flush

$IPTABLES --delete-chain
$IPTABLES -t nat --delete-chain
$IPTABLES -t mangle --delete-chain

# Give free rein to the loopback interface, i.e. local processes may connect
# to other processes' listening ports.
$IPTABLES -A INPUT  -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

# Set default policies for all chains.
# User-defined chains cannot be assigned default policies.
# NAT and mangle tables use default ACCEPT policies.
# DROP in nat table is prohibited in newer iptables.
# DROP in mangle table creates hassle.
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT


# INBOUND POLICY:

# Accept inbound packets that are part of previously-OK'ed sessions
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Log and drop anything not accepted above
$IPTABLES -A INPUT -j LOG --log-prefix "Dropped by default (INPUT):"


# OUTBOUND POLICY:
# Allow all outbound traffic.


# Log & drop ALL incoming packets destined anywhere but here.
$IPTABLES -A FORWARD -j LOG --log-prefix "Attempted FORWARD? Dropped:"

--- End of rules ---


* Re: Firewall Rules Help
From: Mart Frauenlob @ 2009-08-22 11:42 UTC (permalink / raw)
  To: netfilter; +Cc: NICHOLAS KLINE

NICHOLAS KLINE wrote:
> Hi,
>
> Thanks to everyone who constructively critiqued my previous firewall
> rules and provided advice. After reading through all of the feedback,
> I revised my firewall rules. I would appreciate it if you would please
> critique them again.
>
> The situation remains the same:
> - laptop running desktop version of Ubuntu 8.x
> - laptop will be used on either a private LAN or public network
> - laptop will switch between wired and wireless network
> - no server services will be running (HTTPD, FTP, etc.)
>
> Remaining Questions:
> 1.) If I change from wired to wireless, will these rules still apply?
>   

Of course they will apply; the question is whether they work as you want
;-).
But from my point of view they should fulfill your described goal, as
you do not use IP addresses or interfaces (which could change) in your
ruleset.
>
> Revised Firewall Rules
> -----------------------------
>
> # Establish some variables:
>
> # Location of IPTABLES on your system
> IPTABLES="/sbin/iptables"
>
>
> # SETUP:
>
> # Flush active rules and custom tables
> $IPTABLES --flush
> $IPTABLES -t nat --flush
> $IPTABLES -t mangle --flush
>
> $IPTABLES --delete-chain
> $IPTABLES -t nat --delete-chain
> $IPTABLES -t mangle --delete-chain
>
> # Give free rein to the loopback interface, i.e. local processes may connect
> # to other processes' listening ports.
> $IPTABLES -A INPUT  -i lo -j ACCEPT
> $IPTABLES -A OUTPUT -o lo -j ACCEPT
>   
This output rule is not needed, as the policy will allow.
> # Set default policies for all chains.
> # User-defined chains cannot be assigned default policies.
> # NAT and mangle tables use default ACCEPT policies.
> # DROP in nat table is prohibited in newer iptables.
> # DROP in mangle table creates hassle.
> $IPTABLES -P INPUT DROP
> $IPTABLES -P FORWARD DROP
> $IPTABLES -P OUTPUT ACCEPT
>
>
> # INBOUND POLICY:
>
> # Accept inbound packets that are part of previously-OK'ed sessions
> $IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> # Log and drop anything not accepted above
> $IPTABLES -A INPUT -j LOG --log-prefix "Dropped by default (INPUT):"
>
>
> # OUTBOUND POLICY:
> # Allow all outbound traffic.
>
>
> # Log & drop ALL incoming packets destined anywhere but here.
> $IPTABLES -A FORWARD -j LOG --log-prefix "Attempted FORWARD? Dropped:"
>
> --- End of rules ---
>   

Your logs will eventually grow fast; think of using the 'limit'
extension for logging.

Greets

Mart
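Added example, written for this page and not part of either message: the ruleset from the first post as a POSIX shell script with the reply's two remarks applied, i.e. the redundant OUTPUT loopback rule removed and both LOG rules rate-limited with the limit match. It assumes iptables at /sbin/iptables (override with IPTABLES=...); the DRY_RUN switch, the 5/min rate and burst of 10, and the count_rules helper are assumptions of this example, added so the generated rules can be inspected without root.

```shell
#!/bin/sh
# Added example (not the poster's script): the thread's ruleset with the
# reply's two remarks applied. Assumes iptables lives at /sbin/iptables;
# override with IPTABLES=... . With DRY_RUN=1 the commands are printed
# instead of executed, so the ruleset can be reviewed without root.
IPTABLES="${IPTABLES:-/sbin/iptables}"

# Assumed rate-limit values: at most 5 log lines per minute after an
# initial burst of 10, so a port scan cannot flood the kernel log.
LOG_RATE="${LOG_RATE:-5/min}"
LOG_BURST="${LOG_BURST:-10}"

# run: execute iptables, or print the command line in dry-run mode.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

apply_rules() {
    # Flush rules and delete custom chains in every table.
    for t in filter nat mangle; do
        run -t "$t" --flush
        run -t "$t" --delete-chain
    done

    # Default policies: drop what is not explicitly allowed on INPUT and
    # FORWARD; allow all outbound, so OUTPUT needs no rules at all.
    run -P INPUT DROP
    run -P FORWARD DROP
    run -P OUTPUT ACCEPT

    # Loopback: only the INPUT side needs a rule; as the reply notes, the
    # OUTPUT counterpart is already covered by the ACCEPT policy.
    run -A INPUT -i lo -j ACCEPT

    # Replies to connections this host opened. No address or interface is
    # named, so the rules hold after a switch between wired and wireless.
    run -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    # Log what the DROP policies will discard, rate-limited with the limit
    # match as the reply suggests. --log-prefix is capped at 29 characters.
    run -A INPUT -m limit --limit "$LOG_RATE" --limit-burst "$LOG_BURST" \
        -j LOG --log-prefix "Dropped by default (INPUT):"
    run -A FORWARD -m limit --limit "$LOG_RATE" --limit-burst "$LOG_BURST" \
        -j LOG --log-prefix "Dropped by default (FWD):"
}

# count_rules PATTERN: number of generated commands matching PATTERN.
# Self-check helper of this example; always runs in dry-run mode.
count_rules() {
    ( DRY_RUN=1; apply_rules ) | grep -c -- "$1"
}

# Usage: review with `DRY_RUN=1 sh fw.sh --apply`, install as root with
# `sh fw.sh --apply`.
if [ "${1:-}" = "--apply" ]; then
    apply_rules
fi
```

Running the script with DRY_RUN=1 lists exactly the commands that would be issued, which is the easiest way to confirm that no OUTPUT rule is emitted, that every LOG rule carries `-m limit`, and that nothing in the set is bound to an interface or address that changes between wired and wireless.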

