Re: iptables problem forwarding

[Marco Thorbruegge <thorbruegge () cert dfn de>]

-----BEGIN PGP SIGNED MESSAGE-----

> iptables -t nat --flush

You do this twice. Why?

> #enable connection tracking
> iptables -I FORWARD -m state --state INVALID -j DROP
> iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

Looks good.

Why do you not put the same for INPUT and OUTPUT here?

> #allowing one service on this machine ssh
> iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT
> iptables -A INPUT -p udp -i eth0 --dport 22 -j ACCEPT

Whats that? Why UDP? Delete the second rule. And put a "-m state --state 
NEW" into the first one.

> iptables -A INPUT -p tcp -i eth1 --dport 22-j ACCEPT
> iptables -A INPUT -p tcp -i eth1 --dport 22 -j ACCEPT

same here.

[...]

> # accept established connections
> iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j
> ACCEPT

You need the same thing for OUTPUT.

> iptables -A FORWARD -i eth0 -p tcp ! --syn -m state --state NEW -j
> LOG --log-prefix "new no-SYN: "

Put that somewhere at the beginning. Same thing for INPUT and OUTPUT 
(yes, OUTPUT too!).

> iptables -A FORWARD -i eth0 -p tcp ! --syn -m state --state NEW -j
> DROP

You can put -j LOG and -j DROP into one rule. Or create a dedicated 
chain for logging and dropping.

> iptables -A FORWARD -i eth0 -p tcp --tcp-flags ACK ACK -m state
> --state NEW -j LOG --log-prefix "New ACK: "

No Packet will match that rule. It will be matched by the 2 rules 
before.

> #enforcing TCP standards
> iptables -A INPUT -p tcp --tcp-option \! 2 -j
> LOG --log-tcp-options --log-prefix "TCP standards not met: "
> iptables -A INPUT -p tcp --tcp-option \! 2 -j REJECT --reject-with
> tcp-reset iptables -A INPUT -p tcp -j LOG -m limit --limit 500/hour
> --limit-burst 500 --log-prefix "MIRROR: "
> iptables -A INPUT -p tcp -j MIRROR -m limit --limit 500/hour
> --limit-burst 500

I can not see the point in that ones.

BTW: MIRROR is evil.

> iptables -t nat -F
> iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source x.x.x.x
> iptables -P INPUT DROP

I thought you want to make DNAT!?

HTH (a little),
Marco
- -- 
Marco Thorbruegge        |              mailto:thorbruegge () cert dfn de
DFN-CERT GmbH            |          http://www.cert.dfn.de/team/matho/
Heidenkampsweg 41        |                    Phone: +49(40)808077-555
D-20097 Hamburg/Germany  |                      FAX: +49(40)808077-556
PGP-Key: 0xAE662425 Fingerpr.: 7E5C A77A F91D 63D1 02AB 9526 53FF F1A0 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (SunOS)

iQEVAwUBPolBKXsh3gGuZiQlAQG3ygf+JQ02FY+Ca9DfU6iLWWU6Bk3EjVukFqVS
S2YvuxKkgrJ+kuAuNWAMQTw67aLk5ddSRl9mQothrzErSzmU7SC0kG/epx7JmLfb
5jyXFbqN52eEI09Uf61GkdQGqzMQomW7oL7saeoDMqHacJc5/Tw/eu24ktfg8KxV
c2zD7Id1Sth/tUs8NvUB7uhpzN7f0dKIiOjGnEvl+4ThZ0Q7EzbYdQtU2GC0yMGH
4YLE07oG6pZTvW6/fjNh6rpOUb6dceGn/i2msBO3FmM3rBh3PiipxiSfkKzMLOLw
Sio7nmkZFEz6c3csm95Tro53dPsM+Ktj/H/Z/9l8gjIOfgilKN7eMQ==
=90FZ
-----END PGP SIGNATURE-----

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards