Security Basics mailing list archives

RE: Basic rules for IPTABLES protection


From: "Michael Sconzo" <msconzo () tamu edu>
Date: Mon, 25 Nov 2002 16:38:49 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

You should block ALL private IP ranges, both ingress and egress from
your firewall.
This also entails 192.168.0.0/16 and 172.16.0.0/12 including the
10.0.0.0/8.  Other good things to block:
Internal IPs on the external interface
127.0.0.0/8 (loopback) on internal or external interfaces
You could also filter ICMP inbound and outbound
Also, make sure to only allow the necessary inbound/outbound ports.

A good rule of thumb is that which is not explicitly allowed should
be denied.

This is by no means a comprehensive list of things to filter but it's
a good starting set.

-Mike

-----Original Message-----
From: Erick Arturo Perez Huemer [mailto:eperez () compuservice net]
Sent: Saturday, November 23, 2002 12:28 AM
To: security-basics () securityfocus com
Subject: Basic rules for IPTABLES protection


I am about to install a RedHat 8.0 box with iptables to act as our
firewall for our internal network that consists of 20 machines.

Besides doing a -j DROP on our external interface when it receives a
packet with a source equal to our internal network, what other measures
do we have to take?

We do host an SMTP server but nothing else. I have read about blocking
10.x.x.x addresses but also read that "some" routers/sites use those
addresses. Any anti-DoS rules? More settings?

Or maybe a link to a site that offers suggestions for proper firewall
configurations...

Thanks in advance,

Erick.

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

iQA/AwUBPeKlcC76iJsaBRvcEQJo7ACgiHb0SiP3rSd1GKhPFiAcSMyuE98AniUc
gOFlS+5ZAUFPC9YDf+33tLpr
=YYwj
-----END PGP SIGNATURE-----
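The following is an added example, not code from either poster: a dry-run iptables script that turns Mike's checklist into rules for the setup Erick describes (a two-interface Linux firewall that also hosts SMTP). Private ranges and loopback are dropped on ingress and egress with a rate-limited LOG before the DROP so spoofing attempts show up in syslog, ICMP is cut down to the types needed for working TCP/IP, all three chains default to DROP, and only SMTP is accepted from the outside. Everything specific is assumed: eth0 as the external interface, eth1 as the internal one, 192.168.1.0/24 as the LAN, and an IPT variable that defaults to printing the commands instead of applying them.

```shell
#!/bin/sh
# Added example, not from the original thread: iptables rules implementing
# the advice above. Assumed (constructed) values: external interface eth0,
# internal interface eth1, LAN 192.168.1.0/24. IPT defaults to a dry run that
# prints the commands; run as root with IPT=iptables to apply them.

IPT="${IPT:-echo iptables}"
EXT_IF="${EXT_IF:-eth0}"
INT_IF="${INT_IF:-eth1}"
LAN="${LAN:-192.168.1.0/24}"

# RFC 1918 space plus loopback: never legitimate on the external interface.
BOGONS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8"

set_default_deny() {
    # Start clean, then make "not explicitly allowed" mean "denied".
    $IPT -F
    $IPT -X
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP
}

block_bogons() {
    for net in $BOGONS; do
        # Ingress: a private source arriving from outside is spoofed.
        # Log a rate-limited sample first so the attempts are visible.
        $IPT -A INPUT   -i "$EXT_IF" -s "$net" -m limit --limit 5/min \
            -j LOG --log-prefix "SPOOF-IN: "
        $IPT -A INPUT   -i "$EXT_IF" -s "$net" -j DROP
        $IPT -A FORWARD -i "$EXT_IF" -s "$net" -j DROP
        # Egress: private destinations must not leave via the external link.
        $IPT -A OUTPUT  -o "$EXT_IF" -d "$net" -j DROP
        $IPT -A FORWARD -o "$EXT_IF" -d "$net" -j DROP
    done
    # Our own LAN range as a source on the external interface is spoofed too.
    $IPT -A INPUT   -i "$EXT_IF" -s "$LAN" -j DROP
    $IPT -A FORWARD -i "$EXT_IF" -s "$LAN" -j DROP
    # Loopback traffic is only legitimate on lo.
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
}

restrict_icmp() {
    # Keep only the ICMP types TCP/IP needs (errors, path MTU, replies to
    # our own pings); every other type falls through to the DROP policy.
    for t in destination-unreachable time-exceeded echo-reply; do
        $IPT -A INPUT -i "$EXT_IF" -p icmp --icmp-type "$t" -j ACCEPT
    done
    $IPT -A OUTPUT -o "$EXT_IF" -p icmp --icmp-type echo-request -j ACCEPT
    $IPT -A OUTPUT -o "$EXT_IF" -p icmp --icmp-type destination-unreachable -j ACCEPT
}

allow_services() {
    # Stateful: anything this host or the LAN started may continue.
    $IPT -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The only published service: SMTP on the firewall itself.
    $IPT -A INPUT -i "$EXT_IF" -p tcp --dport 25 -m state --state NEW -j ACCEPT
    # The mail server needs outbound SMTP and DNS to do its job.
    $IPT -A OUTPUT -o "$EXT_IF" -p tcp --dport 25 -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT -o "$EXT_IF" -p udp --dport 53 -m state --state NEW -j ACCEPT
    # LAN hosts go out through NAT; nothing new is forwarded inbound.
    $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LAN" -m state --state NEW -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN" -j MASQUERADE
    # Management (SSH) only from the LAN side, never from the outside.
    $IPT -A INPUT -i "$INT_IF" -s "$LAN" -p tcp --dport 22 -m state --state NEW -j ACCEPT
}

build_firewall() {
    set_default_deny
    block_bogons
    restrict_icmp
    allow_services
}

# Executed directly with the default IPT this prints the rules in order.
build_firewall
```

Run it once with the default IPT to review the generated commands, then with IPT=iptables as root; iptables-save captures the result for reloading at boot. One caveat that answers Erick's "some routers use 10.x" worry: if the ISP numbers its hops from RFC 1918 space, the ingress rule also discards the time-exceeded and destination-unreachable messages those hops send, so traceroute through them and path MTU discovery past them stop working. Whether that trade-off is acceptable depends on the upstream, and the LOG line makes it easy to see which addresses are actually being dropped.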

