[wplug] iptables sanity check
Drew from Zhrodague
drewzhrodague at zhrodague.net
Thu Dec 23 14:17:55 EST 2010
Looks okay to me. Does it work? You can test with nmap from an outside
host.
Also, I suggest installing an sshblock script to keep the brute forcers
out.
On 12/23/10 1:51 PM, Chris Romano wrote:
> It's been a long time since I had to work with iptables and want to
> make sure that I'm not missing anything. Are there any glaring issues
> with the below? I pieced together some things. This server right now
> just needs to host ssh, xmpp, and apache
>
> # iptables -L
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
> RH-Firewall-1-INPUT all -- anywhere anywhere
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
> RH-Firewall-1-INPUT all -- anywhere anywhere
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
>
> Chain RH-Firewall-1-INPUT (2 references)
> target prot opt source destination
> ACCEPT all -- anywhere anywhere
> ACCEPT icmp -- anywhere anywhere icmp any
> ACCEPT esp -- anywhere anywhere
> ACCEPT ah -- anywhere anywhere
> ACCEPT udp -- anywhere anywhere udp dpt:ipp
> ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
> ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
> ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
> ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
> ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:xmpp-client
> ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:xmpp-server
> REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
>
> Actual rules:
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :RH-Firewall-1-INPUT - [0:0]
> -A INPUT -j RH-Firewall-1-INPUT
> -A FORWARD -j RH-Firewall-1-INPUT
> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
> -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
> -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
> -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5222 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5269 -j ACCEPT
> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
>
>
> Any help would be greatly appreciated.
>
> Thanks,
> Chris
--
Drew from Zhrodague http://www.WiFiMaps.com
drew at zhrodague.net http://www.pghwireless.net
http://zhrodague.net http://dorkbot.org/dorkbotpgh
http://www.hackpittsburgh.org
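As an added sanity check (my own example, not code from either poster): a small Python script that parses the iptables-save style rules Chris quoted and reports every TCP/UDP port an ACCEPT rule opens that is not one of the services he said the box needs (ssh, http, xmpp client and server), and whether the custom chain actually ends in a default-deny rule. The intended service set is my assumption taken from his description; the rule text is copied from the message.

```python
import re

# Constructed sample: the -A lines from the iptables-save dump in the message above.
RULES = """\
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5222 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5269 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
"""

# Matches an append rule that accepts a TCP or UDP destination port.
PORT_RE = re.compile(r"^-A (\S+) .*-p (tcp|udp)\b.*--dport (\d+) .*-j ACCEPT$")

# Services the server is meant to expose (assumption from the poster's description).
WANTED = {("tcp", 22), ("tcp", 80), ("tcp", 5222), ("tcp", 5269)}


def accepted_ports(rules):
    """Return the set of (proto, port) pairs opened by an ACCEPT rule in any chain."""
    found = set()
    for line in rules.splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            found.add((m.group(2), int(m.group(3))))
    return found


def unexpected_ports(rules, wanted):
    """Ports that are accepted but not in the intended service list."""
    return sorted(accepted_ports(rules) - set(wanted))


def ends_with_reject(rules, chain):
    """True if the last rule appended to `chain` is a REJECT or DROP (default deny)."""
    last = None
    for line in rules.splitlines():
        if line.startswith(f"-A {chain} "):
            last = line
    return last is not None and ("-j REJECT" in last or "-j DROP" in last)


if __name__ == "__main__":
    for proto, port in unexpected_ports(RULES, WANTED):
        print(f"accepted but not in service list: {proto}/{port}")
    print("chain ends in default deny:", ends_with_reject(RULES, "RH-Firewall-1-INPUT"))
```

Run against the quoted rules it flags the two ipp (631) rules as outside the stated service list and confirms the RH-Firewall-1-INPUT chain closes with a REJECT.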