[wplug] iptables sanity check

Drew from Zhrodague drewzhrodague at zhrodague.net
Thu Dec 23 14:17:55 EST 2010


	Looks okay to me. Does it work? You can test with nmap from an outside host.

	Also, I suggest installing an sshblock script to keep the brute forcers out.


On 12/23/10 1:51 PM, Chris Romano wrote:
> It's been a long time since I had to work with iptables and want to
> make sure that I'm not missing anything.  Are there any glaring issues
> with the below?  I pieced together some things.  This server right now
> just needs to host ssh, xmpp, and apache
>
> # iptables -L
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> RH-Firewall-1-INPUT  all  --  anywhere             anywhere
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> RH-Firewall-1-INPUT  all  --  anywhere             anywhere
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain RH-Firewall-1-INPUT (2 references)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere
> ACCEPT     icmp --  anywhere             anywhere            icmp any
> ACCEPT     esp  --  anywhere             anywhere
> ACCEPT     ah   --  anywhere             anywhere
> ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
> ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:xmpp-client
> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:xmpp-server
> REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
>
> Actual rules:
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :RH-Firewall-1-INPUT - [0:0]
> -A INPUT -j RH-Firewall-1-INPUT
> -A FORWARD -j RH-Firewall-1-INPUT
> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
> -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
> -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
> -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5222 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5269 -j ACCEPT
> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
>
>
> Any help would be greatly appreciated.
>
> Thanks,
> Chris


-- 

Drew from Zhrodague		http://www.WiFiMaps.com
drew at zhrodague.net		http://www.pghwireless.net
http://zhrodague.net		http://dorkbot.org/dorkbotpgh
				http://www.hackpittsburgh.org


