iptables SECURITY - default settings
Alexander Dalloz
alexander.dalloz at uni-bielefeld.de
Thu Sep 9 15:30:32 UTC 2004
On Thu, 09.09.2004 at 4:29, Wal wrote:
> Is it possible to have the Fedora Core
> default, out-of-the-box iptables settings
> be more like the following?
>
> RelatedComponent- system-config-securitylevel
> File- /etc/sysconfig/iptables
>
> # generated by ____
> #
> *filter
> :INPUT DROP [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT DROP [0:0] <-- this or the last but one line? this would be nonsense in my eyes
> :SecLev505-INPUT - [0:0]
Any good reason why you use -I (= insert), so that all rules have to be
read from bottom to top? As iptables works through the rules from top to
bottom, such a reading of the config file is the reverse of that.
> -I SecLev505-INPUT -p all -j DROP
With a DROP policy this is redundant. And I would not like a default
DROPping. If something like that, then a REJECT rule (the policy can't be set
to REJECT).
> -I SecLev505-INPUT -p udp -m udp -s <DNS_SERVER1>
> --sport 53 --dport 1025:65535 -j ACCEPT
> -I SecLev505-INPUT -p udp -m udp -s <DNS_SERVER2>
> --sport 53 --dport 1025:65535 -j ACCEPT
DNS uses not only UDP but TCP too. Wouldn't incoming answers from DNS
servers already be caught by the rule below (which comes first in order)?
> -I SecLev505-INPUT -p tcp -m state --state
> ESTABLISHED,RELATED -j ACCEPT
> -I SecLev505-INPUT -p tcp -m tcp -s 0/0 --syn -j DROP
> -I SecLev505-INPUT -i lo -s 0/0 -j ACCEPT
> -I INPUT -j SecLev505-INPUT
> :OUTPUT ACCEPT [0:0] <-- compare with above OUTPUT policy line
> COMMIT
Alexander
--
Alexander Dalloz | Enger, Germany | GPG key 1024D/ED695653 1999-07-13
Fedora GNU/Linux Core 2 (Tettnang) kernel 2.6.8-1.521smp
Serendipity 17:20:56 up 10 days, 14:37, load average: 0.30, 0.25, 0.23
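As an added example that is not part of this thread: the quoted ruleset (condensed, with 192.0.2.53 as a constructed stand-in for DNS_SERVER1) next to a version rewritten along the lines of the reply, plus a small awk lint that flags the four points raised (-I ordering, a second OUTPUT policy, a DROP rule redundant under a DROP policy, and a state rule limited to tcp that leaves UDP DNS replies to explicit rules).

```shell
#!/bin/sh
# Added example, not from the original thread. Placeholder address 192.0.2.53
# is constructed; it stands in for <DNS_SERVER1> from the quoted message.
# The quoted ruleset as posted (condensed): -I rules, tcp-only state rule, etc.
original_ruleset() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:SecLev505-INPUT - [0:0]
-I SecLev505-INPUT -p all -j DROP
-I SecLev505-INPUT -p udp -m udp -s 192.0.2.53 --sport 53 --dport 1025:65535 -j ACCEPT
-I SecLev505-INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
-I SecLev505-INPUT -p tcp -m tcp -s 0/0 --syn -j DROP
-I SecLev505-INPUT -i lo -s 0/0 -j ACCEPT
-I INPUT -j SecLev505-INPUT
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
}

# Rewritten with -A so file order equals evaluation order; the state rule
# is no longer tcp-only (so UDP DNS replies match it) and the chain ends in REJECT.
fixed_ruleset() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SecLev505-INPUT - [0:0]
-A INPUT -j SecLev505-INPUT
-A SecLev505-INPUT -i lo -j ACCEPT
-A SecLev505-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A SecLev505-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Lint a ruleset read on stdin: print each finding, a count, and exit 1 if any.
lint_ruleset() {
  awk '
    /^-I /                        { if (!ins++) { n++; print "-I used: file order is reversed" } }
    /^:OUTPUT /                   { if (++out > 1) { n++; print "OUTPUT policy set twice" } }
    /^:INPUT DROP/                { dp = 1 }
    /^-[AI] .* -j DROP$/ && dp && !/--syn/ { n++; print "DROP rule redundant under DROP policy" }
    /-p tcp .*--state ESTABLISHED/ { n++; print "state rule tcp-only: UDP DNS replies not matched" }
    END { print n+0 " issue(s)"; exit (n > 0) }
  '
}
```

Run as `original_ruleset | lint_ruleset` to see the four findings; the fixed ruleset reports none.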