iptables SECURITY - default settings

Ken Snider ksnider at flarn.com
Thu Sep 9 21:25:31 UTC 2004


Wal wrote:
> I am suggesting a more secure default setting-

 > # generated by ____
 > #
 > *filter
 > :INPUT DROP [0:0]
 > :FORWARD DROP [0:0]
 > :OUTPUT DROP [0:0]
 > :SecLev505-INPUT - [0:0]
 > -A SecLev505-INPUT -i lo -s 0/0 -j ACCEPT
 > -A SecLev505-INPUT -p tcp -m tcp -s 0/0 --syn -j DROP
 > -A SecLev505-INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
 > -A SecLev505-INPUT -p udp -m udp -s <DNS_SERVER2> --sport 53 --dport 1025:65535 -j ACCEPT
 > -A SecLev505-INPUT -p udp -m udp -s <DNS_SERVER1> --sport 53 --dport 1025:65535 -j ACCEPT
 > -A SecLev505-INPUT -p all -j DROP
 > -A INPUT -j SecLev505-INPUT
 > :OUTPUT ACCEPT [0:0]
 > COMMIT

I would think the vast majority of the planet would like, at minimum, ssh to
be accessible after an install, on any but the most basic of desktops.

Also, you've cut off any other form of UDP traffic there is; this could impact
media streaming, NFS, SMB, and a host of other perfectly legitimate traffic
that originated at the box itself. This ruleset also doesn't allow *any* ICMP,
including ICMP originating from the box (echo requests would get out, but the
response would be dropped).

Without ICMP related traffic, this box would never receive any sort of ICMP
host/net unreachable messages, connection refused, etc., which would cause
*all* connections that fail to have to wait for the TCP timeout to expire in
order to notify the user there's any issue.

At minimum, you need to accept established/related udp/icmp traffic inbound,
and port 22 inbound as well.

-- 
Ken Snider
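
The minimum described in the reply above, written out as an iptables-restore ruleset. This is an added example, not part of the original post or of any distribution's shipped defaults. It assumes the quoted ruleset's later `:OUTPUT ACCEPT` line is the intended OUTPUT policy, and it keeps the quoted chain name and the `state` match.

```iptables
# Added example (not from the original thread): default-deny inbound with the
# minimum the reply asks for. Assumes OUTPUT ACCEPT is the intended policy.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SecLev505-INPUT - [0:0]
-A INPUT -j SecLev505-INPUT
# Loopback traffic is always allowed.
-A SecLev505-INPUT -i lo -j ACCEPT
# Replies to anything the box itself started, for every protocol:
#   TCP return traffic, UDP answers (DNS, NFS, streaming), and ICMP echo
#   replies all match ESTABLISHED; ICMP errors such as host/net unreachable
#   that refer to a tracked flow match RELATED.
# With this rule the per-server "--sport 53" rules in the quoted ruleset are
# no longer needed, and a remote host cannot reach high UDP ports just by
# sending from source port 53.
-A SecLev505-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# New inbound ssh connections only; every other unsolicited SYN still falls
# through to the final DROP.
-A SecLev505-INPUT -p tcp -m tcp --dport 22 --syn -m state --state NEW -j ACCEPT
# Explicit drop of everything else (the INPUT policy would drop it anyway).
-A SecLev505-INPUT -j DROP
COMMIT
```

The file can be syntax-checked without being applied by passing it to `iptables-restore --test`.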




