iptables SECURITY - default settings

Alexander Dalloz alexander.dalloz at uni-bielefeld.de
Thu Sep 9 15:30:32 UTC 2004


On Thu, 09.09.2004 at 4:29, Wal wrote:

> Is it possible to have the Fedora Core
> default, out-of-the-box iptables settings
> be more like the following?
> 
> RelatedComponent- system-config-securitylevel
> File- /etc/sysconfig/iptables
> 
> # generated by ____
> #
> *filter
> :INPUT DROP [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT DROP [0:0] <-- this or the last but one line? this would be nonsense in my eyes
> :SecLev505-INPUT - [0:0]

Any good reason why you use -I (=insert), so that all rules have to be
read from bottom to top? As iptables works through the rules from top to
bottom, reading them that way from a config file is the other way round.

> -I SecLev505-INPUT -p all -j DROP

Having a DROP policy, this is redundant. And I would not like a default
DROPping. If something like that, then a REJECT rule (policy can't be set
to REJECT).

> -I SecLev505-INPUT -p udp -m udp -s <DNS_SERVER1>
> --sport 53 --dport 1025:65535 -j ACCEPT
> -I SecLev505-INPUT -p udp -m udp -s <DNS_SERVER2>
> --sport 53 --dport 1025:65535 -j ACCEPT

DNS uses not only UDP but TCP too. Wouldn't incoming answers from DNS
servers already be caught by the rule below (which comes first in
processing order)?

> -I SecLev505-INPUT -p tcp -m state --state
> ESTABLISHED,RELATED -j ACCEPT
> -I SecLev505-INPUT -p tcp -m tcp -s 0/0 --syn -j DROP
> -I SecLev505-INPUT -i lo -s 0/0 -j ACCEPT
> -I INPUT -j SecLev505-INPUT
> :OUTPUT ACCEPT [0:0] <-- compare with above OUTPUT policy line
> COMMIT

Alexander


-- 
Alexander Dalloz | Enger, Germany | GPG key 1024D/ED695653 1999-07-13
Fedora GNU/Linux Core 2 (Tettnang) kernel 2.6.8-1.521smp 
Serendipity 17:20:56 up 10 days, 14:37, load average: 0.30, 0.25, 0.23 
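As an added illustration (not from either poster, and not the Fedora default), here is the quoted ruleset rewritten along the lines of the reply: -A instead of -I so the file reads top to bottom, a single OUTPUT policy line, one state rule that is not limited to TCP so that UDP and TCP DNS replies are both covered, and a final REJECT rule instead of a bare DROP. The chain name SecLev505-INPUT is taken from the quoted post; the script only generates and checks the file and does not load it. It assumes a kernel with connection tracking for UDP (so that ESTABLISHED matches DNS replies) and that icmp-port-unreachable is the desired reject type.

```shell
#!/bin/sh
# Constructed example: a version of the proposed /etc/sysconfig/iptables
# rewritten as the reply suggests. Nothing here touches the kernel.

gen_rules() {
    cat <<'EOF'
# generated by hand (constructed example)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SecLev505-INPUT - [0:0]
-A INPUT -j SecLev505-INPUT
# Loopback first: local services must always reach each other.
-A SecLev505-INPUT -i lo -j ACCEPT
# One state rule, not limited to TCP, so replies to our own UDP and TCP
# DNS queries are accepted regardless of which resolver answered.
-A SecLev505-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Everything else: tell the sender instead of silently dropping.
-A SecLev505-INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Static sanity checks to run before loading the file:
# 1. no -I lines (rules must read top to bottom),
# 2. the state rule appears before the final REJECT,
# 3. the OUTPUT policy is declared exactly once.
check_rules() {
    rules=$(gen_rules)
    if printf '%s\n' "$rules" | grep -q '^-I '; then
        echo "FAIL: found -I (insert) rules" >&2
        return 1
    fi
    state_line=$(printf '%s\n' "$rules" | grep -n -- '--state ESTABLISHED,RELATED' | cut -d: -f1)
    reject_line=$(printf '%s\n' "$rules" | grep -n -- '-j REJECT' | cut -d: -f1)
    if [ -z "$state_line" ] || [ -z "$reject_line" ] || [ "$state_line" -ge "$reject_line" ]; then
        echo "FAIL: state rule must precede the REJECT rule" >&2
        return 1
    fi
    if [ "$(printf '%s\n' "$rules" | grep -c '^:OUTPUT ')" -ne 1 ]; then
        echo "FAIL: OUTPUT policy must be declared exactly once" >&2
        return 1
    fi
    return 0
}

# To apply for real (as root): gen_rules | iptables-restore
```

Because the state rule accepts replies to any outbound query, the per-resolver UDP rules from the quoted post are no longer needed; if you still want to pin replies to specific resolvers, add those -A lines after the loopback rule and before the state rule.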