The current set of firewall rules will be posted here for perusal and perhaps critique.

You can use this on a Debian machine by modifying your /etc/network/interfaces file to look something like this:

iface eth0 inet static
blah blah blah
        pre-up /sbin/iptables-restore /etc/iptables.rules

after placing the rules file at /etc/iptables.rules. The pre-up hook runs before the interface is brought up, so the rules are loaded before eth0 can receive any traffic.

Severn and Jason had some thoughts about the rules:

From:    Severn
To:    Mike Patterson
Subject:    Re: iptables rules
Date:    Wed, 14 Jul 2004 14:00:42 -0400   
Since the setup isn't "fully stealth" (i.e. you're allowing pings), then mimicking the behaviour of a port without a service rather than DROPping them would eliminate some weird problems that may occur, such as: instead of an ident probe waiting for a reply and timing out (i.e. it doesn't know what's going on), it would get a port closed immediately (there is no service here).
...a tcp-reset for tcp packets, and an icmp-port-unreachable for udp packets

It would also make my scans go faster =D
While dropping packets will prevent nmap from easily guessing the OS, telnetting to the ssh port looking for a banner would reveal that it was a Unix-like system (if not the version/distro).

and in another mail, he wrote:

That is true. An explicit rule for state tracking is needed in iptables. Then there's the -A OUTPUT -o lo -j ACCEPT after that which isn't needed...

After some research, I've also determined that "other" icmp types (like fragmentation needed) are covered by the "related" part of state tracking and no separate rule is needed for those.
Attachment: iptables.rules (1.5 K, uploaded 2004-08-18 19:44 by MikePatterson)
Topic revision: r6 - 2013-02-22 - DrewPilcher