IPTABLES: Several Q's
Posted by Crsr, 05-14-2014, 05:23 PM
Today I needed to touch an ancient machine that had iptables added and found this:
iptables -L -n -v partial output:
pkts bytes target prot opt in out source destination
45797 18M ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
6028 896K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 DROP all -- eth0 * 10.0.0.0/8 0.0.0.0/0
0 0 DROP all -- eth0 * 172.16.0.0/12 0.0.0.0/0
0 0 DROP all -- eth0 * 192.168.0.0/16 0.0.0.0/0
0 0 DROP all -- eth0 * 224.0.0.0/4 0.0.0.0/0
0 0 DROP all -- eth0 * 240.0.0.0/5 0.0.0.0/0
Suddenly two questions came to my mind:
1. Which is more 'kosher': accepting the ESTABLISHED,RELATED existing connections and then dropping the INVALID ones?
2. How many put a drop on their Internet-facing interface for RFC 1918 addresses? Think of a uRPF filter, for the Cisco guys.
Posted by zacharooni, 05-14-2014, 07:53 PM
1. Accepting established and related connections, and dropping invalid ones should be a sane default. You could try installing CSF on it and running the csftest.pl script before activating it, just to make sure it will work.
2. I do, and everyone definitely should. Also read up on BCP38.
Posted by Crsr, 05-15-2014, 02:36 AM
Thanks for confirming that I'm not paranoid for putting those rules on every machine I put on the Internet. Found quite similar rules for those networks in the OUTPUT section too.
I know BCP38 (and other related). But what seemed strange (and somewhat refreshing) is to find this on a very, very ancient machine (an original install from 2007 or so) that was previously administered by a third party.
Some nice (easy to read) reading for people interested in more:
http://www.bcp38.info
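As an added example (not code from the thread), a small Python audit that parses the `iptables -L -n -v` output quoted in the first post and checks both questions: that the RELATED,ESTABLISHED ACCEPT and the INVALID DROP are present and sit above the per-interface drops, and that every RFC 1918, multicast and reserved source prefix is fully covered by a DROP on the external interface. The sample lines and the `eth0` interface name come from the first post; checking against the full reserved block 240.0.0.0/4 is my addition, and it shows that the sample's 240.0.0.0/5 rule covers only the lower half of it.

```python
import ipaddress
# Constructed sample: the INPUT-chain lines quoted in the first post (iptables -L -n -v).
SAMPLE = """\
pkts bytes target prot opt in out source destination
45797 18M ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
6028 896K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 DROP all -- eth0 * 10.0.0.0/8 0.0.0.0/0
0 0 DROP all -- eth0 * 172.16.0.0/12 0.0.0.0/0
0 0 DROP all -- eth0 * 192.168.0.0/16 0.0.0.0/0
0 0 DROP all -- eth0 * 224.0.0.0/4 0.0.0.0/0
0 0 DROP all -- eth0 * 240.0.0.0/5 0.0.0.0/0
"""

# Sources that must never arrive on the public interface: RFC 1918, multicast, and the
# whole reserved block 240.0.0.0/4 (the sample only drops its lower half, the /5).
BOGONS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

def parse_rules(text):
    """Turn `iptables -L -n -v` output into dicts, skipping the header/Chain lines."""
    rules = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 9 or not f[0].isdigit():  # header, 'Chain ...' or blank line
            continue
        rules.append({"target": f[2], "proto": f[3], "in": f[5], "out": f[6],
                      "src": f[7], "dst": f[8], "extra": " ".join(f[9:])})
    return rules

def audit_input_chain(text, wan="eth0"):
    """Return findings; an empty list means the chain has the shape discussed in the thread."""
    rules = parse_rules(text)
    findings = []
    est = next((i for i, r in enumerate(rules)
                if r["target"] == "ACCEPT" and "ESTABLISHED" in r["extra"]), None)
    if est is None:
        findings.append("no ACCEPT for state RELATED,ESTABLISHED")
    if not any(r["target"] == "DROP" and "INVALID" in r["extra"] for r in rules):
        findings.append("no DROP for state INVALID")
    # Per-prefix DROPs on the WAN side; the conntrack ACCEPT belongs above them.
    drops = [(i, ipaddress.ip_network(r["src"])) for i, r in enumerate(rules)
             if r["target"] == "DROP" and r["in"] == wan and r["src"] != "0.0.0.0/0"]
    if est is not None and any(i < est for i, _ in drops):
        findings.append("bogon DROPs placed before the RELATED,ESTABLISHED ACCEPT")
    for net in BOGONS:
        if not any(net.subnet_of(d) for _, d in drops):
            findings.append(f"{net} not fully dropped on {wan}")
    return findings
```

Feed it real output with `iptables -L INPUT -n -v`; the parser ignores the `Chain` and column-header lines.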