

IPTABLES: Several Q's




Posted by Crsr, 05-14-2014, 05:23 PM
Today I needed to touch an ancient machine which had iptables added, and found this. Partial output of iptables -L -n -v:

    pkts bytes target prot opt in   out source         destination
   45797   18M ACCEPT all  --  lo   *   0.0.0.0/0      0.0.0.0/0
    6028  896K ACCEPT all  --  *    *   0.0.0.0/0      0.0.0.0/0   state RELATED,ESTABLISHED
       0     0 DROP   all  --  *    *   0.0.0.0/0      0.0.0.0/0   state INVALID
       0     0 DROP   all  --  eth0 *   10.0.0.0/8     0.0.0.0/0
       0     0 DROP   all  --  eth0 *   172.16.0.0/12  0.0.0.0/0
       0     0 DROP   all  --  eth0 *   192.168.0.0/16 0.0.0.0/0
       0     0 DROP   all  --  eth0 *   224.0.0.0/4    0.0.0.0/0
       0     0 DROP   all  --  eth0 *   240.0.0.0/5    0.0.0.0/0

Suddenly two questions came to my mind:
1. Which is more 'kosher': accepting the ESTABLISHED,RELATED existing connections and then dropping the INVALID ones?
2. How many put a drop on their Internet-facing interface for RFC 1918 addresses? Think of a uRPF filter, for the Cisco guys.

Posted by zacharooni, 05-14-2014, 07:53 PM
1. Accepting established and related connections, and dropping invalid ones, should be a sane default. You could try installing CSF on it and running the csftest.pl script before activating it, just to make sure it will work.
2. I do, and everyone definitely should. Also read up on BCP38.

Posted by Crsr, 05-15-2014, 02:36 AM
Thanks for confirming that I'm not paranoid for putting those rules on every machine I put on the Internet. Found quite similar rules for those networks in the OUTPUT section too. I know BCP38 (and other related ones). But what seemed strange (and somewhat refreshing) is to find this on a very, very ancient machine (an original install from 2007 or so) which was previously administered by a third party. Some nice (easy-to-read) reading for people interested in more: http://www.bcp38.info
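As an added example (not code from the thread), here is a small audit script that checks a saved `iptables -L -n -v` listing for the two points discussed above: that the ESTABLISHED,RELATED accept comes before the INVALID drop, and which private/bogon source ranges are not dropped on the Internet-facing interface. The sample listing is constructed from the one in the first post, and the assumption that eth0 is the WAN interface is the poster's, not stated by the thread.

```python
"""Audit an `iptables -L -n -v` listing for rule ordering and bogon coverage.
Added example, not from the original thread."""
import ipaddress

# Constructed sample, reproduced from the listing quoted in the first post.
SAMPLE = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in   out source         destination
45797   18M ACCEPT all  --  lo   *   0.0.0.0/0      0.0.0.0/0
 6028  896K ACCEPT all  --  *    *   0.0.0.0/0      0.0.0.0/0   state RELATED,ESTABLISHED
    0     0 DROP   all  --  *    *   0.0.0.0/0      0.0.0.0/0   state INVALID
    0     0 DROP   all  --  eth0 *   10.0.0.0/8     0.0.0.0/0
    0     0 DROP   all  --  eth0 *   172.16.0.0/12  0.0.0.0/0
    0     0 DROP   all  --  eth0 *   192.168.0.0/16 0.0.0.0/0
    0     0 DROP   all  --  eth0 *   224.0.0.0/4    0.0.0.0/0
    0     0 DROP   all  --  eth0 *   240.0.0.0/5    0.0.0.0/0
"""

# Source ranges that should never arrive from the Internet (RFC 1918 plus
# loopback, link-local, multicast and the whole reserved 240/4 block).
BOGONS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def parse_rules(listing):
    """One dict per rule line; chain and column headers are skipped.
    Column order in `-L -n -v` output: pkts bytes target prot opt in out src dst [match text]."""
    rules = []
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) < 9 or not parts[0][0].isdigit():
            continue  # "Chain ..." header or the "pkts bytes ..." column header
        rules.append({"target": parts[2], "in": parts[5],
                      "src": parts[7], "extra": " ".join(parts[9:])})
    return rules


def audit(listing, wan="eth0"):
    """Assumes `wan` is the Internet-facing interface (eth0 in the sample)."""
    rules = parse_rules(listing)
    est = next((i for i, r in enumerate(rules)
                if r["target"] == "ACCEPT" and "ESTABLISHED" in r["extra"]), None)
    inv = next((i for i, r in enumerate(rules)
                if r["target"] == "DROP" and "INVALID" in r["extra"]), None)
    # Source networks dropped when entering on the WAN interface (or on any interface).
    dropped = [ipaddress.ip_network(r["src"]) for r in rules if r["target"] == "DROP"
               and r["in"] in (wan, "*") and r["src"] != "0.0.0.0/0"]
    uncovered = [str(b) for b in BOGONS if not any(b.subnet_of(d) for d in dropped)]
    return {"established_before_invalid": est is not None and inv is not None and est < inv,
            "bogons_not_dropped": uncovered}
```

On the sample the ordering check passes, and the report shows that the listing's 240.0.0.0/5 covers only half of the reserved 240.0.0.0/4 block, while loopback and link-local sources are not filtered at all.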


