Patch for iptables (Linux firewall)
Luis Javier Merino
ljmerino at gmail.com
Sun Oct 28 03:15:12 CET 2007
On 10/24/07, Stefan Sperling <stsp at stsp.name> wrote:
> Index: user/iptables/iptables.conf.example
> ===================================================================
> --- user/iptables/iptables.conf.example (revision 0)
> +++ user/iptables/iptables.conf.example (revision 0)
> @@ -0,0 +1,13 @@
> +*filter
>
> +:INPUT ACCEPT [0:0]
> +:FORWARD ACCEPT [0:0]
> +:OUTPUT ACCEPT [9:558]
>
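Review bot: the OUTPUT chain header carries live counters ([9:558]) where INPUT and FORWARD have [0:0]; an example file committed to the tree should zero them, since iptables-restore seeds the running counters from these brackets and the values are just leftovers from the machine that generated the file. With `:INPUT ACCEPT` the table also fails open if the chain is flushed or only partially loaded; `:INPUT DROP [0:0]` would fail closed.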
> What do these do? Do they set the default policy?
> What are the numbers in the brackets?
They are the default policy. Probably could use DROP there. The
numbers are packet and byte counters, to avoid losing them between
iptables-save and iptables-restore.
+#Allow already established connections
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
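Review bot: `-m state --state RELATED,ESTABLISHED` depends on connection tracking being available in the kernel (the state match plus the conntrack modules); on an embedded build without it, iptables-restore aborts on this line and the whole table fails to load, so either confirm the DSLinux kernel config enables it or note the requirement in the file's comment.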
This rule should probably go first, since it most likely matches most
of the traffic.
+#Reject everything else
+-A INPUT -j REJECT --reject-with icmp-port-unreachable
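Review bot: this catch-all has no match criteria, so any INPUT rule appended after it can never match; the quoted lines also show no `-A INPUT -i lo -j ACCEPT` ahead of it, and without one local clients talking to services on 127.0.0.1 get port-unreachable as well. `--reject-with icmp-port-unreachable` is already the default for REJECT in the filter table, so the option is redundant but harmless.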
If you don't care about immediate error reporting to the other side,
this could be just DROP.
On 10/24/07, Ewan Meadows <ewan.meadows at gmail.com> wrote:
> TBH I'm a bit useless at configuring iptables. I just generated a
> file that worked for me and chucked it in as an example file. If it
> has problems feel free to fix them. It may slow down networking a
> tad, so could people check for this as well please.
The example is good. It's simple and useful.
> > IPs can be spoofed though, but OK, it makes it harder
> > to get in.
> Isn't there something that can be turned on through /proc and in the
> kernel to get around this?
You're probably thinking about rp_filter, which is for routers. It
checks that packets come from the NIC where they are supposed to come
(in a symmetric routing scenario), so a host on the net connected to
NIC A doesn't pretend to be a host on the net of NIC B.
On 10/25/07, Malcolm <malcolm.parsons at gmail.com> wrote:
> You can open a TCP connection without receiving the ACK if you can reliably
> guess the initial sequence number contained in the ACK.
Or if you are on the way back, via ARP spoofing, STP spoofing, router
hijacking, etc...
> Linux uses a good random number generator, so we're probably safe.
Indeed. Michal Zalewski had a comparison between ISN generators and
Linux's one was apparently safe (you can never say 100% safe).
Ewan, thanks for this.
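The points raised in this thread (zero the saved counters, prefer a DROP policy, put the RELATED,ESTABLISHED rule first, don't let a catch-all REJECT shadow later rules or loopback) can be checked mechanically before a rules file is committed. The following linter for iptables-save format is an added example and not code from the thread or from DSLinux; the SAMPLE text is constructed from the lines quoted above, with an assumed ssh rule ahead of the state rule and a COMMIT line added so it parses as a complete table.

```python
"""Lint an iptables-save style filter table for the issues discussed in the thread."""
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (code, chain, message)

# Chain header, e.g. ":INPUT ACCEPT [0:0]"; user chains carry "-" as policy.
CHAIN_RE = re.compile(r"^:(\S+)\s+(ACCEPT|DROP|REJECT|-)\s+\[(\d+):(\d+)\]$")
# Rule line, e.g. "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT".
RULE_RE = re.compile(r"^-A\s+(\S+)\s+(.*)$")

# Constructed sample: the quoted example, plus an assumed ssh rule before the
# state rule and a COMMIT line so the table is complete.
SAMPLE = """*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [9:558]
-A INPUT -p tcp --dport 22 -j ACCEPT
#Allow already established connections
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#Reject everything else
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""


def parse_table(text: str):
    """Return ({chain: (policy, pkts, bytes)}, {chain: [rule bodies in order]})."""
    chains: Dict[str, Tuple[str, int, int]] = {}
    rules: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "*", "COMMIT")):
            continue
        m = CHAIN_RE.match(line)
        if m:
            name, policy, pkts, byts = m.groups()
            chains[name] = (policy, int(pkts), int(byts))
            rules.setdefault(name, [])
            continue
        m = RULE_RE.match(line)
        if m:
            rules.setdefault(m.group(1), []).append(m.group(2))
    return chains, rules


def is_catch_all(rule: str) -> bool:
    """A rule body starting with -j has no match criteria and hits every packet."""
    return rule.startswith("-j ")


def lint(text: str) -> List[Finding]:
    chains, rules = parse_table(text)
    findings: List[Finding] = []
    for name, (_policy, pkts, byts) in chains.items():
        if pkts or byts:
            findings.append(("nonzero-counters", name,
                             f"counters [{pkts}:{byts}] should be [0:0] in an example file"))
    for chain, body in rules.items():
        policy = chains.get(chain, ("-", 0, 0))[0]
        catch = next((i for i, r in enumerate(body) if is_catch_all(r)), None)
        if catch is not None:
            target = body[catch].split()[1]
            if target in ("DROP", "REJECT") and policy == "ACCEPT":
                findings.append(("accept-policy", chain,
                                 f"policy ACCEPT with a final {target}: use DROP so a flushed chain fails closed"))
            if catch < len(body) - 1:
                findings.append(("unreachable-rule", chain,
                                 f"{len(body) - 1 - catch} rule(s) after the catch-all never match"))
        if chain == "INPUT":
            state = next((i for i, r in enumerate(body)
                          if "--state" in r and "ESTABLISHED" in r), None)
            if state is not None and state > 0:
                findings.append(("state-not-first", chain,
                                 f"RELATED,ESTABLISHED rule is at position {state + 1}; put it first"))
            before = body if catch is None else body[:catch]
            if catch is not None and not any("-i lo" in r for r in before):
                findings.append(("no-loopback", chain,
                                 "no '-i lo' accept before the catch-all; loopback traffic is rejected"))
    return findings


def zero_counters(text: str) -> str:
    """Reset every saved [packets:bytes] counter to [0:0]."""
    return re.sub(r"\[\d+:\d+\]", "[0:0]", text)


def fail_closed(text: str, chain: str = "INPUT") -> str:
    """Switch a chain's default policy from ACCEPT to DROP."""
    return re.sub(rf"^(:{chain}\s+)ACCEPT", r"\1DROP", text, flags=re.M)


if __name__ == "__main__":
    for code, chain, msg in lint(SAMPLE):
        print(f"{code:18} {chain:8} {msg}")
```

Run against the sample it reports the stale OUTPUT counters, the ACCEPT policy behind a REJECT catch-all, the state rule sitting second, and the missing loopback accept; `zero_counters` and `fail_closed` apply the two mechanical fixes, while ordering and the loopback rule are left to the author since they change what the file admits.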
More information about the dslinux-devel mailing list