IPTABLES: block ALL incoming and outgoing except...

[Blaqb0x]

Hi,

Can someone help me with getting IPTABLES to block all traffic except for local subnets. I don't want ANY (icmp,tcp,udp) traffic coming into or going from my box and across the router.

From /sbin/iptables-save. ip addresses have been altered. 64.30.14.0/24, 64.30.15.0/24, 64.30.237.0/24 are my local subnets.

--------------------------------
# Generated by iptables-save v1.2.5 on Sun Apr 27 11:26:14 2003
*filter
:INPUT DROP [3195:172926]
:FORWARD DROP [0:0]
:OUTPUT DROP [3126:156418]
-A INPUT -s 64.30.15.0/255.255.255.0 -p tcp -m multiport --dports ssh,6000 -j ACCEPT
-A INPUT -s 64.30.14.0/255.255.255.0 -p tcp -m multiport --dports ssh,6000 -j ACCEPT
-A INPUT -s 64.30.237.0/255.255.255.0 -p tcp -m multiport --dports ssh -j ACCEPT
-A INPUT -s ! 127.0.0.1 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j DROP
-A INPUT -s 64.30.15.0/255.255.255.0 -j ACCEPT
-A INPUT -s 64.30.14.0/255.255.255.0 -j ACCEPT
-A INPUT -s 64.30.237.0/255.255.255.0 -j ACCEPT
-A OUTPUT -s 64.30.15.0/255.255.255.0 -j ACCEPT
-A OUTPUT -s 64.30.14.0/255.255.255.0 -j ACCEPT
-A OUTPUT -s 64.30.237.0/255.255.255.0 -j ACCEPT
COMMIT
# Completed on Sun Apr 27 11:26:14 2003
--------------------------------

Can anyone maybe suggest a more elegant way of doing this?

Also I load this file from /etc/rc.d/rc.local, however, I believe the network interface is configured before rc.local is run which means the interface is not restricted by the firewall. If suppose ntp or something that I don't know about is pointing somewhere outside my LAN it will be able to get access to it. Is there someway around that?

Thanks.

[tolstoy]

Is iptables-save a firewall script writing program?

Usually I write all my iptables scripts by hand, and it's been a while since I have done so, so I'm not completely familiar with the syntax of your script (the :FORWARD part, for instance) , but as a rule of thumb, the order, from top to bottom, of your rules is the order in which they are applied to a packet, so what you need to do is define all your allowable traffic, and then end your rulset with a "drop and log all" clause.

In Checkpoint terminology this is called the "cleanup rule" and is essential to a good firewall. As long as you have a cleanup rule, then only that traffic with you specifically allow will make it to, or through, your box.

Also, try making a startup script in your appropriate Rc.d directory that will load before the network is brought up so that iptables are loaded into the kernel before your interface comes up. One caveat however, if you get your IP viah DHCP, this will cause problems.

[Dagda]

well your router shouldn't be sending anything to it, unless you have ports forwarded. and you can just set a static IP on the linux box and leave the default gateway blank. Then the computer won't know about the router and nothing will go out on the net from it. You should have a firewall, but this is a nice, fast and simple solution to use until you learn IPTables.