Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: Is my iptables fine?
Top Forums UNIX for Dummies Questions & Answers Is my iptables fine? Post 302910720 by Smiling Dragon on Sunday 27th of July 2014 05:15:53 PM
Old 07-27-2014
Your default policy on your INPUT chain is "DROP" but you end with a global REJECT (meaning the DROP will never happen), I'd recommend removing that last line, or changing your default policy to ACCEPT, having both could be confusing during debugging.

I'm a fan of DROP over REJECT as it slows scanners and helps differentiate between something being offline or broken, and something being blocked by your firewall.

I think you are probably accepting too many INPUT ports, I'd wager you don't need pop,pops,imap & imaps?

Are you sure you want to be allowing incoming DNS requests?

Change your default policy of the FORWARD chain to either REJECT or DROP (or at least add a few rules to ensure you are only forwarding for things on your internal network).

Near the start, you are accepting Related and Established replies, then further down near the end of the INPUT chain you accept Established again, don't need that second one.

The three DROP rules near the top also have some redundancy in them (dropping FIN packets in two different rules for instance).

Your OUTPUT chain's default policy is ACCEPT, but you also have a bunch of rules that ACCEPT certain outbound connections, I'd assume that you probably meant to have the default policy as REJECT or DROP?

---------- Post updated at 09:15 AM ---------- Previous update was at 09:15 AM ----------

Edit: These are relatively small points, though, overall I think you are on the right track with this.
 

8 More Discussions You Might Find Interesting

1. Linux

which linux products is used(fine) to me ?

which linux products is used(fine) to me ? I am learning linux now ,and a new memeber of linux ,hoping to know it more . (4 Replies)
Discussion started by: lsxymn
4 Replies

2. IP Networking

recv() not workin fine.....

hi ! In my program I have a structure as shown below: struct data { int a; char *b; long c; }str; i have assigned the following values to it: strcpy(str.b,"John"); str.a=10; str.c=123435; The client is tryin to send struct data to the server using send(sock,(char *... (2 Replies)
Discussion started by: mridula
2 Replies

3. Shell Programming and Scripting

Script works fine until I | more

Hello all, This beats me. I have a script that executes some commands and redirects their output to some text files that I will parse. The commands are along the lines of: dsmadmc -id=admin -pa=admin -outfile=/home/tools/qlog.txt q log f=d If I just run the script it works. If I execute... (2 Replies)
Discussion started by: Skovian
2 Replies

4. Shell Programming and Scripting

NAWK Script not working fine

Hello to all can any one help me out with a nawk script. Actually i am having a shell script which uses nawk pattern searching and it is not parsing the file properly. I have been debugging it since long time, but nt able 2 find the root cause.. If any one can help me out with this one .. (3 Replies)
Discussion started by: dheeraj19584
3 Replies

5. AIX

fine grained audit control

I'm working with the audit system on aix 5.1 and 5.3 . But after lots of googling and RTFM, I can't figure out how to audit all files in a given directory rather than specifying each file individually like /etc. And how can I exclude a directory such as /var/tmp so I don't get records for every... (0 Replies)
Discussion started by: vaporlock
0 Replies

6. UNIX for Advanced & Expert Users

How to know whether my perodic thread is working fine

Dear All, I am using xenomai-2.4 along with linux kernel 2.6 In my application having following threads. 8ms perodic thread (RT TASK) 1ms perodic thread(RT TASK) 16ms perodic thread(RT TASK) 256ms perodic thread(RT TASK) 22 - pthread are condition based it may execute or else in... (1 Reply)
Discussion started by: rajamohan
1 Replies

7. Shell Programming and Scripting

Script runs fine, but not in a cron

Okay, I have the following script that runs fine from a command line as well as an executable .sh file. It just moves any file/folder with movie* in the name to a folder called _Movies. The issue I'm running into is when it's call from a cron. find /mnt/HD_a2/BT/complete -iname "movie.*" -exec... (4 Replies)
Discussion started by: sammyk
4 Replies

8. Shell Programming and Scripting

Script works fine but not with crontab

Hello All, This is driving me nuts. Wrote a very simple script (it's in csh so sorry about that). Just something very simple though. Here is the catch. Works great from command line sometimes. Other times it runs no errors or anything but I never receive an email. Never runs from crontab... (6 Replies)
Discussion started by: jacktay
6 Replies

LEARN ABOUT DEBIAN

zone.conf

ZONE.CONF(5)							   File Formats 						      ZONE.CONF(5)

NAME

       zone.conf - fiaif zone configuration files

DESCRIPTION

       fiaif.conf  is  the  file  that	determines  how  zones should be set up in the firewall. A zone describes how traffic from other zones are
       allowed into a zone, and what packets are allowed from the zone itself.	Zones are based upon the interface and the network  the  interface
       is  connected  to. It is possible to have multiple zones per interface, if and only if the interface is not declared public. See the PUBLIC
       variable for more information.

       The general syntax of a configuration file is the same as for a bash(1) script, in which only variables should be present.

       The variables can be on three forms:

       VARIABLE
	      This is a simple variable. It can only be assigned a single value.

       VARIABLE_FOO
	      The denotes a variable sequence. The FOO can be replaced by any keyword, allowing multiple values to be specified.

       VARIABLE[N]
	      A variable array. Any number of values can be specified by increasing N for each value.

VARIABLES

   NAME
       Syntax: <name>

       Specify the name of the zone. This must be the same as specified in /etc/fiaif/fiaif.conf.

   DEV
       Syntax: <interface-name>

       Specifies the interface name in which this zone is connected.

   DYNAMIC
       Syntax: 0|1

       Specifies whether the IP of the interface is dynamic (e.g., obtained via DHCP or unknown when FIAIF is started) or not. Disabling this pro-
       vides better security, but this is not always an option given from ISPs.

   GLOBAL
       Syntax: 0|1

       Is  set	to  one,  any packets originating from IANA reserved networks are discarded (except those specified in the NET and NET_EXTRA vari-
       ables).	This should be set on your internet connection. If this is set to true, the interface cannot have multible zone definitions.

   IP
       Syntax: <IP address>

       The IP of the interface.  This is only necessary to specify if DYNAMIC=0.

   MASK
       Syntax: <network mask>

       The network mask of the network connected to this interface.  This is only necessary to specify if  DYNAMIC=0.	This  information  can	be
       found be using the ifconfig command.

   NET
       Syntax: <ip address/networkmask>

       The  network  mask for the interface.  This is only necessary to specify if DYNAMIC=0.  This information can be found be using the ifconfig
       command.

   BCAST
       Syntax: <broadcast address>

       The broadcast address of the interface.	This is only necessary to specify if DYNAMIC=0.  This information can be found be using the ifcon-
       fig command.

   IP_EXTRA
       Syntax: [IP]*

       Contains  a  list of additional IP addresses that the interface can receive. Extra IP's for an interface is usually created by using inter-
       face aliases (e.g. eth0:0).

   NET_EXTRA
       Syntax: [IP/MASK]*

       A list specifying any extra networks besides the NET variables that are connected to this zone (interface). The extra nets  would  normally
       be connected though other routers.

   DHCP_SERVER
       Syntax: <0|1>

       Set  to '1' if the server should accept DHCP queries.  Only one zone per interface should have this enabled, since DHCP packets do not hold
       any valid destination address.

   INPUT[N]
       Syntax: <ACCEPT|REJECT|DROP|LOG|ACCEPT_LOG|REJECT_NOLOG|DROP_NOLOG> <protocol> [port<:port>[<,port>[:port]]*] ip/[mask]=>ip/[mask]

       The INPUT variable describes how packets are handled through the input chain. Packets on the INPUT chain are packets coming from  the  zone
       to  the	firewall  itself.  The first argument is how a matched packet is treated. Protocol and ports and ip/mask are used to match packets
       (destination port, and source=>destination ip address). If none are specified, the rule matches all packets. The port argument must only be
       specified  if  the protocol is udp, tcp or icmp When using these rules, a rule of thumb is only to accept specific packets, and to drop any
       not matched. The following line 1 accepts HTTP-requests over the TCP protocol:

       INPUT[0]="ACCEPT tcp 80 0.0.0.0/0=>0.0.0.0/0"

       INPUT[1]="ACCEPT udp 1024:65535 0.0.0.0/0=>0.0.0.0/0"

       INPUT[2]="DROP ALL 0.0.0.0=>0.0.0.0"

   OUTPUT[N]
       Syntax: <ACCEPT|REJECT|DROP|LOG|ACCEPT_LOG|REJECT_NOLOG|DROP_NOLOG> <protocol> [port<:port>[<,port>[:port]]*] ip/[mask]=>ip/[mask]

       Like the INPUT[N] rule. Packets on the OUTPUT chain are packets originating from the firewall itself going out into the zone itself.  ports
       are  destination  ports,  and  ip/mask is the source and destination ip/mask (if '=>' is not given, the ip is assumed to be the destination
       ip). The port argument must only be specified if the protocol is udp, tcp or icmp The following example drops all telnet packets  over  the
       tcp protocol, drops any udp packets, and allows any other send from the firewall itself.

       OUTPUT[0]="DROP tcp 21 0.0.0.0/0=>0.0.0.0/0"

       OUTPUT[1]="DROP udp ALL 0.0.0.0/0=>0.0.0.0/0"

       OUTPUT[2]="ACCEPT ALL 0.0.0.0/0=>0.0.0.0/0"

   FORWARD[N]
       Syntax:	      <zone|ALL>	<ACCEPT|REJECT|DROP|LOG|ACCEPT_LOG|REJECT_NOLOG|DROP_NOLOG>	  <protocol[port<:port>[<,port>[:port]]*]>
       <ip/[mask]=>ip/[mask]>

       Use to specify how packets arriving from other zones are to be treated. If protocol or ports and ip/mask is  not  specified,  then  ALL	is
       assumed.  The port specifies the destination port, and ip specifies the source and destination ip. The port argument must only be specified
       if the protocol is udp, tcp or icmp An example: A demilitarized zone may only accept HTTP requests from the internet (zone EXT). This would
       be specified by:

       FORWARD[0]="EXT ACCEPT tcp 80 0.0.0.0/0=>0.0.0.0/0"

       FORWARD[1]="ALL DROP ALL 0.0.0.0/0=>0.0.0.0/0"

   MARK[N]
       Syntax: <zone|ALL> <mark number> <protocol[port<:port>[<,port>[:port]]*]> <ip/[mask]=>ip/[mask]>

       Use  the MARK rules to set a MARK on packets passing through the firewall. This can then be used to determine how a packet is routed. FIAIF
       does not do traffic-shaping based on mark values. The port argument must only be specified if the protocol is  udp,  tcp  or  icmp  If  the
       source  zone  is  ALL then all packets going into the zone are marked. If the source zone equals the zone-name of which the rule is in then
       only packets originating from the firewall are marked.

       Otherwise, only packets routed through the firewall are marked.	Example: Mark all tcp packets going into the zone with	'1'  and  all  udp
       packets with mark '2'.

       MARK[0]="ALL 1 tcp ALL 0.0.0.0/0=>0.0.0.0/0"

       MARK[1]="ALL 2 udp ALL 0.0.0.0/0=>0.0.0.0/0"

   REPLY_FOO
       Syntax: <zone> <type> <protocol [port[:port][<,port>[:port]]*]> <ip[/mask]=>ip[/mask]>

       Make special replies to packets. The type can be one of the following:

       icmp-net-unreachable,  icmp-host-unreachable,  icmp-port-unreachable,  icmp-proto-unreachable, icmp-net-prohibited, icmp-host-prohibited or
       tcp-reset (Only valid for the TCP protocol).

       The zone argument specifies the source of the packet.

       This can be used, for example, to disallow authentication requests, but instead of dropping the packets, close the connection by sending  a
       tcp-reset.

       REPLY_AUTH="EXT tcp-reset tcp auth 0.0.0.0/0=>0.0.0.0/0"

   MAC_DROP
       Syntax: [MAC_ADDRESS]*|[file]

       Disallow any communication with specified MAC-addresses in this zone.  Inserted on PREROUTING chain. If the value is a file, then each line
       in the file is treated as an MAC address. Anything after a '#' is regarded as a comment and is ignored.

   IP_DROP
       Syntax: [IP/MASK]*|[file]

       Disallow any communication with specified IP addresses in this zone.  If the value is a file, then each line in the file is treated  as	an
       ip address. Anything after a '#' is regarded as a comment and is ignored.

   ECN_REMOVE
       Syntax: [IP/MASK]*|[file]

       Remove  the ECN bit from all packets destined to the specified servers (located in the zone). If the value is a file, then each line in the
       file is treated as an ip address. Anything after a '#' is regarded as a comment and is ignored.

   REDIRECT_FOO
       Syntax: <protocol[port[:port]]> <ip[/mask]=>ip[/mask]> <[ipaddr[,ipaddr]*]> [port]

       Alter the destination of packets.  The rule applies only for packets originating from this zone. Packets can be redirected to the  firewall
       itself  (127.0.0.1),  to  other	zones or back into the zone itself (requires DYNAMIC==0 and GLOBAL==0). If packets are redirected to other
       zones, then remember to add a FORWARD rule in the configuration file for the destination zone, allowing the packets to pass through. Please
       note, that redirecting packets back into the zone may cause serious network degradation.

       Example:

       REDIRECT_PROXY="tcp 80 0.0.0.0/0=>0.0.0.0/0 127.0.0.1 3128"

       All  packets  coming  from the zone itself to port 80 are redirected to the firewall itself port 3128, and this line can be used to setup a
       transparent proxy.

   WATCH_IP
       Syntax: [IP]*|[file]

       Log every packet coming from or going to the specific IP addresses.  If the value is a file, then each line in the file is treated as an IP
       address. Anything after a '#' is regarded as a comment and is ignored.

   SNAT[N]
       Syntax: <ZONE|ip> <protocol[port[:port][<,port>[:port]]*]> <ip[/mask]=>ip[/mask]>

       Change  the  source address of a packet coming from this zone. If a ZONE is specified, then all packets are masqueraded to all ip addresses
       for the specified zone, specified by the IP or IP_EXTRA directive, in a round robin fashion. The last options specifies the protocol,  port
       and original source and destination of the packets to be SNAT'ed.

       To use MASQUADING, where EXT is the zone for the internet use:

       SNAT[0]="EXT ALL 0.0.0.0/0=>0.0.0.0/0"

   LIMIT_FOO
       Syntax:	 <zone>   <ACCEPT|REJECT|DROP|LOG|ACCEPT_LOG|REJECT_NOLOG|DROP_NOLOG>	<limit>   <burt>  <protocol[port<:port>[<,port>[:port]]*]>
       <ip[/mask]=>ip[/mask]>

       Limit number of packets. A LIMIT rule specifies how many packets are acceptable within the  specified  period  of  time.  If  more  packets
       arrive, policy specifies how to handle these.

       zone: Is the zone from which the packet originates. This can be this zone itself.

       limit: Maximum average matching rate: specified as a number, with an optional '/second', '/minute', '/hour', or '/day' suffix.

       burst: Maximum initial number of packets to match: this number gets incremented by one every time the limit specified above is not reached,
       up to this number.

       protocol: The protocol: TCP|UDP|ICMP|ALL. This parameter is optional.  The port argument must only be specified if the protocol is udp, tcp
       or icmp

       ports: If protocol is tcp|udp: A list of ports or a port range.	icmp: A list of icmp types seperated by commas. This parameter is optional
       pending on the specified protocol.

       ip[/mask]=>ip[/mask] Specifies source address and optional destination address. This can only be specified if protocol is also specified.

       For example to limit number of echo requests (ping) from zone EXT, use:

       LIMIT_PING="EXT DROP 1/second 3 ICMP echo-request 0.0.0.0/0=>0.0.0.0/0"

   TC_ENABLE
       Syntax: <0|1>

       Enable or disable Traffic Shaping for this zone (traffic going into the network card, or being sent from the  network  card.)  TC  is  only
       enabled if ENABLE_TC is set in the global configuration as well.

   TC_UPLINK
   TC_DOWNLINK
       Syntax: <kbit>

       Specify maximum uplink and downlink speeds. The values are specifed in kilobits (1024 bits).

   TC_TYPE
       Syntax: <HTB|HFSC>

       Specify	the type of traffic shaping to be used. htb is videly available, but the hfsc type shaping yields much better results. Choose hfsc
       if you have the nessesary modules.

   TC_VOIP
       Syntax: <0|1>

       Specify '1' to enable special VOIP traffic shaping classes. Currently only implemented for the HFSC type  shaper.  It  reserves	a  minimum
       bandwidth for voip traffic, and creates a special high priority class for voip related traffic.

   IPSET_FOO
       Syntax: <ip</mask>>[ip</mask>]*| <file>

       Sepcify a set of ip's to be used in zone rules. Ip's specified can be either numbers, hostnames, networks or names of other ip sets (recur-
       sively). The name of the set will be the name occuring after IPSET_. Ip sets is bound to a zone, and cannot be  used  across  zones.   Cur-
       rently,	ip-sets can only be used in INPUT, OUTPUT, FORWARD, SNAT, REDIRECT and MARK rules. If the ipset points to a file, then the file is
       read (relative to CONF_PATH ).  The name of IP sets must not conflict with aliases defined in the file pointed to by the ALIASES  directive
       in fiaif global configuration file.

       An example of the use of IP sets:

       IPSET_NAMESERVERS="1.2.3.4 1.2.3.5"

       INPUT[N]="ACCEPT tcp domain NAMESERVERS=>0.0.0.0/0"

       Which is equivalent to:

       INPUT[N]="ACCEPT tcp domain 1.2.3.4=>0.0.0.0/0"

       INPUT[N+1]="ACCEPT tcp domain 1.2.3.5=>0.0.0.0/0"

AUTHOR

       Anders Fugmann <anders(at)fugmann.net>

SEE ALSO

       fiaif(8), fiaif.conf(8), iptables(8), ifconfig(8)

Linux								     Feb 2006							      ZONE.CONF(5)
All times are GMT -4. The time now is 12:56 PM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy