How's my iptables setup?


ralph wiggum
11-04-2001, 09:11 PM
I didn't even know there was a forum for security; usually helps to open my eyes!

I posted a topic similar to this under networking, but I think this topic should be in here instead. So sorry for posting over there.... :o

This is my first attempt at setting up a server and I'm not sure if my iptables script is any good or not.
http://users.erols.com/ayeaman/firewall.txt

Is it any good security-wise? Is there anything that I'm missing? Anything at all...

I want to use this server to masquerade my one IP (from dialup, ppp) to 2-3 other computers on my network. Will this script allow it? I have yet to connect my box to the internet so I'm not sure if it works.

Also, I have scanned myself using nmap and a state of "filtered" comes up for all the ports that I have a state of DROP. Is this OK? How come it shows up when the ports are being blocked?

thanks all.

Strike
11-05-2001, 03:53 PM
Why would you specify source ports for the things you are denying? Is it "okay" to connect to your webserver using a port lower than 1024? I mean, most apps don't do that, but it's trivial to write one that will.

Also, what are all those IP blocks for? I recognize three of them (as reserved for private subnets), but I don't know what those others are.

Are you running any sort of server on this? If not, I'd just deny every port and then only explicitly allow the ones you want to have a way in (like your state checking).

ralph wiggum
11-05-2001, 08:27 PM
Originally posted by Strike:
Why would you specify source ports for the things you are denying? Is it "okay" to connect to your webserver using a port lower than 1024? I mean, most apps don't do that, but it's trivial to write one that will.

I guess I got a "little" carried away :eek:
Should I get rid of all the rules that specify ports? Even if there's nothing running on it?

The only ports that are open without this script are:

113: auth
139: netbios-ssn
515: printer

Should I block all of these?

Originally posted by Strike:
Also, what are all those IP blocks for? I recognize three of them (as reserved for private subnets), but I don't know what those others are.

I started out just blocking class A, B and C reserved private subnets from the internet, but I saw an example where someone blocked a WHOLE lot more, so I decided to do the same. Guess it wasn't that smart.

Originally posted by Strike:
Are you running any sort of server on this? If not, I'd just deny every port and then only explicitly allow the ones you want to have a way in (like your state checking).

I'm not running anything, maybe in the future. Would just setting the policy for INPUT, OUTPUT and FORWARD to DROP be enough to block out the "bad" people ;)

Thanks for your help btw

[ 05 November 2001: Message edited by: ralph wiggum ]

Strike
11-06-2001, 12:16 AM
Originally posted by ralph wiggum:
I guess I got a "little" carried away
Should I get rid of all the rules that specify ports? Even if there's nothing running on it?
The only ports that are open without this script are:
113: auth
139: netbios-ssn
515: printer
Should I block all of these?
Well, this is the approach I take to firewalling -

1) Block EVERYTHING from the start by default
2) Explicitly allow ONLY what you want through

So, it depends on what you use each of those ports for. If you actually use an ident server to identify yourself on IRC, you might leave that open to the world (or if IRC servers only request FROM a certain port, only allow requests from that port). If you want the entire world to see your SMB stuff (not a good idea), then share it to all .. otherwise, just allow people on your subnet to connect to it (check by interface would be easiest). And the same goes for your printer, probably just limit to the subnet.
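The following script is an added example of the approach Strike describes (default DROP, then explicit allows, with LAN-only services limited by interface) combined with the dialup masquerading ralph wiggum asked about; it is not the thread's firewall.txt nor anything posted by either participant. The interface names ppp0 and eth0, the LAN range 192.168.1.0/24 and the choice to leave OUTPUT at ACCEPT are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example: dialup gateway firewall + masquerade (not the thread's script).
# Assumptions: ppp0 is the dialup link, eth0 the LAN side, LAN is 192.168.1.0/24.
# Override any of these in the environment, e.g. IPT=echo to print the rules.
IPT="${IPT:-/sbin/iptables}"
EXT_IF="${EXT_IF:-ppp0}"
INT_IF="${INT_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# RFC 1918 private ranges. A packet claiming one of these as its source on the
# dialup link is spoofed or misrouted, since they are never routed on the internet.
# These three are the blocks worth filtering; the long bogon lists seen in some
# example scripts add maintenance burden without much benefit for a dialup host.
PRIVATE_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

apply_firewall() {
    # Step 1: block everything by default.
    $IPT -F
    $IPT -t nat -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    # OUTPUT stays ACCEPT here (assumption); setting it to DROP is stricter but
    # then needs an explicit allow rule for every outbound protocol you use.
    $IPT -P OUTPUT ACCEPT

    # Loopback must always work.
    $IPT -A INPUT -i lo -j ACCEPT

    # Anti-spoofing: private-source packets never legitimately arrive on ppp0.
    for net in $PRIVATE_NETS; do
        $IPT -A INPUT -i "$EXT_IF" -s "$net" -j DROP
        $IPT -A FORWARD -i "$EXT_IF" -s "$net" -j DROP
    done

    # Step 2: explicitly allow only what is wanted.
    # Replies to connections this box or a LAN host initiated (state checking).
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # LAN hosts may talk to the gateway itself. This is what keeps ident (113),
    # netbios-ssn (139) and printer (515) reachable from the LAN only: nothing
    # allows them on ppp0, so the INPUT policy silently drops them there, which
    # is exactly why nmap reports those ports as "filtered" from outside.
    $IPT -A INPUT -i "$INT_IF" -s "$LAN_NET" -j ACCEPT

    # Ident from the internet: answer with a TCP reset instead of a silent drop,
    # so IRC servers that probe 113 get an immediate "closed" rather than waiting
    # on a timeout. Replace with an ACCEPT rule only if you really run identd.
    $IPT -A INPUT -i "$EXT_IF" -p tcp --dport 113 -j REJECT --reject-with tcp-reset

    # LAN hosts may go out to the internet through the gateway.
    $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LAN_NET" -j ACCEPT

    # Masquerade LAN traffic behind the dialup address, which changes per call.
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN_NET" -j MASQUERADE
}

enable_forwarding() {
    # Forwarding must be turned on for the 2-3 LAN machines to route out.
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

case "${1:-}" in
    apply) enable_forwarding; apply_firewall ;;
    show)  IPT=echo; apply_firewall ;;
    *)     echo "usage: $0 apply|show" ;;
esac
```

Run it as `sh firewall.sh show` first to review the generated rules without touching the kernel, then `sh firewall.sh apply` as root once the dialup interface is up. Because the INPUT policy is DROP and the only allow rules are keyed on interface, any new service that starts later is unreachable from ppp0 until a rule is added for it deliberately.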

ralph wiggum
11-06-2001, 03:51 PM
Thanks so much.

Just out of curiosity, what starts these servers and how can I stop them from loading up? etc/rc stuff? Cause they don't load from xinetd...

Strike
11-06-2001, 07:35 PM
What distribution?

ralph wiggum
11-06-2001, 08:06 PM
That usually helps, doesn't it *smacks self*

Right now I'm using Red Hat 7.0,
but pretty soon I'm gonna start using Debian 2.2.

[ 06 November 2001: Message edited by: ralph wiggum ]

Strike
11-06-2001, 08:19 PM
I thought 7.0 used inetd.conf instead of xinetd.conf. In any case, it should be something in /etc/rc.d or /etc/init.d that starts it.

ralph wiggum
11-07-2001, 03:05 AM
Red Hat 7 uses xinetd.

I can't seem to find what starts those services, but I'll find it sooner or later. Thanks for your help :)