[lug] IP Tables

Kevin Fenzi kevin at scrye.com
Sat Sep 22 11:10:37 MDT 2007


On Sat, 22 Sep 2007 10:48:33 -0600
anselmi at anselmi.us ("David L. Anselmi") wrote:

> So this is an interesting example of software engineering.  Harlen 
> doesn't know how to make iptables do what he wants.  Does he know how
> to specify requirements so Kevin can do it?

:)
> 
> Kevin Fenzi wrote:
> > On Fri, 21 Sep 2007 17:33:12 -0700 (PDT)
> > horlenkarl at yahoo.com (karl horlen) wrote:
> > 
> >> would anybody mind sharing a rock solid iptables
> >> script that does the following things.
> [...]
> >> Requirements:
> >>
> >> RedHat based system
> >>
> >> - denies all ports by default
> >> - allows smtp port 25 to send to all outside
> 
> Port 25 probably doesn't send anything, just receives.  But there's
> no requirement for it to receive anything.

True, but I took that to fall under the last requirement... 
 
> >> - allows http 80 from all outside
> >> -allows ssh but only from a given ip address (i'll
> >> change /fill in)
> >> - logs other attempts that try to go to ssh but not on
> >> the allowed ip address
> >> - allows all inside generated requests to go out and
> >> accept replies from all inside generated requests
> >> (probably covers sendmail above?)
>
> Yes, for sending.

Right. 
 
> >> - drops everything else
> [...]
> > iptables -A INPUT -i lo -j ACCEPT
> 
> This allows local connections, which wasn't specified.

True. I could have left it out... 

> > iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> > iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
> > iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -s 111.222.333.444 -j ACCEPT
> > iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j LOG
> > iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
> 
> Harlan said "drop" but Kevin has used reject.  Same or not?

Good point. Not the same at all. 

DROP will silently drop the packets, making the remote machine think it
should just keep retrying. 
REJECT will send back a 'NO, go away' so the remote site will see the
machine is up, but rejecting its packets. 

> 
> And then of course a new requirement emerges as soon as Kevin has 
> answered, "turns on at boot".  Where I work they call that piece 
> "integration".  Separate phase of the software life cycle.

Sure. 

That was already answered earlier in the thread: 

service iptables save

>  > Fill in 111.222.333.444 with your ssh allowed ip.
>  >
>  > Not tested, YMMV.
> 
> Standard practice to ship beta software and let the customer figure
> it out. ;-)

You bet. :) 

> No slight intended to Harlan or Kevin.  Just a "gee, I see this all
> the time at work" moment.

Yeah... true enough. 

> Dave

kevin
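The rule set and the DROP/REJECT distinction discussed above, assembled into one Red Hat style firewall script. This is an added example, not Kevin's script or anything else posted in the thread. Assumptions: the default ADMIN_IP (192.0.2.10, from the RFC 5737 documentation range) is a placeholder to be replaced with the real SSH source address; the "-m limit" rate limit on the SSH log rule and the dotted-quad sanity check are this example's additions, since iptables itself refuses an address such as 111.222.333.444 and a half-applied rule set is worse than none. "-m tcp" is omitted because "-p tcp" loads it implicitly.

```shell
#!/bin/sh
# Added example (not Kevin's script from the thread): the thread's rule set
# as one script, with the DROP/REJECT choice made explicit.
# Assumptions: ADMIN_IP's default is a documentation-range placeholder,
# and the "-m limit" rate limit on the SSH log rule is this example's own.

ADMIN_IP="${ADMIN_IP:-192.0.2.10}"   # the one host allowed to reach sshd
FINAL="${FINAL:-DROP}"               # DROP = silent, REJECT = tell the peer we're up
IPT="${IPT:-iptables}"

# Crude dotted-quad check: four fields, each 0-255. Catches a leftover
# placeholder like 111.222.333.444 before iptables chokes on it mid-script.
valid_ipv4() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    for o in "$a" "$b" "$c" "$d"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Print the rule set, one iptables invocation per line (a dry run).
# Order matters: policies first so a flushed chain is closed, loopback and
# ESTABLISHED,RELATED next (that is what lets replies to inside-generated
# requests back in), then the two NEW exceptions, then the SSH log rule.
# LOG is non-terminating, so a logged SSH attempt still falls through to
# the final DROP/REJECT rule.
rules() {
    valid_ipv4 "$ADMIN_IP" || { echo "ADMIN_IP '$ADMIN_IP' is not an IPv4 address" >&2; return 1; }
    case "$FINAL" in
        DROP)   last="-j DROP" ;;
        REJECT) last="-j REJECT --reject-with icmp-host-prohibited" ;;
        *)      echo "FINAL must be DROP or REJECT" >&2; return 1 ;;
    esac
    cat <<EOF
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
$IPT -F INPUT
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
$IPT -A INPUT -m state --state NEW -p tcp --dport 22 -s $ADMIN_IP -j ACCEPT
$IPT -A INPUT -m state --state NEW -p tcp --dport 22 -m limit --limit 5/min -j LOG --log-prefix "ssh-denied: "
$IPT -A INPUT $last
EOF
}

# Apply the rules for real, then persist them so they come back at boot
# (the "service iptables save" step from earlier in the thread).
apply_rules() {
    rules | sh -e && service iptables save
}

case "${1:-}" in
    apply) apply_rules ;;
    *)     rules ;;        # default: only show what would be run
esac
```

Run it with no arguments to review the generated rules; run it as root with "apply" to load and save them. Set FINAL=REJECT to get Kevin's behaviour (the remote host learns the machine is up and refusing) instead of the silent DROP Karl asked for. Apply it from the console, or at least with ADMIN_IP set to the address you are actually connecting from, since the first thing the script does is close the INPUT chain.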
