Rulesets....

Discussion in 'other firewalls' started by HHx6, May 10, 2008.

Thread Status:
Not open for further replies.
  1. HHx6

    HHx6 Registered Member

    Joined:
    May 10, 2008
    Posts:
    5
    I'm pretty knowledgeable in computers, etc, but not so much in networking, so this is where I ask for help, I have a PC running Ubuntu with firestarter, I'm wondering what would be some basic (and safe) rules for this? Or is it even necessary? (I'm also behind a router as well)
     
  2. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,696
    Hello,

    Basically, you need nothing more than the default.

    Default Ubuntu runs no services, thus you have no open ports. Plus, the router, you're all set.

    Some things you might want to consider:

    DNS:
    Your router is your DNS, which in turn uses the ISP DNS. Thus, no special settings are required. Although if you really really feel anal, allow DNS only to your router.

    Allow, input/output udp/tcp 53

    Actual iptables rules:
    iptables -A INPUT -i eth0 -p udp --sport 53 -j ACCEPT
    iptables -A OUTPUT -o eth0 -p udp --dport 53 -j ACCEPT
    iptables -A INPUT -i eth0 -p tcp --sport 53 -j ACCEPT
    iptables -A OUTPUT -o eth0 -p tcp --dport 53 -j ACCEPT

    DHCP:
    Do you have a static or dynamic IP? Either way, you get it from your router. Thus again, no special settings are required. Still:

    Allow, input/output, udp/tcp, ports 67:68

    Actual iptables rules:
    iptables -A INPUT -i eth0 -p udp --sport 67:68 -j ACCEPT
    iptables -A OUTPUT -o eth0 -p udp --dport 67:68 -j ACCEPT
    iptables -A INPUT -i eth0 -p tcp --sport 67:68 -j ACCEPT
    iptables -A OUTPUT -o eth0 -p tcp --dport 67:68 -j ACCEPT

    Samba / Printer sharing etc:

    If you are sharing your resources with other machines and using samba for that purpose, or if you share your printer, make sure they are only available to specific machines:

    Allow, samba, inbound, specify relevant allowed IPs, ports 137:139 udp,tcp, 445 tcp

    I assumed your network is 192.168.1.0. /24 means subnet 255.255.255.0, which means all IPs 192.168.1.0-192.168.1.255.

    Rules:
    iptables -A INPUT -p udp -s 192.168.1.0/24 --dport 137:139 -j ACCEPT
    iptables -A INPUT -p tcp -s 192.168.1.0/24 --dport 137:139 -j ACCEPT
    iptables -A INPUT -p tcp -s 192.168.1.0/24 --dport 445 -j ACCEPT

    Allow, cups, inbound, port 631 udp, tcp

    Rules:
    iptables -A INPUT -p udp -s 192.168.1.0/24 --dport 631 -j ACCEPT
    iptables -A INPUT -p tcp -s 192.168.1.0/24 --dport 631 -j ACCEPT

    Additionally, you can use both samba and cups configuration files to limit access to only specified ranges.

    Ping:

    You probably want to allow your router to ping you. But it's up to you.


    Last but not least - your default policy should be DROP, meaning any connection not explicitly matched will be dropped:

    iptables -P INPUT DROP

    And don't forget to allow the localhost:

    iptables -I INPUT -s 127.0.0.1 -j ACCEPT


    This may interest you:
    http://www.dedoimedo.com/computers/linux_commands.html

    Mrk
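The ruleset above assembled into one repeatable script, as an added example that is not part of the post. It follows the post's ordering (ACCEPT rules first, DROP policy last), keeps the OUTPUT chain at its default ACCEPT policy (so the post's OUTPUT rules are not needed), and adds two things the post does not have: matching loopback on the interface rather than the source address, and a conntrack rule so replies are accepted because they belong to a connection this host opened, not merely because they carry source port 53 or 67. The interface, LAN range and router address are assumed values; set IPT=echo to review the commands without touching the running firewall.

```shell
#!/bin/sh
# Added example: Mrkvonic's INPUT ruleset as one script (not from the post).
# IPT defaults to iptables; IPT=echo prints the commands instead of running them.
IPT="${IPT:-iptables}"
IFACE="${IFACE:-eth0}"                 # assumed LAN interface
LAN="${LAN:-192.168.1.0/24}"           # assumed LAN, /24 = 192.168.1.0-192.168.1.255
ROUTER="${ROUTER:-192.168.1.1}"        # assumed router / DNS / DHCP address

apply_rules() {
    # Start from an empty INPUT chain so re-running the script is safe.
    $IPT -F INPUT

    # Loopback: match the interface, not the 127.0.0.1 source address, so a
    # packet with a forged loopback source arriving on eth0 is not accepted.
    $IPT -A INPUT -i lo -j ACCEPT

    # Stateful rule (added beyond the post): accept replies to connections this
    # host opened. Without it, "--sport 53" style rules accept any inbound
    # packet that merely uses source port 53.
    $IPT -A INPUT -i "$IFACE" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # DNS only from the router, as the post suggests.
    $IPT -A INPUT -i "$IFACE" -p udp -s "$ROUTER" --sport 53 -j ACCEPT
    $IPT -A INPUT -i "$IFACE" -p tcp -s "$ROUTER" --sport 53 -j ACCEPT

    # DHCP: server replies come from port 67 to the client port 68 (UDP only).
    $IPT -A INPUT -i "$IFACE" -p udp --sport 67 --dport 68 -j ACCEPT

    # Samba and CUPS, reachable only from the LAN.
    $IPT -A INPUT -p udp -s "$LAN" --dport 137:139 -j ACCEPT
    $IPT -A INPUT -p tcp -s "$LAN" --dport 137:139 -j ACCEPT
    $IPT -A INPUT -p tcp -s "$LAN" --dport 445 -j ACCEPT
    $IPT -A INPUT -p udp -s "$LAN" --dport 631 -j ACCEPT
    $IPT -A INPUT -p tcp -s "$LAN" --dport 631 -j ACCEPT

    # Let the router ping this host.
    $IPT -A INPUT -p icmp --icmp-type echo-request -s "$ROUTER" -j ACCEPT

    # Default policy goes last, once every ACCEPT rule is in place.
    $IPT -P INPUT DROP
}
```

Run it as root to apply, or `IPT=echo sh firewall.sh; apply_rules` style dry-runs to read the generated commands first.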
     
  3. HHx6

    HHx6 Registered Member

    Joined:
    May 10, 2008
    Posts:
    5
    Thanks a lot for the info! (And sorry for the late reply)
     
  4. jrx10

    jrx10 Registered Member

    Joined:
    Jan 26, 2007
    Posts:
    85
    This is something that's always bothered me about using a router/fw. If you watch your SW-FW logs, you only get DNS connects to your router's IP. If your router's DNS gets hacked, you're basically screwed. If you were running just a SW FW, you could immediately see if your 53/DNS was connecting where it should (if you manually set your primary and secondary DNS servers). BTW, what is the best hard-wired router FW for security? (within a normal consumer/user price range).
     