Difference between revisions of "Talk:Simple stateful firewall"

From ArchWiki
(re old rules)
(Script to automate the firewall setup: re)
(9 intermediate revisions by 5 users not shown)
== <s>Clarification on syn scan rules </s>==

Maybe I misunderstood some of the instructions but I found that I needed to insert the rules into the chains TCP and UDP rather than OPEN-TCP and OPEN-UDP as the latter didn't exist:

 # iptables -I TCP -p tcp -m recent --update --seconds 60 --name TCP-PORTSCAN -j REJECT --reject-with tcp-rst
 # iptables -I UDP -p udp -m recent --update --seconds 60 --name UDP-PORTSCAN -j REJECT --reject-with port-unreach

I also found that I needed to add an --update:

 # iptables -A INPUT -p icmp --icmp-type echo-request -m recent --name ping_limiter --hitcount 6 --seconds 4 -j DROP

I believe an --rcheck would also have worked. I'm not sure which would be correct. In general, I found this very helpful in conjunction with the man page for iptables. --[[User:Margali|Margali]] 21:57, 29 December 2011 (EST)

: I just checked, the above suggestions are in the rules now. Closing. --[[User:Indigo|Indigo]] ([[User talk:Indigo|talk]]) 21:45, 11 September 2013 (UTC)

== References to OPEN chain(s) ==

I've re-read the guide once again and noticed multiple references to a now non-existent OPEN chain. A few years ago the OPEN chain was split into OPEN-TCP and OPEN-UDP, now simply TCP and UDP. See the relevant edits: [https://wiki.archlinux.org/index.php?title=Simple_Stateful_Firewall&diff=99829&oldid=99828], [https://wiki.archlinux.org/index.php?title=Simple_Stateful_Firewall&diff=119618&oldid=119609].

There are two solutions: either drop the references to the OPEN chain(s) completely, or undo those very old edits. If there are no objections, I'll go with the former.

-- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 14:25, 8 September 2013 (UTC)

:+1 for the former. The first talk item shows as well that the old refs should be removed completely. --[[User:Indigo|Indigo]] ([[User talk:Indigo|talk]]) 21:45, 11 September 2013 (UTC)

Revision as of 07:26, 8 November 2013

IPv6 icmp replies

For ipv6 adaptation: as --reject-with icmp6-proto-unreachable does not exist in ipv6, as told in the page, and according to the error message descriptions in the RFC [1], I think the icmp6-adm-prohibited, which means "Communication with destination administratively prohibited", may be the message to send. This is only from reading the RFC; I am not a network expert and I have no idea of what is generally done in this case. --Cladmi 07:28, 15 February 2012 (EST)

Other articles have suggested a vanilla reject, thus:
 -A INPUT -p tcp -j REJECT --reject-with tcp-reset
 -A INPUT -p udp -j REJECT --reject-with icmp6-port-unreachable
 -A INPUT -j REJECT

--Steve-o (talk) 13:44, 13 September 2013 (UTC)

I'd say it depends on what you want to do, and the link to the RFC above by Cladmi is perfectly correct. I would change your last rule to
 -A INPUT -j REJECT --reject-with icmp6-adm-prohibited
I would argue there is no big harm done complying with it anyway (more the contrary: the connecting system learns there is an IPv6-capable fw). Do you see reasons not to do it like that? --Indigo (talk) 12:15, 15 September 2013 (UTC)

Script to automate the firewall setup

I've created a script to set the rules for a common use case at https://gist.github.com/adityamukho/7366051

It borrows some parts of sysctl setup from http://0v.org/installing-ghost-on-ubuntu-nginx-and-mysql/

Please sign your posts by typing ~~~~ next time.
You don't need a script to set up iptables, you can just copy the file containing the rules - and we already have that. Also the sysctl part is already on our wiki: Sysctl#TCP.2FIP_stack_hardening. Feel free to add any missing information, but I don't think it is necessary to include any scripts - they just prevent the user from understanding the core of the problem.
-- Lahwaacz (talk) 07:26, 8 November 2013 (UTC)
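An added example, not code from the wiki or from any poster above (the helper name lint_rules and the embedded rules file are assumptions constructed for illustration): a small Python checker that catches, before a rules file is loaded, both mistakes discussed on this page, rules applied to a chain the file never declares (the OPEN-TCP/OPEN-UDP confusion in the first talk item) and --reject-with types that do not exist for the address family (icmp6-proto-unreachable).

```python
# Added example (not from the wiki or any poster): lint an iptables-restore style
# rules file for the two mistakes discussed on this talk page.
BUILTIN_CHAINS = {"INPUT", "FORWARD", "OUTPUT"}
BUILTIN_TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN", "LOG"}
# Reject types the REJECT target accepts per family (classic set plus iptables' short aliases).
REJECT_WITH = {
    "iptables": {"icmp-net-unreachable", "net-unreach", "icmp-host-unreachable", "host-unreach",
                 "icmp-proto-unreachable", "proto-unreach", "icmp-port-unreachable", "port-unreach",
                 "icmp-net-prohibited", "net-prohib", "icmp-host-prohibited", "host-prohib",
                 "icmp-admin-prohibited", "admin-prohib", "tcp-reset", "tcp-rst"},
    "ip6tables": {"icmp6-no-route", "no-route", "icmp6-adm-prohibited", "adm-prohibited",
                  "icmp6-addr-unreachable", "addr-unreach", "icmp6-port-unreachable",
                  "port-unreach", "tcp-reset"},
}

def lint_rules(text, family):
    """Return problems: rules appended to / jumping to chains the file never declares,
    and --reject-with types that do not exist for family ('iptables' or 'ip6tables')."""
    lines = [l.strip() for l in text.splitlines()]
    # ":TCP - [0:0]" declares user chain TCP; built-in chains need no declaration.
    defined = BUILTIN_CHAINS | {l[1:].split()[0] for l in lines if l.startswith(":")}
    problems = []
    for n, l in enumerate(lines, 1):
        if not l or l[0] in "#*:" or l == "COMMIT":
            continue
        tok = l.split()
        for i in range(len(tok) - 1):
            if tok[i] in ("-A", "-I") and tok[i + 1] not in defined:
                problems.append(f"line {n}: chain {tok[i + 1]} is not defined")
            elif tok[i] == "-j" and tok[i + 1] not in defined | BUILTIN_TARGETS:
                problems.append(f"line {n}: jump to undefined chain {tok[i + 1]}")
            elif tok[i] == "--reject-with" and tok[i + 1] not in REJECT_WITH[family]:
                problems.append(f"line {n}: {tok[i + 1]} is not a valid reject type for {family}")
    return problems

# Constructed sample: the OPEN-TCP chain from the first talk item plus the reject
# tail discussed above, ending with the non-existent icmp6-proto-unreachable type.
SAMPLE_RULES = """*filter
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TCP - [0:0]
:UDP - [0:0]
-A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-I OPEN-TCP -p tcp -m recent --update --seconds 60 --name TCP-PORTSCAN -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp6-port-unreachable
-A INPUT -j REJECT --reject-with icmp6-proto-unreachable
COMMIT
"""
```

Running lint_rules(SAMPLE_RULES, "ip6tables") flags the OPEN-TCP line and the icmp6-proto-unreachable type; checking the same file as "iptables" additionally flags icmp6-port-unreachable, which only ip6tables knows.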