Difference between revisions of "Talk:Simple stateful firewall"

From ArchWiki
(IPv6 icmp replies: re)
(Script to automate the firewall setup: re)
(4 intermediate revisions by 4 users not shown)
== <s>Clarification on syn scan rules </s>==

Maybe I misunderstood some of the instructions but I found that I needed to insert the rules into the chains TCP and UDP rather than OPEN-TCP and OPEN-UDP as the latter didn't exist:

 # iptables -I TCP -p tcp -m recent --update --seconds 60 --name TCP-PORTSCAN -j REJECT --reject-with tcp-rst
 # iptables -I UDP -p udp -m recent --update --seconds 60 --name UDP-PORTSCAN -j REJECT --reject-with port-unreach

I also found that I needed to add an --update:

 # iptables -A INPUT -p icmp --icmp-type echo-request -m recent --name ping_limiter --hitcount 6 --seconds 4 -j DROP

I believe an --rcheck would also have worked. I'm not sure which would be correct. In general, I found this very helpful in conjunction with the man page for iptables. --[[User:Margali|Margali]] 21:57, 29 December 2011 (EST)

: I just checked, the above suggestions are in the rules now. closing --[[User:Indigo|Indigo]] ([[User talk:Indigo|talk]]) 21:45, 11 September 2013 (UTC)
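The --rcheck versus --update question raised above cannot be tried out without root and a live kernel, so here is an added model of the "recent" match (my example, not code from the wiki or from iptables). It follows the semantics the iptables man page gives for --set, --rcheck, --update, --seconds and --hitcount, and replays the TCP-PORTSCAN and ping_limiter rules from the thread against a constructed packet stream. The --set rules that feed both lists are not quoted in the thread and are assumed here, as are the address 192.0.2.10, the open port 22 and all timings.

```python
"""Model of iptables' "recent" match (-m recent) for the rules in this thread.

Added, constructed example: not code from the wiki or from iptables. It follows the
semantics the iptables man page gives for --set, --rcheck, --update, --seconds and
--hitcount, and replays the TCP-PORTSCAN and ping_limiter rules against a synthetic
packet stream so the --rcheck/--update difference can be seen without root or a kernel.
"""
from collections import defaultdict
from typing import Dict, List

MAX_STAMPS = 20  # xt_recent keeps a ring of ip_pkt_list_tot (default 20) timestamps per address


class RecentList:
    """One named list (TCP-PORTSCAN, ping_limiter, ...), keyed by source address."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.stamps: Dict[str, List[float]] = defaultdict(list)

    def _record(self, src: str, now: float) -> None:
        # The newest timestamp replaces the oldest once the per-address ring is full.
        stamps = self.stamps[src]
        stamps.append(now)
        if len(stamps) > MAX_STAMPS:
            del stamps[0]

    def set(self, src: str, now: float) -> bool:
        # --set: add the address, or record a further hit if it is already listed. Always matches.
        self._record(src, now)
        return True

    def _seen(self, src: str, now: float, seconds: float, hitcount: int) -> bool:
        # --seconds N narrows the match to stamps no older than N s (0 = any age);
        # --hitcount H requires at least H such stamps (0 = a single stamp is enough).
        if src not in self.stamps:
            return False
        hits = sum(1 for s in self.stamps[src] if seconds == 0 or now - s <= seconds)
        return hits >= max(hitcount, 1)

    def rcheck(self, src: str, now: float, seconds: float = 0, hitcount: int = 0) -> bool:
        # --rcheck: test only; the entry is left untouched.
        return self._seen(src, now, seconds, hitcount)

    def update(self, src: str, now: float, seconds: float = 0, hitcount: int = 0) -> bool:
        # --update: like --rcheck, but a match also refreshes the entry with the current
        # time, so the window keeps sliding forward for as long as the peer keeps sending.
        matched = self._seen(src, now, seconds, hitcount)
        if matched:
            self._record(src, now)
        return matched


def tcp_chain(portscan: RecentList, src: str, dport: int, now: float, mode: str,
              open_ports=(22,)) -> str:
    """Walk a model of the TCP chain: the recent rule inserted at the top (-I TCP), the
    per-port ACCEPTs, then the --set rule for everything else (assumed to sit after the
    ACCEPTs, which is where a port-scan catch-all belongs)."""
    check = portscan.update if mode == "update" else portscan.rcheck
    if check(src, now, seconds=60):   # -I TCP -m recent --update --seconds 60 --name TCP-PORTSCAN -j REJECT
        return "REJECT"
    if dport in open_ports:
        return "ACCEPT"
    portscan.set(src, now)            # -m recent --set --name TCP-PORTSCAN -j REJECT (assumed rule)
    return "REJECT"


def portscan_replay(mode: str):
    """Constructed stream: 192.0.2.10 probes a closed port once, then connects to the open
    port every 45 s. Returns [(time, verdict), ...]."""
    table = RecentList("TCP-PORTSCAN")
    src = "192.0.2.10"
    verdicts = [(0, tcp_chain(table, src, 8080, 0, mode))]
    for t in (45, 90, 135, 180):
        verdicts.append((t, tcp_chain(table, src, 22, t, mode)))
    return verdicts


PING_TIMES = [0, 0.5, 1.0, 1.5, 2.0, 2.5, 3.0, 3.5, 8.0]  # constructed echo-request arrival times


def ping_replay(mode: str, times=PING_TIMES, src: str = "192.0.2.10"):
    """Each echo-request first hits an assumed '-m recent --name ping_limiter --set' rule,
    then the limiter from the thread: --hitcount 6 --seconds 4 -j DROP."""
    table = RecentList("ping_limiter")
    check = table.update if mode == "update" else table.rcheck
    verdicts = []
    for now in times:
        table.set(src, now)
        verdicts.append("DROP" if check(src, now, seconds=4, hitcount=6) else "ACCEPT")
    return verdicts


if __name__ == "__main__":
    for mode in ("rcheck", "update"):
        print(f"TCP-PORTSCAN with --{mode}:", portscan_replay(mode))
        print(f"ping_limiter with --{mode}:", ping_replay(mode))
```

Running it shows where the two flags differ: with --update every rejected probe refreshes the TCP-PORTSCAN entry, so a host that keeps connecting every 45 s stays rejected indefinitely, while with --rcheck the block lapses 60 s after the last --set and the host gets through on the third attempt. For the ping limiter both flags give the same verdicts (the sixth request within 4 s is dropped and a later lone request is accepted again), because the --set rule in front already records every packet.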
 
 
  
== <s>References to OPEN chain(s)</s> ==

I've re-read the guide once again and noticed multiple references to a now non-existent OPEN chain. A few years ago the OPEN chain was split into OPEN-TCP and OPEN-UDP, now simply TCP and UDP. See the relevant edits: [https://wiki.archlinux.org/index.php?title=Simple_Stateful_Firewall&diff=99829&oldid=99828], [https://wiki.archlinux.org/index.php?title=Simple_Stateful_Firewall&diff=119618&oldid=119609].

There are two solutions, either drop the references to the OPEN chain(s) completely, or undo those very old edits. If there are no objections, I'll go with the former.

-- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 14:25, 8 September 2013 (UTC)
:+1 for the former. The first talk item shows as well that the old refs should be removed completely. --[[User:Indigo|Indigo]] ([[User talk:Indigo|talk]]) 21:45, 11 September 2013 (UTC)
:: Done, see if I missed something or if anything needs better wording: [https://wiki.archlinux.org/index.php?title=Simple_Stateful_Firewall&diff=275132&oldid=274755] -- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 06:17, 12 September 2013 (UTC)
::: Fine with me. One could really add other examples to those INPUT chains, e.g. the logdrop from the main iptables article instead of opening port after port, but that's another matter. --[[User:Indigo|Indigo]] ([[User talk:Indigo|talk]]) 18:32, 12 September 2013 (UTC)
:::: OK, I'll close this in the meantime. -- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 13:07, 13 September 2013 (UTC)

== Script to automate the firewall setup ==

I've created a script to set the rules for a common use case at https://gist.github.com/adityamukho/7366051

It borrows some parts of sysctl setup from http://0v.org/installing-ghost-on-ubuntu-nginx-and-mysql/

:Please [[Help:Style#Discussion_pages|sign]] your posts by typing {{ic|<nowiki>~~~~</nowiki>}} next time.
:You don't need a script to set up iptables, you can just copy the file containing the rules - and we [[Simple_Stateful_Firewall#Example_iptables.rules_file|already have that]]. Also the sysctl part is already on our wiki: [[Sysctl#TCP.2FIP_stack_hardening]]. Feel free to add any missing information, but I don't think it is necessary to include any scripts - they just prevent the user from understanding the core of the problem.
:-- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 07:26, 8 November 2013 (UTC)

Revision as of 07:26, 8 November 2013

== IPv6 icmp replies ==

For ipv6 adaptation. As --reject-with icmp6-proto-unreachable does not exist in ipv6, as told in the page, and according to the error messages description in the RFC [1], I think the icmp6-adm-prohibited, which means "Communication with destination administratively prohibited", may be the message to send. It is only by reading the RFC; I am not a network expert and I have no idea of what is generally done in this case. --Cladmi 07:28, 15 February 2012 (EST)

Other articles have suggested a vanilla reject, thus:
 -A INPUT -p tcp -j REJECT --reject-with tcp-reset
 -A INPUT -p udp -j REJECT --reject-with icmp6-port-unreachable
 -A INPUT -j REJECT

--[[User:Steve-o|Steve-o]] ([[User talk:Steve-o|talk]]) 13:44, 13 September 2013 (UTC)

:::I'd say it depends what you want to do and the link to the RFC above by Cladmi is perfectly correct. I would change your last rule to
   -A INPUT -j REJECT --reject-with icmp6-adm-prohibited
:::I would argue there is no big harm done complying with it anyway (more the contrary: the connecting system learns there is an IPv6 capable fw). Do you see reasons not to do it like that? --[[User:Indigo|Indigo]] ([[User talk:Indigo|talk]]) 12:15, 15 September 2013 (UTC)
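The problem Cladmi ran into above, an IPv4 reject type carried into the IPv6 rules, is the kind of slip that makes ip6tables-restore refuse the whole rules file at boot, with the firewall left in whatever state preceded it. Here is an added lint for it (my example, not the wiki's or iptables' code): it checks every --reject-with value in a rules file against the names the iptables-extensions man page lists for the REJECT target of each address family, together with the short aliases the iptables binaries accept (the same ones the thread uses, tcp-rst and port-unreach). The sample rules file embedded at the bottom is constructed; the two policy-fail and reject-route names only exist on newer ip6tables and kernels.

```python
"""Lint the --reject-with values in an iptables/ip6tables rules file.

Added, constructed example: not code from the wiki or from iptables. The name sets
are those the iptables-extensions man page lists for the REJECT target of each
family, plus the short aliases the iptables binaries also accept.
"""
import re
import sys

IPV4_REJECT_TYPES = {
    "icmp-net-unreachable", "net-unreach",
    "icmp-host-unreachable", "host-unreach",
    "icmp-port-unreachable", "port-unreach",
    "icmp-proto-unreachable", "proto-unreach",
    "icmp-net-prohibited", "net-prohib",
    "icmp-host-prohibited", "host-prohib",
    "icmp-admin-prohibited", "admin-prohib",
    "tcp-reset", "tcp-rst",
}
IPV6_REJECT_TYPES = {
    "icmp6-no-route", "no-route",
    "icmp6-adm-prohibited", "adm-prohibited",
    "icmp6-addr-unreachable", "addr-unreach",
    "icmp6-port-unreachable", "port-unreach",
    "icmp6-policy-fail", "policy-fail",      # newer ip6tables/kernels only
    "icmp6-reject-route", "reject-route",    # newer ip6tables/kernels only
    "tcp-reset", "tcp-rst",
}

REJECT_WITH = re.compile(r"--reject-with\s+(\S+)")


def lint_reject_rules(rules_text: str, family: str = "ipv6"):
    """Return [(line_no, rule, problem)] for each rule whose --reject-with value is not
    valid for `family` ("ipv4" or "ipv6"). An empty list means nothing to fix."""
    if family not in ("ipv4", "ipv6"):
        raise ValueError("family must be 'ipv4' or 'ipv6'")
    allowed = IPV6_REJECT_TYPES if family == "ipv6" else IPV4_REJECT_TYPES
    other = IPV4_REJECT_TYPES if family == "ipv6" else IPV6_REJECT_TYPES
    other_name = "IPv4" if family == "ipv6" else "IPv6"
    findings = []
    for line_no, line in enumerate(rules_text.splitlines(), 1):
        rule = line.strip()
        if not rule or rule.startswith("#"):   # blank lines and comments
            continue
        match = REJECT_WITH.search(rule)
        if match is None:                     # no explicit type: the family default applies
            continue
        value = match.group(1)
        if value in allowed:
            continue
        if value in other:
            problem = f"{value} is an {other_name}-only reject type"
        else:
            problem = f"{value} is not a --reject-with type this lint knows; check the man page"
        findings.append((line_no, rule, problem))
    return findings


SAMPLE_IP6TABLES_RULES = """\
# constructed ip6tables rules: the INPUT tail from the thread, plus one IPv4 leftover
*filter
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp6-port-unreachable
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
COMMIT
"""


def main(argv) -> int:
    """Usage: lint_reject.py [ipv4|ipv6] [rules-file]; with no file, lints the sample."""
    family = argv[1] if len(argv) > 1 else "ipv6"
    text = open(argv[2]).read() if len(argv) > 2 else SAMPLE_IP6TABLES_RULES
    findings = lint_reject_rules(text, family)
    for line_no, rule, problem in findings:
        print(f"line {line_no}: {problem}\n    {rule}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run against the sample it reports only line 5, the icmp-proto-unreachable leftover; run with ipv4 on the same text it flags the two icmp6-* rules instead, which is a quick way to confirm that an iptables.rules file and its ip6tables.rules sibling have not been cross-pasted. A non-zero exit status makes it usable as a pre-commit or deploy check.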
