> $iptables -A FORWARD -i $internet -o $intranet -p tcp --dport 4899 -m
> state --state NEW -j ACCEPT
> $iptables -A FORWARD -i $intranet -o $internet -p tcp --sport 4899 -m
> state --state NEW -j ACCEPT
Ummm... why are you accepting NEW connections with source port 4899?
[...]
> $iptables -A INPUT -p tcp --dport 22 -i $intranet -m state --state NEW
> -j ACCEPT
> $iptables -A OUTPUT -p tcp --sport 22 -o $intranet -m state --state NEW
> -j ACCEPT
> $iptables -A FORWARD -p tcp --dport 22 -m state --state NEW -j ACCEPT
> $iptables -A FORWARD -p tcp --sport 22 -m state --state NEW -j ACCEPT
> ## FIREWALL 2 INTERNET
> $iptables -A INPUT -p tcp --sport 22 -i $internet -m state --state NEW
> -j ACCEPT
> $iptables -A OUTPUT -p tcp --dport 22 -o $internet -m state --state NEW
> -j ACCEPT
> ## INTERNET 2 FIREWALL
> $iptables -A INPUT -p tcp --dport 22 -i $internet -m state --state NEW
> -j ACCEPT
> $iptables -A OUTPUT -p tcp --sport 22 -o $internet -m state --state NEW
> -j ACCEPT
> ## FIREWALL 2 LAN
> $iptables -A OUTPUT -p tcp --dport 22 -o $intranet -m state --state NEW
> -j ACCEPT
> $iptables -A INPUT -p tcp --sport 22 -i $intranet -m state --state NEW
> -j ACCEPT
Same here for source port 22.
Also, if your firewall has only these two interfaces, you may as well
simplify these two rules:
$iptables -A OUTPUT -p tcp --dport 22 -o $internet -m state --state NEW \
-j ACCEPT
$iptables -A OUTPUT -p tcp --dport 22 -o $intranet -m state --state NEW \
-j ACCEPT
to a single rule:
$iptables -A OUTPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
[...]
> $iptables -A FORWARD -i $intranet -p tcp --dport 80 -j ACCEPT
> $iptables -A FORWARD -i $internet -p tcp --sport 80 -j ACCEPT
What I said before applies to all ports, not just 22/tcp, y'know. You
don't need (nor do you want) a --sport rule.
[...]
> #### ICMP Limit ####
> $iptables -A INPUT -p icmp -m limit --limit 1/s -j ACCEPT
Again, 1 packet per second is awfully low. With a setting that low, no
more than one host will be able to ping your server at any given time.
Regards
Ansgar Wiechers
--
"The Mac OS X kernel should never panic because, when it does, it
seriously inconveniences the user."
--http://developer.apple.com/technotes/tn2004/tn2118.html
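As an added example, not part of Ansgar's message or the quoted script: a small shell lint that flags the pattern he objects to (ACCEPT rules keyed on --sport without an ESTABLISHED/RELATED state match), run over a constructed ruleset that reuses the quoted script's variable names, plus the single stateful rule that makes every --sport rule unnecessary. The rule-per-line layout and the function names are assumptions of this example.

```shell
#!/bin/sh
# Constructed sample ruleset (one rule per line): the weak --sport shapes
# from the thread, a correct --dport rule, and the stateful reply rule.
SAMPLE_RULES='
$iptables -A FORWARD -i $internet -o $intranet -p tcp --dport 4899 -m state --state NEW -j ACCEPT
$iptables -A FORWARD -i $intranet -o $internet -p tcp --sport 4899 -m state --state NEW -j ACCEPT
$iptables -A OUTPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
$iptables -A FORWARD -i $internet -p tcp --sport 80 -j ACCEPT
$iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
'

# Print every ACCEPT rule that matches on --sport without requiring an
# ESTABLISHED/RELATED state. Such a rule admits a brand-new connection
# from any remote host that simply chooses that source port.
find_sport_accepts() {
    printf '%s\n' "$1" | grep -- '--sport' | grep -- '-j ACCEPT' \
        | grep -v -- 'ESTABLISHED'
}

# Number of flagged rules (0 means the ruleset is clean on this point).
count_sport_accepts() {
    find_sport_accepts "$1" | wc -l | tr -d ' '
}

# Reply traffic needs no --sport rule at all: one stateful rule per chain
# covers the return path of every connection the --dport rules admitted.
stateful_replacement() {
    chain=$1
    printf '%s\n' "\$iptables -A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Stand-alone run: report the offending rules and the replacement.
echo "Rules accepting on --sport without state tracking:"
find_sport_accepts "$SAMPLE_RULES"
echo "Replace them with:"
stateful_replacement FORWARD
```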