
Re: IPTABLES script revisited



Thanks, Adi.

I sincerely hope no one actually tried running that nasty mess I mailed out earlier. It was, how you say, typorific!

This version will at least load. I'm not convinced this is necessarily the right approach, but the prospect of "locking down" what one can do with the network on our machines without being root really appeals to me. At the same time, though, the potential for maintenance problems is huge (if we add a KDC, move fanatical, add a MySQL server, remove an Oracle server, move radmind, add a cosign server, etc. etc.).

Things I know for sure work now: ssh, mysql client, kinit, dns, oracle client, cosign server. Things I know don't work in this version: radmind (I can connect but the connection hangs in SYN_SENT state; I'm confused as I'd assume the ESTABLISHED,RELATED rule would cover this) and there is also the little matter of e-mail.

# Clear the filter table (without -t these act on the filter table only):
# flush every chain, delete user-defined chains, zero the counters
-F
-X
-Z

# don't do anything I haven't told you to do
-P INPUT DROP
-P OUTPUT DROP
-P FORWARD DROP

# Loopback setup
-A OUTPUT -o lo -j ACCEPT
-A INPUT -i lo -j ACCEPT

# Inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
# cosign-server specific
-A INPUT -p tcp --dport 6663 -m state --state NEW -j ACCEPT

# allow admin hosts to ssh
# anduril.gpcc.itd.umich.edu (ALDC workstation)
-A INPUT -s 141.211.2.170 -p tcp --dport 22 -j ACCEPT
# thunderball.nefu.itd.umich.edu (nefu server)
-A INPUT -s 141.211.14.30 -p tcp --dport 22 -j ACCEPT
# ronin.mail.umich.edu (imap master)
-A INPUT -s 141.211.14.99 -p tcp --dport 22 -j ACCEPT
# truelies.rsug.itd.umich.edu (radmind server)
-A INPUT -s 141.211.14.41 -p tcp --dport 22 -j ACCEPT
# linguafranca.web.itd.umich.edu (console server)
-A INPUT -s 141.211.144.172 -p tcp --dport 22 -j ACCEPT
# equilibrium.rsug.itd.umich.edu (rsug development machine)
-A INPUT -s 141.211.14.5 -p tcp --dport 22 -j ACCEPT
# whisper.web.itd.umich.edu (umweb development machine)
-A INPUT -s 141.213.233.84 -p tcp --dport 22 -j ACCEPT

# Replies to our own outbound DNS and Kerberos queries are already matched by
# the ESTABLISHED,RELATED rule above (conntrack tracks UDP too); the rules
# below admit unsolicited UDP to these ports
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p udp --dport 7001 -j ACCEPT
-A INPUT -p udp --dport 7002 -j ACCEPT
-A INPUT -p udp --dport 7003 -j ACCEPT
-A INPUT -p udp --dport 7004 -j ACCEPT
-A INPUT -p udp --dport 7005 -j ACCEPT
-A INPUT -p udp --dport 7006 -j ACCEPT
-A INPUT -p udp --dport 7007 -j ACCEPT

# let the KDCs respond (note: this accepts any UDP from these hosts,
# not just datagrams with source port 88)
-A INPUT -p udp -s 141.211.1.32 -j ACCEPT
-A INPUT -p udp -s 141.211.1.33 -j ACCEPT
-A INPUT -p udp -s 141.211.1.34 -j ACCEPT
-A INPUT -p udp -s 141.211.229.128 -j ACCEPT

# drop anything else (same effect as the INPUT DROP policy, but explicit)
-A INPUT -j DROP

# I am not a client;  I am a server.
# Packets belonging to connections we already accepted inbound are fine.
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# some services the server is allowed to open new connections to
# (the first packet of an outbound connection is state NEW, so it has to
# match one of these; anything else hits the DROP at the end):
-A OUTPUT -p udp --dport 53 -j ACCEPT
# restrict to just fear, surprise, ruthless, and fanatical?
-A OUTPUT -p udp --dport 88 -j ACCEPT
# should be restricted to just our oracle servers (subnet?)
-A OUTPUT -p tcp --dport 1521 -j ACCEPT
# should be restricted to just our mysql servers (subnet?)
-A OUTPUT -p tcp --dport 3306 -j ACCEPT
# radmind (truelies): on OUTPUT the local host is the packet's source, so the
# radmind server has to be matched as the destination (-d); written with -s
# this rule never matches and the SYN falls through to the DROP below
-A OUTPUT -p tcp -d 141.211.14.41 --dport 6662 -j ACCEPT
# restrict to just weblogin.umich.edu (subnet?)
-A OUTPUT -p tcp --dport 6663 -j ACCEPT
# no rule yet for outbound SMTP (tcp/25); see the note about e-mail above

-A OUTPUT -j DROP
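Added example, not code from the original message: a small Python evaluator for the subset of iptables filter syntax the script above uses (-P, -A, -i/-o, -p, -s/-d, --dport, -m state --state, -j). It walks a chain first-match-wins and falls back to the chain policy, the way the kernel does, with the conntrack state supplied per packet rather than tracked. It shows why an outbound radmind connection sits in SYN_SENT: the SYN is the first packet of the connection, so conntrack classifies it NEW and the OUTPUT ESTABLISHED,RELATED rule does not match it; on OUTPUT the local host is the packet's source, so a rule that names the radmind server with -s never matches either, and the SYN reaches the final DROP. Keyed on -d it is accepted. The local address, the mail host address and the interface name eth0 are constructed for the example.

```python
import ipaddress
import shlex
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One packet as the filter table sees it, with its conntrack state supplied."""
    chain: str          # "INPUT" or "OUTPUT"
    proto: str          # "tcp" or "udp"
    src: str
    dst: str
    dport: int
    state: str          # "NEW", "ESTABLISHED" or "RELATED"
    iface: str = "eth0"  # -i for INPUT, -o for OUTPUT (assumed interface name)


class Ruleset:
    """Parse -P/-A lines (the option subset used in the post) and evaluate first-match."""

    def __init__(self, text):
        self.policy = {}
        self.chains = {"INPUT": [], "OUTPUT": [], "FORWARD": []}
        for raw in text.splitlines():
            line = raw.split("#", 1)[0].strip()
            if not line or line in ("-F", "-X", "-Z"):
                continue  # flush/delete/zero: nothing to do on an empty table
            argv = shlex.split(line)
            if argv[0] == "-P":
                self.policy[argv[1]] = argv[2]
            elif argv[0] == "-A":
                self.chains[argv[1]].append((line, self._parse(argv[2:])))
            else:
                raise ValueError("unsupported command: " + line)

    @staticmethod
    def _parse(argv):
        if len(argv) % 2:
            raise ValueError("option without value: " + " ".join(argv))
        rule = {}
        for opt, val in zip(argv[::2], argv[1::2]):
            if opt == "-m":
                continue  # extension name; its own option (--state) follows
            if opt == "--state":
                rule["state"] = set(val.split(","))
            elif opt == "--dport":
                rule["dport"] = int(val)
            elif opt in ("-i", "-o", "-p", "-s", "-d", "-j"):
                rule[opt] = val
            else:
                raise ValueError("unsupported option: " + opt)
        if "-j" not in rule:
            raise ValueError("rule without target")
        return rule

    @staticmethod
    def _in_net(addr, net):
        return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)

    def _matches(self, rule, pkt):
        if "-i" in rule and (pkt.chain != "INPUT" or pkt.iface != rule["-i"]):
            return False
        if "-o" in rule and (pkt.chain != "OUTPUT" or pkt.iface != rule["-o"]):
            return False
        if "-p" in rule and rule["-p"] != pkt.proto:
            return False
        if "-s" in rule and not self._in_net(pkt.src, rule["-s"]):
            return False
        if "-d" in rule and not self._in_net(pkt.dst, rule["-d"]):
            return False
        if "dport" in rule and rule["dport"] != pkt.dport:
            return False
        if "state" in rule and pkt.state not in rule["state"]:
            return False
        return True

    def verdict(self, pkt):
        """Return (target, rule line) of the first matching rule, else the chain policy."""
        for line, rule in self.chains[pkt.chain]:
            if self._matches(rule, pkt):
                return rule["-j"], line
        return self.policy.get(pkt.chain, "ACCEPT"), "policy"


# The posted chains, trimmed to the rules an outbound radmind session touches,
# with the radmind rule keyed on -s as in the message.
POSTED = """
-P INPUT DROP
-P OUTPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p tcp -s 141.211.14.41 --dport 6662 -j ACCEPT
-A OUTPUT -j DROP
"""
# Same chains with the radmind server matched as the destination.
FIXED = POSTED.replace("-s 141.211.14.41", "-d 141.211.14.41")

LOCAL = "141.211.144.200"   # constructed address standing in for the web server
RADMIND = "141.211.14.41"   # truelies, the radmind server named in the post
MAILHOST = "192.0.2.25"     # constructed address for a mail relay


def outbound_syn(rules_text, dst, dport):
    """Verdict for the first packet of a new outbound TCP connection (SYN, state NEW)."""
    return Ruleset(rules_text).verdict(Packet("OUTPUT", "tcp", LOCAL, dst, dport, "NEW"))


if __name__ == "__main__":
    for label, text in (("posted", POSTED), ("fixed", FIXED)):
        print(label, "radmind SYN:", outbound_syn(text, RADMIND, 6662))
        print(label, "smtp SYN:   ", outbound_syn(text, MAILHOST, 25))
```

The same check on the real box without a simulator: the packet counters from `iptables -L OUTPUT -v -n` climb on the final DROP rule with every connect attempt, and a `-A OUTPUT -j LOG --log-prefix "OUT-DROP: "` rule placed just before that DROP logs the SYN with its source, destination and port, which shows at once which chain is eating it. The SMTP case in the example falls through to DROP under both rulesets, since no outbound tcp/25 rule exists in either.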