There is sufficient weight of evidence from media reports and from professional security sources to justify the claim that all publicly exposed network interfaces must be protected. Crackers find an unprotected Unix/Linux system hard to resist.
Many network administrators argue that internal network traffic can be trusted and that internal computer systems do not require stringent protective barriers from people inside the organization. On the other hand, the conclusion of at least one researcher is that insider jobs are the single largest financial threat to information technology users (as found at http://research.rutgers.edu/~ungurean/610/Security.ppt).
In 2000, Global Health Trax Inc. reported that its old web site was opened to unauthorized access in January, possibly because of sabotage by disgruntled employees (see http://www2.norwich.edu/mkabay/iyir/2000.PDF). Although there was no evidence of penetration, detailed account information about hundreds of distributors was unprotected for several hours, including bank account and credit card numbers.
There is therefore a good argument that even internal network interfaces should be treated with the same suspicion that the external interface attracts. You should consider the risk and structure your firewall to provide a measure of protection that matches the level of risk you are comfortable with. If you are as paranoid as we are, you may choose to be totally paranoid.
When security is at risk, it is better to be prepared than to be sorry later. You may conclude otherwise, but the weight of evidence strongly demonstrates that computer systems and the resources they hold must be protected from insiders as much as from outsiders.
Forward thinking is essential in firewall design. Consider what will happen in the event that specific firewall rules fail. Even though the risk may be minimal, still consider the effect of a system intrusion and exposure of critical data. The best policy is to never give a criminal a fair break. The default policy on all network interfaces should be to specifically drop (or deny) network traffic and thus prevent network interface access.
Firewall rules can be created that will specifically permit certain network traffic to pass to the Linux system. Table 3-4 provides guidelines of what may be permitted through the firewall.
Every server on your network should be assessed from a risk and exposure perspective. If a machine stores only inconsequential data, it may not warrant the effort and overhead of affording it a high level of protection. On the other hand, every server that stores and/or processes sensitive data really ought to be well protected, and monitored. Protecting a system once is not a sufficient measure: it must be monitored, action must be taken when necessary, and regular updates must be made to keep pace with new, potentially aggressive methods by which the system may be compromised.
This is a good place to reiterate that every service running on a computer system may be attacked. In fact, the only secure computer system is one that is turned off and embedded in a steel-reinforced block of concrete.
An attacker may attempt to flood your system with seemingly legitimate network service requests, effectively denying legitimate users from being serviced. This is known as a denial-of-service (DoS) attack. An attacker may attempt to exploit a known weakness or security hole in a service, or they may misuse legitimate credentials for unauthorized purposes. Your duty as a networking professional is to make unauthorized network service use as difficult as possible.
One last matter should be noted. The firewall rules should permit network requests only to services that are actually provided on the system. Never permit access to services that are not operational or that are not being routinely monitored.
Now that you have carefully considered the default policy regime as well as specific security rules that can be applied, the next challenge is to implement them.
This book encourages you to make use of standard facilities provided by Red Hat and SUSE for use with their enterprise Linux products. The building of specific, hand-crafted firewall rules requires experience and a detailed understanding of the principles of network operation. A clear, in-depth understanding of the techniques used by crackers and potential assailants is also essential to the design and implementation of a purpose-built secure firewall.
The configuration of the standard SLES8 Linux firewall facility may be performed using the YaST2 toolset. The following procedure will take you through the necessary steps for a system that has two network interfaces, one external Internet connection and the other connected to a private network.
Log into the system as the user root.
Click the toolbar icon with the SUSE gecko logo with a hammer and a spanner through it.
Select YaST2 Modules | Security & Users | Firewall.
The panel shown in Figure 3-6 will be displayed.
Figure 3-6: SUSE Linux Firewall Configuration (Step 1 of 4): Basic Settings
Select the External and Internal Interfaces in the boxes shown in Figure 3-6.
Click Next.
Click on the services you want to enable, as shown in Figure 3-7. If you enable protection of the internal network interface, it is necessary to select the protocols that internal users need to access via the internal interface. If you choose to not protect the internal interface, select only protocols that foreign users (outside your internal network) need to access.
Figure 3-7: SUSE Linux Firewall Configuration (Step 2 of 4): Services
Click Next.
As shown in Figure 3-8, select the features you want to enable, paying careful attention to the guidelines in the left panel regarding each option. It is essential to enable traffic forwarding and masquerading if the internal network interface uses an RFC1918 (private) class network address (in the range of 192.168.*.*, 172.16.*.*, or 10.*.*.*).
Figure 3-8: SUSE Linux Firewall Configuration (Step 3 of 4): Features
Click Next.
Select at least the top two logging options (as shown in Figure 3-9). This will permit you to identify from the system log files (/var/log/messages, /var/log/warn) the source IP address of the alien requests that prompted the rules table to log this information. This is an essential part of a defense process.
Figure 3-9: SUSE Linux Firewall Configuration (Step 4 of 4): Logging Options
Click Next.
Figure 3-10 shows the control panel that appears. Click Continue to apply the firewall rule changes. The dialog panel shown in Figure 3-11 will report progress as the new rules are applied.
Figure 3-10: SUSE Linux Save settings and activate firewall
Figure 3-11: SUSE Linux Firewall configuration: saving settings
When the progress meter shows 100%, click Quit to exit the firewall configuration tool.
Your SUSE system firewall has now been configured.
Configuration of a basic firewall for Red Hat Enterprise Linux AS 3.0 can be achieved by following these steps:
Log onto the system as the root user.
On the desktop, click the Start Here icon.
Select System Settings | Security Level.
The panel shown in Figure 3-12 will appear. Select the Security Level and the protocols you want to permit to access this machine. Also check the network interfaces that you want to trust. Take care with your selection: any interface you enable will be configured as a trusted device.
Figure 3-12: The Red Hat firewall configuration tool
Click OK.
The dialog box shown in Figure 3-13 provides an opportunity to void the change or to commit it. Click Yes to proceed.
Figure 3-13: The Red Hat firewall configuration confirmation
The Red Hat Linux firewall is now configured and applied. Unlike the default SUSE firewall, the Red Hat default sets a default policy to accept all incoming traffic on a network interface. The correct operation of the rules is imperative.
Heads Up: Red Hat sets a default policy to accept all incoming traffic on a network interface. This makes it critical that you configure rules to counter this.
Listing 3-3, shown at the end of this chapter, was obtained by executing the iptables -L command on a SLES8 system that has had a firewall enabled through use of the YaST2 facility.
The complexity of these rules is readily apparent. Both input and forwarding rules have a default policy to DROP incoming traffic. Exceptions are then made to permit desired traffic only. The substantial use of logging details of unwanted traffic is essential to permit the potential identification of sources of hostile traffic.
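The difference between the two default policies just described can be checked mechanically. The shell functions below are an added example, not code from the book or from the YaST2 or Red Hat tools: they read iptables -L output and report whether INPUT and FORWARD default to DROP (as in Listing 3-3) or still accept by default (as the Red Hat tool leaves them). The two sample outputs are constructed for the demonstration; on a live system, pipe the real command into the functions.

```sh
#!/bin/sh
# Added example (not from the book): audit the default policies shown by
# `iptables -L`.  Usage on a live host:  iptables -L | audit_default_policy

# Constructed excerpt in the shape of Listing 3-3 (SUSE: policy DROP).
SUSE_SAMPLE=$(cat <<'EOF'
Chain INPUT (policy DROP)
target      prot opt source               destination
ACCEPT      all  --  anywhere             anywhere
LOG         all  --  anywhere             anywhere             LOG level warning prefix 'SuSE-FW-ILLEGAL-TARGET '
DROP        all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target      prot opt source               destination
forward_ext all  --  anywhere             anywhere
DROP        all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target      prot opt source               destination
ACCEPT      all  --  anywhere             anywhere
EOF
)

# Constructed excerpt of a host whose INPUT and FORWARD chains accept by default.
OPEN_SAMPLE=$(cat <<'EOF'
Chain INPUT (policy ACCEPT)
target      prot opt source               destination
ACCEPT      tcp  --  anywhere             anywhere             tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target      prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target      prot opt source               destination
EOF
)

# Print "CHAIN POLICY" for each built-in chain in iptables -L output (stdin).
chain_policies() {
  awk '/^Chain .* \(policy / { pol = $4; sub(/\)$/, "", pol); print $2, pol }'
}

# Report every inbound built-in chain (INPUT, FORWARD) whose policy is not
# DROP.  Exit status 0 when both default to DROP, 1 otherwise.
audit_default_policy() {
  awk '
    /^Chain (INPUT|FORWARD) \(policy / {
      pol = $4; sub(/\)$/, "", pol)
      if (pol != "DROP") {
        printf "%s: default policy is %s, expected DROP\n", $2, pol
        bad = 1
      }
    }
    END { if (bad) exit 1; exit 0 }'
}

# Print the target of the last rule in the named chain ("" if it has none).
# A DROP policy plus a final LOG/DROP pair, as in Listing 3-3, means nothing
# reaches the policy without being recorded first.
last_rule_target() {
  awk -v chain="$1" '
    /^Chain /            { inside = ($2 == chain); next }
    inside && /^target / { next }
    inside && NF > 0     { last = $1 }
    END                  { print last }'
}

# Demonstration on the constructed samples.
printf '%s\n' "$SUSE_SAMPLE" | chain_policies
printf '%s\n' "$OPEN_SAMPLE" | audit_default_policy || echo "=> open sample needs -P INPUT DROP and -P FORWARD DROP"
```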
If you want to understand how the firewall rules operate, take some time to familiarize yourself with the structure, design, and method of implementation of firewall rules and exception handling. The exception reporting methods used in the script generated on this system are extensive and produce a large volume of logged data.
Heads Up: It makes sense to monitor and act on all logged data. If you do not intend to monitor and act on the exception reports, it does not make sense to create voluminous detailed information.
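Acting on the logged data is easier once the volume is condensed. The shell functions below are an added example, not the book's code: they reduce the SuSE-FW-* entries that the YaST2 rules write to /var/log/messages to one line per log prefix and source address, and list the sources dropped on the external interface, busiest first. The log lines are constructed in the netfilter LOG format using documentation addresses; the function names fw_log_summary and fw_dropped_sources are this example's own.

```sh
#!/bin/sh
# Added example (not from the book): condense SuSE-FW-* firewall log entries.
# Live usage:  fw_log_summary < /var/log/messages

# Constructed sample in the netfilter LOG line format (documentation addresses).
SAMPLE_LOG=$(cat <<'EOF'
Mar  3 10:15:01 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= SRC=192.0.2.77 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=40211 DF PROTO=TCP SPT=51234 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:15:02 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= SRC=192.0.2.77 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=40212 DF PROTO=TCP SPT=51235 DPT=135 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:15:02 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= SRC=192.0.2.77 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=40213 DF PROTO=TCP SPT=51236 DPT=445 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:16:40 linux kernel: eth0: link is up
Mar  3 10:17:12 linux kernel: SuSE-FW-DROP-ANTI-SPOOF IN=eth0 OUT= SRC=192.168.57.20 DST=203.0.113.5 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=7 PROTO=UDP SPT=1026 DPT=53 LEN=58
Mar  3 10:20:05 linux kernel: SuSE-FW-ACCEPT IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.5 LEN=60 TOS=0x10 PREC=0x00 TTL=57 ID=1 DF PROTO=TCP SPT=33100 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:21:30 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.5 LEN=71 TOS=0x00 PREC=0x00 TTL=57 ID=2 PROTO=UDP SPT=33101 DPT=161 LEN=51
EOF
)

# One line per (prefix, SRC): "<count> <prefix> <src> <proto/dport,...>",
# highest count first.  Lines without a SuSE-FW- prefix are ignored.
fw_log_summary() {
  awk '
    /kernel: SuSE-FW-/ {
      prefix = ""; src = ""; proto = "-"; dpt = "-"
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SuSE-FW-/)    prefix = $i
        else if ($i ~ /^SRC=/)   src = substr($i, 5)
        else if ($i ~ /^PROTO=/) proto = substr($i, 7)
        else if ($i ~ /^DPT=/)   dpt = substr($i, 5)
      }
      if (prefix == "" || src == "") next
      key = prefix " " src
      count[key]++
      svc = proto "/" dpt
      if (!((key, svc) in seen)) {          # keep first-seen order of ports
        seen[key, svc] = 1
        ports[key] = (ports[key] == "" ? svc : ports[key] "," svc)
      }
    }
    END { for (k in count) print count[k], k, ports[k] }' | sort -rn
}

# Sources dropped on the given interface (default eth0), busiest first:
# "<count> <src>".  Matches every SuSE-FW-DROP* prefix used in Listing 3-3
# (DROP-DEFAULT, DROP-ANTI-SPOOF, DROP-ICMP-CRIT, ...).
fw_dropped_sources() {
  awk -v ifc="${1:-eth0}" '
    /kernel: SuSE-FW-DROP/ && $0 ~ ("IN=" ifc " ") {
      for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) hits[substr($i, 5)]++
    }
    END { for (s in hits) print hits[s], s }' | sort -rn
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | fw_log_summary
printf '%s\n' "$SAMPLE_LOG" | fw_dropped_sources
```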
If you want to install an alternative firewall strategy, the following script must be modified to meet local needs. It can be configured to run as part of the startup process from the script /etc/rc.d/rc.local or from any alternative startup script. If you decide to use an alternative startup method, be sure to implement the firewall as early as possible, preferably before network services are started.
The nice thing about this script is the ease with which you can add or remove protocols as well as the fact that it uses a default policy to drop all incoming network requests unless a rule explicitly specifies otherwise. This leaves less room for risk of failure.
#!/bin/sh
echo -e "\n\nLoading NAT firewall.\n"
IPTABLES=/usr/sbin/iptables
EXTIF="eth0"
INTIFA="eth1"
echo "   External Interface:  $EXTIF"
echo "   Internal Interfaces: $INTIFA"
echo -en "   loading modules: "
echo "   - Verifying that all kernel modules are ok"
/sbin/depmod -a
echo -en "ip_tables, "
/sbin/insmod ip_tables
echo -en "ip_conntrack, "
/sbin/insmod ip_conntrack
echo -en "ip_conntrack_ftp, "
/sbin/insmod ip_conntrack_ftp
echo -en "iptable_nat, "
/sbin/insmod iptable_nat
echo -en "ip_nat_ftp, "
/sbin/insmod ip_nat_ftp
echo ".  Done loading modules."
echo "   Clear existing rules, then setting default policy.."
# Default policy: drop everything that no later rule explicitly permits.
$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
# Loopback and the internal interface are trusted without restriction.
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -i $INTIFA -j ACCEPT
# On the external interface, only replies to connections we initiated.
$IPTABLES -A INPUT -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
# Enable incoming traffic for: SSH, SMTP, DNS(tcp), HTTP, HTTPS
for i in 22 25 53 80 443
do
    $IPTABLES -A INPUT -i $EXTIF -p tcp --dport $i -j ACCEPT
done
# Allow DNS(udp)
$IPTABLES -A INPUT -i $EXTIF -p udp --dport 53 -j ACCEPT
echo "Allow all connections OUT and only existing and specified ones IN"
# Forwarding: internal hosts may go out; only replies come back in.
# Anything else is logged and then falls through to the DROP policy.
$IPTABLES -A FORWARD -i $EXTIF -o $INTIFA -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIFA -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j LOG
echo "   Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
echo "   Enabling IP_forwarding.. "
echo "1" > /proc/sys/net/ipv4/ip_forward
echo -e "\nNAT firewall done.\n"
The primary defense mechanism in use today is the firewall, with secondary protection afforded by tcp_wrappers. Your firewall rules table includes provision for logging of network access attempts that are either unexpected, originate from unacceptable sources, or exhibit potentially detrimental characteristics.
Hopefully, you will have deduced that there can be no such thing as a perfectly secure firewall. It is strongly recommended that you work with an attitude that every reported exception should be treated with suspicion and that you will identify the source of the exception and take appropriate action to protect the integrity of the system as well as that of the network resources it is designed to protect.
In a later chapter, you will configure facilities that will automate the process of monitoring firewall logs with an emphasis on inducing you to take appropriate corrective action. We hope you are ready to move on: there is more work to be done.
Listing 3-3: Output of iptables -L on a SLES8 system with the firewall enabled through YaST2

Chain INPUT (policy DROP)
target      prot opt source               destination
ACCEPT      all  --  anywhere             anywhere
LOG         all  --  loopback/8           anywhere             LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-ANTI-SPOOFING '
LOG         all  --  anywhere             loopback/8           LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-ANTI-SPOOFING '
DROP        all  --  loopback/8           anywhere
DROP        all  --  anywhere             loopback/8
LOG         all  --  192.168.57.128       anywhere             LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-ANTI-SPOOFING '
DROP        all  --  192.168.57.128       anywhere
LOG         all  --  linux.demoworld.org  anywhere             LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-ANTI-SPOOFING '
DROP        all  --  linux.demoworld.org  anywhere
input_ext   all  --  anywhere             linux.demoworld.org
input_int   all  --  anywhere             192.168.57.128
DROP        all  --  anywhere             192.168.1.255
DROP        all  --  anywhere             255.255.255.255
DROP        all  --  anywhere             192.168.57.255
DROP        all  --  anywhere             255.255.255.255
LOG         all  --  anywhere             linux.demoworld.org  LOG level warning tcp-options ip-options prefix 'SuSE-FW-ACCESS_DENIED_INT '
DROP        all  --  anywhere             linux.demoworld.org
LOG         all  --  anywhere             anywhere             LOG level warning tcp-options ip-options prefix 'SuSE-FW-ILLEGAL-TARGET '
DROP        all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target      prot opt source               destination
TCPMSS      tcp  --  anywhere             anywhere             tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
ACCEPT      all  --  anywhere             anywhere
ACCEPT      all  --  anywhere             anywhere
forward_ext all  --  anywhere             anywhere
forward_int all  --  anywhere             anywhere
LOG         all  --  anywhere             anywhere             LOG level warning tcp-options ip-options prefix 'SuSE-FW-ILLEGAL-ROUTING '
DROP        all  --  anywhere             anywhere
ACCEPT      all  --  anywhere             anywhere             state NEW,RELATED,ESTABLISHED
LOG         all  --  anywhere             anywhere             LOG level warning tcp-options ip-options prefix 'SuSE-FW-FORWARD-ERROR '

Chain OUTPUT (policy ACCEPT)
target      prot opt source               destination
ACCEPT      all  --  anywhere             anywhere
LOG         icmp --  anywhere             anywhere             icmp time-exceeded LOG level warning tcp-options ip-options prefix 'SuSE-FW-TRACEROUTE-ATTEMPT '
ACCEPT      icmp --  anywhere             anywhere             icmp time-exceeded
ACCEPT      icmp --  anywhere             anywhere             icmp port-unreachable
ACCEPT      icmp --  anywhere             anywhere             icmp fragmentation-needed
ACCEPT      icmp --  anywhere             anywhere             icmp network-prohibited
ACCEPT      icmp --  anywhere             anywhere             icmp host-prohibited
ACCEPT      icmp --  anywhere             anywhere             icmp communication-prohibited
DROP        icmp --  anywhere             anywhere             icmp destination-unreachable
ACCEPT      all  --  anywhere             anywhere             state NEW,RELATED,ESTABLISHED
LOG         all  --  anywhere             anywhere             LOG level warning tcp-options ip-options prefix 'SuSE-FW-OUTPUT-ERROR '

Chain forward_dmz (0 references)
target      prot opt source               destination
LOG         all  --  192.168.1.0/24       anywhere             LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-ANTI-SPOOF '
DROP        all  --  192.168.1.0/24       anywhere
LOG         all  --  192.168.57.0/24      anywhere             LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-ANTI-SPOOF '
DROP        all  --  192.168.57.0/24      anywhere
LOG         all  --  anywhere             192.168.57.128       LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-CIRCUMVENTION '
DROP        all  --  anywhere             192.168.57.128
LOG         all  --  anywhere             linux.demoworld.org  LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-CIRCUMVENTION '
DROP        all  --  anywhere             linux.demoworld.org
ACCEPT      icmp --  anywhere             anywhere             state RELATED icmp destination-unreachable
ACCEPT      icmp --  anywhere             anywhere             state RELATED,ESTABLISHED icmp echo-reply
ACCEPT      all  --  anywhere             anywhere             state NEW,RELATED,ESTABLISHED
ACCEPT      all  --  anywhere             anywhere             state RELATED,ESTABLISHED
LOG         tcp  --  anywhere             anywhere             tcp flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-DEFAULT '
LOG         icmp --  anywhere             anywhere             icmp source-quench LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-DEFAULT '
LOG         icmp --  anywhere             anywhere             icmp redirect LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-DEFAULT '
LOG         icmp --  anywhere             anywhere             icmp echo-request LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-DEFAULT '
LOG         icmp --  anywhere             anywhere             icmp timestamp-request LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-DEFAULT '
LOG         icmp --  anywhere             anywhere             icmp address-mask-request LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-DEFAULT '
LOG         udp  --  anywhere             anywhere             LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-DEFAULT '
LOG         all  --  anywhere             anywhere             state INVALID LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-DEFAULT-INVALID '
DROP        all  --  anywhere             anywhere

Chain forward_ext (1 references)
target      prot opt source               destination
LOG         all  --  192.168.57.0/24      anywhere             LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-ANTI-SPOOF '
DROP        all  --  192.168.57.0/24      anywhere
LOG         all  --  anywhere             192.168.57.128       LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-CIRCUMVENTION '
DROP        all  --  anywhere             192.168.57.128
ACCEPT      icmp --  anywhere             anywhere             state RELATED icmp destination-unreachable
ACCEPT      icmp --  anywhere             anywhere             state RELATED,ESTABLISHED icmp echo-reply
ACCEPT      all  --  anywhere             anywhere             state NEW,RELATED,ESTABLISHED
ACCEPT      all  --  anywhere             anywhere             state RELATED,ESTABLISHED
LOG         tcp  --  anywhere             anywhere             tcp flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-DEFAULT '
LOG         icmp --  anywhere             anywhere             icmp source-quench LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-DEFAULT '
LOG         icmp --  anywhere             anywhere             icmp redirect LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-DEFAULT '
LOG         icmp --  anywhere             anywhere             icmp echo-request LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-DEFAULT '
LOG         icmp --  anywhere             anywhere             icmp timestamp-request LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-DEFAULT '
LOG         icmp --  anywhere             anywhere             icmp address-mask-request LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-DEFAULT '
LOG         udp  --  anywhere             anywhere             LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-DEFAULT '
LOG         all  --  anywhere             anywhere             state INVALID LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-DEFAULT-INVALID '
DROP        all  --  anywhere             anywhere

Chain forward_int (1 references)
target      prot opt source               destination
LOG         all  --  192.168.1.0/24       anywhere             LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-ANTI-SPOOF '
DROP        all  --  192.168.1.0/24       anywhere
LOG         all  --  anywhere             linux.demoworld.org  LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-CIRCUMVENTION '
DROP        all  --  anywhere             linux.demoworld.org
ACCEPT      icmp --  anywhere             anywhere             state RELATED icmp destination-unreachable
ACCEPT      icmp --  anywhere             anywhere             state RELATED,ESTABLISHED icmp echo-reply
ACCEPT      all  --  anywhere             anywhere             state NEW,RELATED,ESTABLISHED
ACCEPT      all  --  anywhere             anywhere             state RELATED,ESTABLISHED
LOG         tcp  --  anywhere             anywhere             tcp flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-DEFAULT '
LOG         icmp --  anywhere             anywhere             icmp source-quench LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-DEFAULT '
LOG         icmp --  anywhere             anywhere             icmp redirect LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-DEFAULT '
LOG         icmp --  anywhere             anywhere             icmp echo-request LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-DEFAULT '
LOG         icmp --  anywhere             anywhere             icmp timestamp-request LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-DEFAULT '
LOG         icmp --  anywhere             anywhere             icmp address-mask-request LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-DEFAULT '
LOG         udp  --  anywhere             anywhere             LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-DEFAULT '
LOG         all  --  anywhere             anywhere             state INVALID LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-DEFAULT-INVALID '
DROP        all  --  anywhere             anywhere

Chain input_dmz (0 references)
target      prot opt source               destination
LOG         all  --  192.168.1.0/24       anywhere             LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-ANTI-SPOOF '
DROP        all  --  192.168.1.0/24       anywhere
LOG         all  --  192.168.57.0/24      anywhere             LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-ANTI-SPOOF '
DROP        all  --  192.168.57.0/24      anywhere
ACCEPT      icmp --  anywhere             anywhere             icmp echo-request
ACCEPT      icmp --  anywhere             anywhere             state RELATED,ESTABLISHED icmp echo-reply
ACCEPT      icmp --  anywhere             anywhere             state RELATED,ESTABLISHED icmp destination-unreachable
ACCEPT      icmp --  anywhere             anywhere             state RELATED,ESTABLISHED icmp time-exceeded
ACCEPT      icmp --  anywhere             anywhere             state RELATED,ESTABLISHED icmp parameter-problem
ACCEPT      icmp --  anywhere             anywhere             state RELATED,ESTABLISHED icmp timestamp-reply
ACCEPT      icmp --  anywhere             anywhere             state RELATED,ESTABLISHED icmp address-mask-reply
LOG         icmp --  anywhere             anywhere             icmp redirect LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-ICMP-CRIT '
LOG         icmp --  anywhere             anywhere             icmp source-quench LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-ICMP-CRIT '
LOG         icmp --  anywhere             anywhere             icmp timestamp-request LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-ICMP-CRIT '
LOG         icmp --  anywhere             anywhere             icmp address-mask-request LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-ICMP-CRIT '
LOG         icmp --  anywhere             anywhere             icmp type 2 LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-ICMP-CRIT '
DROP        icmp --  anywhere             anywhere
reject_func tcp  --  anywhere             anywhere             tcp dpt:ident flags:SYN,RST,ACK/SYN
LOG         tcp  --  anywhere             anywhere             tcp dpt:ssh flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP '
DROP        tcp  --  anywhere             anywhere             tcp dpt:ssh flags:SYN,RST,ACK/SYN
LOG         tcp  --  anywhere             anywhere             tcp dpt:sunrpc flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP '
DROP        tcp  --  anywhere             anywhere             tcp dpt:sunrpc flags:SYN,RST,ACK/SYN
LOG         tcp  --  anywhere             anywhere             tcp dpt:x11 flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP '
DROP        tcp  --  anywhere             anywhere             tcp dpt:x11 flags:SYN,RST,ACK/SYN
LOG         tcp  --  anywhere             anywhere             tcp dpts:1024:65535 flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix 'SuSE-FW-ACCEPT '
ACCEPT      tcp  --  anywhere             anywhere             state RELATED,ESTABLISHED tcp dpts:1024:65535
ACCEPT      tcp  --  anywhere             anywhere             state ESTABLISHED tcp dpts:ipcserver:65535 flags:!SYN,RST,ACK/SYN
ACCEPT      tcp  --  anywhere             anywhere             state ESTABLISHED tcp dpt:ftp-data flags:!SYN,RST,ACK/SYN
ACCEPT      udp  --  frodo.demoworld.org  anywhere             state NEW,RELATED,ESTABLISHED udp spt:domain dpts:1024:65535
DROP        udp  --  anywhere             anywhere             udp dpt:ssh
DROP        udp  --  anywhere             anywhere             udp dpt:bootpc
DROP        udp  --  anywhere             anywhere             udp dpt:sunrpc
DROP        udp  --  anywhere             anywhere             udp dpt:sunrpc
DROP        udp  --  anywhere             anywhere             udp dpt:x11
ACCEPT      udp  --  anywhere             anywhere             state RELATED,ESTABLISHED udp dpts:1024:65535
LOG         tcp  --  anywhere             anywhere             tcp flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-DEFAULT '
LOG         icmp --  anywhere             anywhere             icmp source-quench LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-DEFAULT '
LOG         icmp --  anywhere             anywhere             icmp redirect LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-DEFAULT '
LOG         icmp --  anywhere             anywhere             icmp echo-request LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-DEFAULT '
LOG         icmp --  anywhere             anywhere             icmp timestamp-request LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-DEFAULT '
LOG         icmp --  anywhere             anywhere             icmp address-mask-request LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-DEFAULT '
LOG         udp  --  anywhere             anywhere             LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-DEFAULT '
LOG         all  --  anywhere             anywhere             state INVALID LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-DEFAULT-INVALID '
DROP        all  --  anywhere             anywhere

Chain input_ext (1 references)
target      prot opt source               destination
LOG         all  --  192.168.57.0/24      anywhere             LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-ANTI-SPOOF '
DROP        all  --  192.168.57.0/24      anywhere
LOG         icmp --  192.168.1.0/24       anywhere             icmp source-quench LOG level warning tcp-options ip-options prefix 'SuSE-FW-ACCEPT-SOURCEQUENCH '
ACCEPT      icmp --  192.168.1.0/24       anywhere             icmp source-quench
ACCEPT      icmp --  anywhere             anywhere             icmp echo-request
ACCEPT      icmp --  anywhere             anywhere             state RELATED,ESTABLISHED icmp echo-reply
ACCEPT      icmp --  anywhere             anywhere             state RELATED,ESTABLISHED icmp destination-unreachable
ACCEPT      icmp --  anywhere             anywhere             state RELATED,ESTABLISHED icmp time-exceeded
ACCEPT      icmp --  anywhere             anywhere             state RELATED,ESTABLISHED icmp parameter-problem
ACCEPT      icmp --  anywhere             anywhere             state RELATED,ESTABLISHED icmp timestamp-reply
ACCEPT      icmp --  anywhere             anywhere             state RELATED,ESTABLISHED icmp address-mask-reply
LOG         icmp --  anywhere             anywhere             icmp redirect LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-ICMP-CRIT '
LOG         icmp --  anywhere             anywhere             icmp source-quench LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-ICMP-CRIT '
LOG         icmp --  anywhere             anywhere             icmp timestamp-request LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-ICMP-CRIT '
LOG         icmp --  anywhere             anywhere             icmp address-mask-request LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-ICMP-CRIT '
LOG         icmp --  anywhere             anywhere             icmp type 2 LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-ICMP-CRIT '
DROP        icmp --  anywhere             anywhere
LOG         tcp  --  anywhere             anywhere             tcp dpt:http flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix 'SuSE-FW-ACCEPT '
ACCEPT      tcp  --  anywhere             anywhere             state NEW,RELATED,ESTABLISHED tcp dpt:http
LOG         tcp  --  anywhere             anywhere             tcp dpt:https flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix 'SuSE-FW-ACCEPT '
ACCEPT      tcp  --  anywhere             anywhere             state NEW,RELATED,ESTABLISHED tcp dpt:https
LOG         tcp  --  anywhere             anywhere             tcp dpt:smtp flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix 'SuSE-FW-ACCEPT '
ACCEPT      tcp  --  anywhere             anywhere             state NEW,RELATED,ESTABLISHED tcp dpt:smtp
LOG         tcp  --  anywhere             anywhere             tcp dpt:ssh flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix 'SuSE-FW-ACCEPT '
ACCEPT      tcp  --  anywhere             anywhere             state NEW,RELATED,ESTABLISHED tcp dpt:ssh
reject_func tcp  --  anywhere             anywhere             tcp dpt:ident flags:SYN,RST,ACK/SYN
LOG         tcp  --  anywhere             anywhere             tcp dpt:ssh flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP '
DROP        tcp  --  anywhere             anywhere             tcp dpt:ssh flags:SYN,RST,ACK/SYN
LOG         tcp  --  anywhere             anywhere             tcp dpt:sunrpc flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP '
DROP        tcp  --  anywhere             anywhere             tcp dpt:sunrpc flags:SYN,RST,ACK/SYN
LOG         tcp  --  anywhere             anywhere             tcp dpt:x11 flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP '
DROP        tcp  --  anywhere             anywhere             tcp dpt:x11 flags:SYN,RST,ACK/SYN
LOG         tcp  --  anywhere             anywhere             tcp dpts:1024:65535 flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix 'SuSE-FW-ACCEPT '
ACCEPT      tcp  --  anywhere             anywhere             state RELATED,ESTABLISHED tcp dpts:1024:65535
ACCEPT      tcp  --  anywhere             anywhere             state ESTABLISHED tcp dpts:ipcserver:65535 flags:!SYN,RST,ACK/SYN
ACCEPT      tcp  --  anywhere             anywhere             state ESTABLISHED tcp dpt:ftp-data flags:!SYN,RST,ACK/SYN
ACCEPT      udp  --  frodo.demoworld.org  anywhere             state NEW,RELATED,ESTABLISHED udp spt:domain dpts:1024:65535
DROP        udp  --  anywhere             anywhere             udp dpt:ssh
DROP        udp  --  anywhere             anywhere             udp dpt:bootpc
DROP        udp  --  anywhere             anywhere             udp dpt:sunrpc
DROP        udp  --  anywhere             anywhere             udp dpt:sunrpc
DROP        udp  --  anywhere             anywhere             udp dpt:x11
ACCEPT      udp  --  anywhere             anywhere             state RELATED,ESTABLISHED udp dpts:1024:65535
ACCEPT      udp  --  anywhere             anywhere             state ESTABLISHED udp dpts:61000:65095
LOG         tcp  --  anywhere             anywhere             tcp flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-DEFAULT '
LOG         icmp --  anywhere             anywhere             icmp source-quench LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-DEFAULT '
LOG         icmp --  anywhere             anywhere             icmp redirect LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-DEFAULT '
LOG         icmp --  anywhere             anywhere             icmp echo-request LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-DEFAULT '
LOG         icmp --  anywhere             anywhere             icmp timestamp-request LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-DEFAULT '
LOG         icmp --  anywhere             anywhere             icmp address-mask-request LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-DEFAULT '
LOG         udp  --  anywhere             anywhere             LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-DEFAULT '
LOG         all  --  anywhere             anywhere             state INVALID LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-DEFAULT-INVALID '
DROP        all  --  anywhere             anywhere

Chain input_int (1 references)
target      prot opt source               destination
LOG         all  --  192.168.1.0/24       anywhere             LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-ANTI-SPOOF '
DROP        all  --  192.168.1.0/24       anywhere
ACCEPT      all  --  anywhere             anywhere
ACCEPT      icmp --  anywhere             anywhere             icmp echo-request
ACCEPT      icmp --  anywhere             anywhere             state RELATED,ESTABLISHED icmp echo-reply
ACCEPT      icmp --  anywhere             anywhere             state RELATED,ESTABLISHED icmp destination-unreachable
ACCEPT      icmp --  anywhere             anywhere             state RELATED,ESTABLISHED icmp time-exceeded
ACCEPT      icmp --  anywhere             anywhere             state RELATED,ESTABLISHED icmp parameter-problem
ACCEPT      icmp --  anywhere             anywhere             state RELATED,ESTABLISHED icmp timestamp-reply
ACCEPT      icmp --  anywhere             anywhere             state RELATED,ESTABLISHED icmp address-mask-reply
LOG         icmp --  anywhere             anywhere             icmp redirect LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-ICMP-CRIT '
LOG         icmp --  anywhere             anywhere             icmp source-quench LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-ICMP-CRIT '
LOG         icmp --  anywhere             anywhere             icmp timestamp-request LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-ICMP-CRIT '
LOG         icmp --  anywhere             anywhere             icmp address-mask-request LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-ICMP-CRIT '
LOG         icmp --  anywhere             anywhere             icmp type 2 LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-ICMP-CRIT '
DROP        icmp --  anywhere             anywhere
reject_func tcp  --  anywhere             anywhere             tcp dpt:ident flags:SYN,RST,ACK/SYN
LOG         tcp  --  anywhere             anywhere             tcp dpts:1024:65535 flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix 'SuSE-FW-ACCEPT '
ACCEPT      tcp  --  anywhere             anywhere             state RELATED,ESTABLISHED tcp dpts:1024:65535
ACCEPT      tcp  --  anywhere             anywhere             state ESTABLISHED tcp dpts:ipcserver:65535 flags:!SYN,RST,ACK/SYN
ACCEPT      tcp  --  anywhere             anywhere             state ESTABLISHED tcp dpt:ftp-data flags:!SYN,RST,ACK/SYN
ACCEPT      udp  --  frodo.demoworld.org  anywhere             state NEW,RELATED,ESTABLISHED udp spt:domain dpts:1024:65535
ACCEPT      udp  --  anywhere             anywhere             state RELATED,ESTABLISHED udp dpts:1024:65535
LOG         tcp  --  anywhere             anywhere             tcp flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-DEFAULT '
LOG         icmp --  anywhere             anywhere             icmp source-quench LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-DEFAULT '
LOG         icmp --  anywhere             anywhere             icmp redirect LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-DEFAULT '
LOG         icmp --  anywhere             anywhere             icmp echo-request LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-DEFAULT '
LOG         icmp --  anywhere             anywhere             icmp timestamp-request LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-DEFAULT '
LOG         icmp --  anywhere             anywhere             icmp address-mask-request LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-DEFAULT '
LOG         udp  --  anywhere             anywhere             LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-DEFAULT '
LOG         all  --  anywhere             anywhere             state INVALID LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-DEFAULT-INVALID '
DROP        all  --  anywhere             anywhere

Chain reject_func (3 references)
target      prot opt source               destination
REJECT      tcp  --  anywhere             anywhere             reject-with tcp-reset
REJECT      udp  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT      all  --  anywhere             anywhere             reject-with icmp-proto-unreachable