Re: Yet another question on iptables, firewall and, or net-filter



On Mon, 30 Oct 2006 19:23:31 +0530, in comp.os.linux.networking "Balwinder S \"bsd\" Dheeman" <bsd.SANSPAM@xxxxxxxxxxxxxxxxx> wrote:

> If I set all my default policies to *DROP* for INPUT, FORWARD and, or
> OUTPUT chains, do I still need to add the following rules?

1. Individual rules will allow you to keep counts for special
cases. You can see the counts with:
iptables -vL

2. Individual rules which use -j DROP near the beginning of the
rule set can speed up the filtering, and also simplify the
rule set (once you've dropped a packet, later rules don't have
to consider it).

> ## Anti-spoofing
> iptables -A INPUT -m state --state INVALID -j DROP
>
> ## Watch for basic packet crafting vulnerabilities, these are totally
> ## invalid and are not filtered with --state INVALID
> iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
> iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

What is your reference for the statement in the above comments that
these are "not filtered with --state INVALID"?

> ## new tcp packet (not established) and no syn bit... must be trash
> iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
>
> ## drop reserved addresses, not valid on the open Internet
> iptables -A INPUT -i ${WIFACE} -s 224.0.0.0/4 -j DROP
> iptables -A INPUT -i ${WIFACE} -s 240.0.0.0/5 -j DROP
>
> The above-said WIFACE is the interface (eth1) on the WAN side of this machine.
>
> Thank you and thanks in anticipation for your valuable comments and, or
> suggestions.

You're welcome.

--
Dale Dellutri <ddelQQQlutr@xxxxxxxxxxxx> (lose the Q's)
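The quoted INPUT rules and the point about per-rule counters, modelled in Python as an added example (not code from the thread or from iptables): it reproduces the netfilter semantics of `--tcp-flags MASK COMP` (of the bits named in MASK, exactly those in COMP must be set) and of `--syn`, which iptables defines as `--tcp-flags SYN,RST,ACK,FIN SYN`, walks the rules in chain order and keeps the hit counts that `iptables -vL` would report. The `--state INVALID` rule needs conntrack and is left out; the sample packets, their `state` values and the 203.0.113.x source address are constructed.

```python
import ipaddress

FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
RESERVED = [ipaddress.ip_network("224.0.0.0/4"), ipaddress.ip_network("240.0.0.0/5")]
WIFACE = "eth1"  # the WAN-side interface named in the thread

def flags(names):
    """Turn an iptables flag list such as 'SYN,RST' into a TCP flag bitmask."""
    return sum(FLAG_BITS[n] for n in names.split(",") if n)

def tcp_flags_match(pkt_flags, mask, comp):
    """--tcp-flags MASK COMP: only the MASK bits are examined, and they must equal COMP."""
    return (pkt_flags & flags(mask)) == flags(comp)

def syn_match(pkt_flags):
    """--syn, which iptables defines as --tcp-flags SYN,RST,ACK,FIN SYN."""
    return tcp_flags_match(pkt_flags, "SYN,RST,ACK,FIN", "SYN")

RULES = [  # (rule label, match predicate) in chain order; the first match wins, as in iptables
    ("SYN,RST", lambda p: p["proto"] == "tcp" and tcp_flags_match(p["flags"], "SYN,RST", "SYN,RST")),
    ("SYN,FIN", lambda p: p["proto"] == "tcp" and tcp_flags_match(p["flags"], "SYN,FIN", "SYN,FIN")),
    ("NEW-without-SYN", lambda p: p["proto"] == "tcp" and p["state"] == "NEW" and not syn_match(p["flags"])),
    ("reserved-src", lambda p: p["iface"] == WIFACE
                      and any(ipaddress.ip_address(p["src"]) in net for net in RESERVED)),
]

def filter_input(packets):
    """Return (verdicts, counters): verdict is the dropping rule's label, or None (default policy decides)."""
    counters, verdicts = {}, []
    for p in packets:
        hit = next((label for label, match in RULES if match(p)), None)
        if hit:
            counters[hit] = counters.get(hit, 0) + 1  # what iptables -vL would count per rule
        verdicts.append(hit)
    return verdicts, counters

def pkt(src, flag_names, state="NEW", iface=WIFACE):  # 'state' stands in for conntrack's view
    return {"proto": "tcp", "src": src, "flags": flags(flag_names), "state": state, "iface": iface}

SAMPLE = [  # constructed traffic; 203.0.113.0/24 is the TEST-NET-3 documentation range
    pkt("203.0.113.5", "SYN"),                       # ordinary connection attempt
    pkt("203.0.113.5", "SYN,RST"),                   # contradictory flags
    pkt("203.0.113.5", "SYN,FIN"),                   # contradictory flags
    pkt("203.0.113.5", "ACK"),                       # NEW but no SYN: "must be trash"
    pkt("203.0.113.5", "ACK", state="ESTABLISHED"),  # normal mid-stream segment
    pkt("224.0.0.1", "SYN"),                         # multicast source arriving on the WAN side
]
if __name__ == "__main__":
    print(filter_input(SAMPLE))  # verdict per packet, then the per-rule hit counts
```

With a default policy of DROP the first and fifth packets end up dropped as well; the explicit rules only change which counter records it and how early in the chain the decision falls.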