top button
Flag Notify
    Connect to us
      Site Registration

Site Registration

Help with stateless firewall

+1 vote
368 views

I am working with a stateless firewall to help keep up with DoS and a state flood. I have a few doubts about my setup:

a.) When allowing web traffic, is it necessary to allow port range 1000:65535 ? i saw that due to this rule sending packets to those ports directly respond with a REJECT instead of a DROP which is preferred. Any
work around and still have a stateless setup?

b.) What is needed to safely have a default OUTPUT DROP, apparently as soon as i change it to that iam unable to access it via ssh, even if I add a rule like this: /sbin/iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT

#!/bin/bash

/sbin/iptables -F
/sbin/iptables -X

/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT ACCEPT

#ICMP IN
/sbin/iptables -A INPUT -p icmp -s 178.174.50.29/24 -j ACCEPT

#ICMP IN (TRACEROUTE)
/sbin/iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT

#ICMP OUT
/sbin/iptables -A OUTPUT -p icmp --icmp-type 8 -j ACCEPT

#DNS RESOLVERS
/sbin/iptables -A INPUT -s 63.15.64.91 -j ACCEPT
/sbin/iptables -A INPUT -s 63.15.64.92 -j ACCEPT

#SSH
/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT

#WEB
/sbin/iptables -A INPUT -p tcp --dport 1000:65535 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
posted Aug 12, 2013 by Meenal Mishra

Share this question
Facebook Share Button Twitter Share Button LinkedIn Share Button

1 Answer

+1 vote

What is a "state flood"? Why do you think a stateless firewall is superior, or even desirable?

a.) When allowing web traffic, is it neecessary to allow port range 1000:65535 ?

Regardless of the inbound port or protocol, for most, you *must* accept return traffic, or the connection cannot be made.

b.) What is needed to safely have a default OUTPUT DROP,

Rule of Thumb: If you need help to make it work, you do not need OUTPUT filtering. Just say No to DROP. :)

Why do you want OUTPUT DROP? What are you defending against? Generally a stronger and more effective defense against hostile system users would be something like SELinux. Another good idea:
don't give untrusted people shell access.

answer Aug 12, 2013 by anonymous
Similar Questions
0 votes

My configuration is following

SIP client <--> stateless proxy <--> SIP server

My doubt is that if SIP can work with stateless proxy though it will always work statefull proxy.

+1 vote

I'm looking at a strange phenomenon that occurs on an iptables firewall. There is a DNAT rule configured that maps a public IP to a private one where a web serve is listening. Normal request operate as expected that is the destination ip is modified to the private one when the request arrives at the firewall and on the response packet the private ip is mapped back to the public one.
What I noticed though is that for some response packets the source ip is *not* mapped back to the public ip and instead tcpdump shows that the packets are sent out with the private source ip. The thing all these packets have in common is that they have the RST flag set.

What could be the reason for this? Is there some particular iptables behavior that could explain this?

+1 vote

Recent versions of the Linux kernel and the libnftnl library define nft expression types with the names "match" and "target". However, I could not find any reference to these expression types in the code of the nft user space utility, but only in the code for iptables.

Is it possible to access iptables matches and targets from rules defined with nft, or is this not intended?

+1 vote

I wanted to make a white list using the settings below.

iptables -N wanout
iptables -I FORWARD -i `nvram get lan_ifname` -j wanout

iptables -I wanout -m mac --mac-source 01:26:f7:46:71:4b -j ACCEPT
iptables -I wanout -m mac --mac-source d2:37:b5:f2:39:f3 -j ACCEPT

iptables -I wanout -d gamepedia.com -j ACCEPT
iptables -I wanout -d toysrus.com -j ACCEPT

iptables -A wanout -j REJECT --reject-with icmp-proto-unreachable

So the boxes with the MACs specified are exempt from blocking. The domains "gamepedia.com" and "toysrus.com" are accesible to all.

But the problem is that those domains pulls stuff in from other domains using or something, which makes the IPTable block the loading of the website to complete.

How do I deal with that in the best way? I don't want to look up everything they pull in and white list that as well. Also it might change.

Isn't there a way to say "accept all from this domain, even unrelated stuff"?

+2 votes

I have some issue with module (owner) in iptables v1.4.14

Current rule fails:
iptables -t nat -A OUTPUT -o eth0 -p tcp -s x.x.x.x -m owner --gid-owner usergroup -j DNAT --to-destination x.x.x.x:80;
I tried to use numeric gid, it failed too..

But this rule works fine:
iptables -t nat -A OUTPUT -o eth0 -p tcp -s x.x.x.x -m owner --uid-owner user -j DNAT --to-destination x.x.x.x:80;

Is it a BUG or I am missing something?

...