Example ldap samba iptables ruleset

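#! /bin/sh
# /etc/iptables.bak
#
# Host firewall for a workstation that also serves samba, LDAP, monitoring
# and amanda.  Policy: drop everything inbound unless explicitly allowed;
# let all outbound traffic go freely.
#
# Optional environment overrides (defaults reproduce the original ruleset):
#   IPTABLES    - path to the iptables binary (default: /sbin/iptables)
#   TRUSTED_NET - source network allowed to reach the LAN-only services
#                 (samba, LDAP, nagios, NTP, SNMP, amanda).  Default 0.0.0.0/0
#                 means "no restriction"; set it to your LAN, e.g. a
#                 constructed example such as 192.168.1.0/24, so that those
#                 ports are not reachable from the wider network.
#
# Runs with the privileges of the caller; iptables itself needs root.
# Only the default 'filter' table is touched; nat/mangle are left as-is.

# Let's save typing & confusion with variables
IPTABLES=${IPTABLES:-/sbin/iptables}
TRUSTED_NET=${TRUSTED_NET:-0.0.0.0/0}

# Flush active rules and custom tables
"$IPTABLES" --flush
"$IPTABLES" --delete-chain

# set the defaults so that by-default incoming packets are dropped, unless explicitly allowed;
# for a desktop workstation, we'll let lots of (unpredictable) outgoing packets go freely.
# NOTE: the policies are set before the ACCEPT rules below exist, so there is a
# brief window in which new inbound traffic is dropped; existing connections
# are re-admitted once the RELATED,ESTABLISHED rule is in place.
"$IPTABLES" -P INPUT DROP
"$IPTABLES" -P FORWARD DROP
"$IPTABLES" -P OUTPUT ACCEPT

# INBOUND POLICY
# ==============
# of course, accepting loopback is a good idea
"$IPTABLES" -A INPUT -i lo -j ACCEPT

# we will permit ping, but rate-limit type 8 to prevent DoS-attack
# (echo-reply, destination-unreachable and time-exceeded are accepted
# unconditionally; echo-requests beyond the limit fall through to the
# INPUT policy and are dropped)
"$IPTABLES" -A INPUT -p icmp --icmp-type 0 -j ACCEPT
"$IPTABLES" -A INPUT -p icmp --icmp-type 3 -j ACCEPT
"$IPTABLES" -A INPUT -p icmp --icmp-type 11 -j ACCEPT
"$IPTABLES" -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT

#   (Applies to packets entering our network interface from the network,
#   and addressed to this host.)

# drop packets conntrack cannot classify, then let replies to our own
# connections straight through before any per-service rule is consulted
"$IPTABLES" -A INPUT -m conntrack --ctstate INVALID -j DROP
"$IPTABLES" -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# ssh incoming, including non-standard port (if needed)
# (deliberately not limited to TRUSTED_NET so remote administration keeps working)
"$IPTABLES" -A INPUT -p tcp -m conntrack --ctstate NEW --dport 22 -j ACCEPT
#"$IPTABLES" -A INPUT -p tcp -m conntrack --ctstate NEW --dport 222 -j ACCEPT

# samba (smbd and nmbd) ports -- LAN-only services, scoped to TRUSTED_NET
"$IPTABLES" -A INPUT -s "$TRUSTED_NET" -p udp -m udp --dport 137 -j ACCEPT
"$IPTABLES" -A INPUT -s "$TRUSTED_NET" -p udp -m udp --dport 138 -j ACCEPT
"$IPTABLES" -A INPUT -s "$TRUSTED_NET" -p tcp -m conntrack --ctstate NEW --dport 139 -j ACCEPT
"$IPTABLES" -A INPUT -s "$TRUSTED_NET" -p tcp -m conntrack --ctstate NEW --dport 445 -j ACCEPT

# LDAP incoming query port
# (389 is cleartext unless the server enforces STARTTLS; keep it inside TRUSTED_NET)
"$IPTABLES" -A INPUT -s "$TRUSTED_NET" -p tcp -m conntrack --ctstate NEW --dport 389 -j ACCEPT

# nagios (5666); monitor time (123), allow snmp (161)
"$IPTABLES" -A INPUT -s "$TRUSTED_NET" -p tcp -m conntrack --ctstate NEW --dport 5666 -j ACCEPT
"$IPTABLES" -A INPUT -s "$TRUSTED_NET" -p udp -m udp --dport 123 -j ACCEPT
"$IPTABLES" -A INPUT -s "$TRUSTED_NET" -p udp -m udp --dport 161 -j ACCEPT

# amanda tape-backups; we reach out and tape things from this machine
"$IPTABLES" -A INPUT -s "$TRUSTED_NET" -p udp -m conntrack --ctstate NEW -m udp --dport 10080 -j ACCEPT
"$IPTABLES" -A INPUT -s "$TRUSTED_NET" -p tcp -m conntrack --ctstate NEW --dport 10082 -j ACCEPT
"$IPTABLES" -A INPUT -s "$TRUSTED_NET" -p tcp -m conntrack --ctstate NEW --dport 10083 -j ACCEPT


# OUTBOUND POLICY
# ===============
# of course, accepting loopback is a good idea
"$IPTABLES" -A OUTPUT -o lo -j ACCEPT

#   (Applies to packets sent to the network interface from local processes)

# catch-all; redundant with the OUTPUT policy of ACCEPT but kept so the
# listing shows the intent explicitly
"$IPTABLES" -A OUTPUT -j ACCEPT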

Invoke and make these rules effective:

hostname ~ # sh /etc/iptables.bak

Resulting active rules:

hostname ~ # iptables -L

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere            state INVALID
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     udp  --  anywhere             anywhere            udp dpt:netbios-ns
ACCEPT     udp  --  anywhere             anywhere            udp dpt:netbios-dgm
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:netbios-ssn
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:microsoft-ds
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ldap
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:5666
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ntp
ACCEPT     udp  --  anywhere             anywhere            udp dpt:snmp
ACCEPT     udp  --  anywhere             anywhere            udp dpt:amanda
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:amandaidx
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:amidxtape

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

REMEMBER! If you like the ruleset and want it to be in effect the next time iptables starts (i.e. after a reboot), then you must:

hostname ~ # rc-update add iptables default
* iptables added to runlevel default

hostname ~ # /etc/init.d/iptables save
* Saving iptables state ...