
[Xen-users] are these iptables modifications secure

  • To: xen-users@xxxxxxxxxxxxxxxxxxx
  • From: Olivier Seubert <oli4_seubert@xxxxxxxx>
  • Date: Sun, 11 Feb 2007 18:52:27 +0100 (CET)
  • List-id: Xen user discussion <xen-users.lists.xensource.com>


I have slightly modified the iptables boot script for Xen.
However, I'm totally unsure whether it's secure.

The "#NEW" lines are the modifications to LFS's recommended
boot script.

Do they mean that every single packet which is forwarded through peth0
to eth0 is accepted?
I liked the configuration where only answers to established connections
were let through.

Thanks for your help



# Begin $rc_base/rc.iptables

# Insert connection-tracking modules
# (not needed if built into the kernel)
modprobe ip_tables
modprobe iptable_filter
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ipt_state
modprobe ipt_LOG
modprobe ipt_physdev

# Enable broadcast echo Protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Disable Source Routed Packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

# Enable TCP SYN Cookie Protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Disable ICMP Redirect Acceptance
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

# Don't send Redirect Messages
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects

# Drop Spoofed Packets coming in on an interface, where responses
# would result in the reply going out a different interface.
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

# Log packets with impossible addresses.
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

# be verbose on dynamic ip-addresses  (not needed in case of static IP)
echo 2 > /proc/sys/net/ipv4/ip_dynaddr

# disable Explicit Congestion Notification
# too many routers are still ignorant
echo 0 > /proc/sys/net/ipv4/tcp_ecn

# Set a known state
iptables -P INPUT   DROP
iptables -P FORWARD DROP
iptables -P OUTPUT  DROP

# These lines are here in case rules are already in place and the
# script is ever rerun on the fly. We want to remove all rules and
# pre-existing user defined chains before we implement new rules.
iptables -F
iptables -X
iptables -Z

iptables -t nat -F

#NEW (following 2 lines)
iptables -A FORWARD -m physdev --physdev-in peth0 --physdev-out '!' peth0  -j ACCEPT
iptables -A FORWARD -m physdev --physdev-out peth0 --physdev-in '!' peth0  -j ACCEPT

# Allow local-only connections
iptables -A INPUT  -i lo -j ACCEPT
iptables -A INPUT  -i eth0 -j ACCEPT

# Free output on any interface to any ip for any service
# (equal to -P ACCEPT)
iptables -A OUTPUT -j ACCEPT

# Permit answers on already established connections
# and permit new connections related to established ones
# (e.g. port mode ftp)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Log everything else. What's Windows' latest exploitable vulnerability?
iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "

# End $rc_base/rc.iptables

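Added example, written here for this page; it is not the poster's script and not a file shipped by Xen or LFS. The two "#NEW" rules as posted carry no state match, so with bridge-netfilter active they accept every bridged frame entering from peth0, including new inbound connections to dom0's eth0 and to every domU; the INPUT chain's ESTABLISHED,RELATED rule still guards dom0, but domUs are exposed to anything arriving on the wire. The script below is a stateful replacement for those two lines that keeps the "replies only" behaviour the post asks about. It assumes the Xen 3.x network-bridge layout (peth0 = physical NIC on the bridge, eth0 = dom0's bridge interface, vifN.0 = domUs), that the only service to expose is ssh to dom0, and that the kernel's bridge-nf-call-iptables hook is on; all three are assumptions, and the interface names and service list are overridable through environment variables. It prints the rules by default so they can be reviewed, and only runs them when asked.

```shell
#!/bin/sh
# Stateful replacement for the two "#NEW" FORWARD rules.  Added example, not
# the poster's script and not a Xen- or LFS-supplied file.
#
# Assumed topology (Xen 3.x network-bridge defaults; an assumption about the
# poster's host): peth0 is the physical NIC on bridge xenbr0, eth0 is dom0's
# interface on that bridge, vifN.0 are the domU interfaces.
WIRE="${WIRE:-peth0}"
DOM0_IF="${DOM0_IF:-eth0}"

# Services reachable from the wire, as proto:port, space separated.
# Constructed example: ssh to dom0 only.
INBOUND_SERVICES="${INBOUND_SERVICES:-tcp:22}"

# physdev matching in FORWARD only sees bridged frames when the kernel's
# bridge-netfilter hook is on; the original script never checks this.
bridge_nf_enabled() {
    f="${1:-/proc/sys/net/bridge/bridge-nf-call-iptables}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Print the FORWARD rules instead of running them, so they can be reviewed
# (and tested) before touching a live host.
forward_rules() {
    printf '%s\n' \
      "iptables -F FORWARD" \
      "iptables -P FORWARD DROP" \
      "# wire -> bridge (dom0 or any domU): replies to existing connections only" \
      "iptables -A FORWARD -m physdev --physdev-in $WIRE -m state --state ESTABLISHED,RELATED -j ACCEPT" \
      "# bridge -> wire: dom0 and the domUs may open new connections" \
      "iptables -A FORWARD -m physdev --physdev-out $WIRE -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
    # Explicitly exposed services, new connections to dom0 only.
    for svc in $INBOUND_SERVICES; do
        proto="${svc%%:*}"
        port="${svc##*:}"
        printf '%s\n' "iptables -A FORWARD -m physdev --physdev-in $WIRE --physdev-out $DOM0_IF -p $proto --dport $port -m state --state NEW -j ACCEPT"
    done
    # Everything else (new inbound connections to domUs, and traffic between
    # bridge ports that never touches the wire) is logged, then dropped by policy.
    printf '%s\n' 'iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD "'
}

# Usage: sh xen-forward.sh        -> print the rules for review
#        sh xen-forward.sh apply  -> run them (root, bridge-nf must be on)
if [ "${1:-}" = "apply" ]; then
    bridge_nf_enabled || {
        echo "bridge-nf-call-iptables is off: physdev rules would match nothing" >&2
        exit 1
    }
    forward_rules | sh -e
fi
```

Note that, like the original "#NEW" pair, these rules say nothing about frames that travel between bridge ports without crossing peth0 (dom0 to a domU, or domU to domU); those fall through to the DROP policy, so add an explicit physdev rule for them if guests must talk to each other. The rules replace only the FORWARD part of rc.iptables; the INPUT rule `-i eth0 -j ACCEPT` in the posted script is safe exactly to the degree that FORWARD has already filtered what reaches eth0.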