Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
A
A
Antuan19792020-07-23 16:54:57
iptables
Antuan1979, 2020-07-23 16:54:57

Can you critique the iptables rules?

Good afternoon!
I'm learning IPTABLES. I want constructive criticism according to the above rules (home server that uses Samba and CUPS. SSH connection from one computer):
*filter
:INPUT DROP [1082:114493]
:FORWARD DROP [0:0]
:OUTPUT DROP [34:1780 ]
# Allow lo
-A INPUT -i lo -j ACCEPT
# Drop packets with status INVALID
-A INPUT -m state --state INVALID -j DROP
# Allow ssh connection (port 1212 changed from 22) from a specific mac address.
-A INPUT -m mac --mac-source 00:00:00:00:00:01 -p tcp -m multiport --port 1212 -j ACCEPT
# apt
-A INPUT -p tcp -m multiport --port 80 ,53,32768:61000 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m multiport --port 80,53,32768:61000 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m multiport --port 80,53,32768:61000 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p udp -m multiport --port 80,53,32768:61000 -m state --state NEW,ESTABLISHED -j ACCEPT
# Samba
-A INPUT -s 192.168. 14.0/24 -p udp -m udp --dport 137 -j ACCEPT
-A INPUT -s 192.168.14.0/24 -p udp -m udp --dport 138 -j ACCEPT
-A INPUT -s 192.168.14.0/24 - p tcp -m tcp --dport 139 -j ACCEPT
-A INPUT -s 192.168.14.0/24 -p tcp -m tcp --dport 445 -j ACCEPT
# CUPS
-A INPUT -s 192.168.14.0/24 -p udp -m udp --dport 631 -j ACCEPT
-A INPUT -s 192.168.14.0/24 -p tcp -m tcp --dport 631 -j ACCEPT
COMMIT

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

1 answer(s)
Report
H
hint000, 2020-07-24
@Antuan1979

There is something odd about ssh.
If the server is exposed directly to the Internet, then there is no point in --mac-source when accessed from outside.
If the server is on the local network and access from the outside is only through the router, then it is not clear why ssh on a non-standard port, because for access from the outside on the router, port forwarding is still required.
Further, Samba and CUPS will not work, because only INPUT is allowed, and OUTPUT is DROP by default. In general, dropping OUTPUT by default is not the best idea, IMHO. Unless we were talking about a computer in the dungeons of the special services :)

Similar questions
W
wutiarn2014-03-28 17:44:38
How to redirect traffic from OpenVPN server to Tor? 0Reply
T
Timur Gromov2016-05-23 23:26:32
How to deny outgoing connections to port 80 on PCs connected to a PPTPD based VPN in Ubuntu Server? 1Reply
I
icell762022-01-10 22:02:26
How to reject a connection with 10 or more TTL 58 requests? 2Reply
O
Oleg3652018-11-20 14:28:23
How to block all tcp traffic on port 80 in iptables except for ip 1.1.1.1/32 for example? 1Reply
E
Everal2018-11-21 20:44:46
Tail + grep + uniq how to combine? 1Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question