Some questions and improvements about iptables-boilerplate HOT 5 CLOSED

hello,

@1: actually yes and no. if i define some rules like black or whitelisted ips, then i KNOW everything with that source ips is ok or hostile, so i either allow anything or block anything. so i have no reason for further checks. same is true for custom rules. i am not 100% sure on opening ports. i have to think about this - thanks for the hint.

@2: not sure about this, have to investigate about this one too.

@3: this not a dulicate. on lines 66-68 i define a chain and apply some rules to the chain. on line 146 i push the packets to the chain. (think of defining a function and calling it later)

@4: i cant see a reason to log martian packets. i dont gain usefull information by storing packets with a bogus source ip. e.g. i cant analyze the logs and blacklist ips (because they are not the real ip). if i would log them, they just eat up disc space or even worse fill up the entire disk and take the whole host down (flooding). this is why i limit logging on portscans and invalid packets as well.

@5: i think about that too, when i rearange the execution order (see answer 1). but you can uncomment line 96 if you dont want icmp. i happen to like my hosts pingable :)

@6: no i dont think you have to restart another service, not 100% sure thou.

generally: its a boilerplate, no full blown firewall or a service or a deamon. boilerplate means i copy this to every host during setup, but i change the script if i need to. there ist no way to write a fw-script that is good for all hosts or usecases. think of it as a blueprint with sane defaults, but its absolutly ok to add or delete stuff.

from iptables-boilerplate.

@3: ok, I see, thank you.
@4: I understand your point of view. Need to think about it.
@5: me too! But I fear ICMP flood. That's why I think that we need a limit for echo-requests.

I searched a lot on the web, and your boilerplate is clearly the best for me. Well thought out, well structured and documented. I analysed it, to be sure that everything is inside (and more specifically: security against attacks).

from iptables-boilerplate.

@bmaeser : Can you update your script for Ubuntu 16.04 ?

from iptables-boilerplate.

yes, its in my pipeline to port this project to systemd (among other things, like splitting it up into ipv4 and ipv6 settings). the problem is, i havent had much time lately and i guess it will be at least a couple more weeks till i get to it.

i suggest using ufw on ubuntu in the meantime.

from iptables-boilerplate.

Thank you very much. I'm waiting for the next update :D

from iptables-boilerplate.