I'm hoping that there is someone here with a lot more iptables knowledge than me, but that shouldn't be hard at all =D. We've got several locations in the Netherlands, Germany and Belgium that are currently being monitored with Nagios (picked just a handful for the examples below). We're implementing very strict security policies for desktops, servers and mobile devices. We want to only allow two ports with outbound traffic and a select few inbound.

Question

So now the real question that I wanted to ask you is this: do I have to configure a source IP for outbound traffic? Default = 0.0.0.0/0, but would it be better to just use 127.0.0.1? Would it be any safer to do so? Do I need to add a destination IP (localhost) to the inbound traffic as well? Basically I don't know the risks of leaving it at 0.0.0.0/0 while the packets are already being filtered. See the examples below.
FYI: there are strong VPN tunnels between the locations to allow the kind of traffic described below.
Location A - Datacenter with the servers that we're configuring the firewall for
Location B - Netherlands #2
Location C - Germany
Location D - Belgium
Servers from Location A need to access servers at all other locations over port 5666 and port 12489
Servers from Location A need to access storage on location A at port 3260
People from Location A, filtered by subnet, may access the Linux servers on port 22,80,443
People from Location B, filtered by subnet, may access the Linux servers at Location A on port 80,443
People from Location C and Location D may not access the servers.
Current rule set
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10251:694238]
:Location_A - [0:0]
:Location_B - [0:0]
:Location_C - [0:0]
:Location_D - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j Location_A
-A INPUT -j Location_B
-A INPUT -j Location_C
-A INPUT -j Location_D
-A INPUT -i lo -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A Location_B -s 127.0.0.1 -d <IPRANGE> -p tcp -m tcp -m multiport --dports 5666,12489 -j ACCEPT
-A Location_B -s <IPRANGE_1> -p tcp -m tcp -m multiport --dports 80,443,5666 -j ACCEPT
-A Location_B -s 127.0.0.1 -d <IPRANGE> -p tcp -m tcp -m multiport --dports 5666,12489 -j ACCEPT
-A Location_B -s <IPRANGE_2> -p tcp -m tcp -m multiport --dports 80,443,5666 -j ACCEPT
-A Location_A -s <IPRANGE> -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A Location_A -s <IPADDRESS> -p tcp -m tcp --dport 3260 -j ACCEPT
-A Location_A -s <IPADDRESS> -p tcp -m tcp --sport 3260 -j ACCEPT
And so on and so on.
Kind regards,
Dennis Lans
a Windows system admin & a very junior Linux person
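As an added example that is not from the original post, here is how the access policy stated above could be written as a default-deny iptables-restore ruleset for the Location A servers. The subnets and the storage address are placeholders, and loopback is matched on the interface rather than with a 127.0.0.1 source address.

```shell
#!/bin/sh
# Added example (not the poster's rules): default-deny filter table for the Location A servers,
# implementing the access policy stated in the post. All addresses below are placeholders.
LOCA_ADMIN="10.1.0.0/24"                           # placeholder: Location A admin subnet
LOCB_ADMIN="10.2.0.0/24"                           # placeholder: Location B admin subnet
REMOTE_SRV="10.2.1.0/24 10.3.1.0/24 10.4.1.0/24"   # placeholder: monitored hosts at B, C, D
STORAGE="10.1.5.10"                                # placeholder: iSCSI target at Location A

ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:Location_A - [0:0]
:Location_B - [0:0]
# Loopback is matched by interface (-i/-o lo), never by -s 127.0.0.1: packets that leave
# or enter a real interface carry the host's real address, so a 127.0.0.1 source rule
# would simply never match there.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j Location_A
-A INPUT -j Location_B
# Location A people: ping plus SSH/HTTP/HTTPS. Replies to our own iSCSI and NRPE
# connections are already covered by the ESTABLISHED rule, so no --sport rules are needed.
-A Location_A -s $LOCA_ADMIN -p icmp --icmp-type echo-request -j ACCEPT
-A Location_A -s $LOCA_ADMIN -p tcp -m multiport --dports 22,80,443 -j ACCEPT
# Location B people: web only. Locations C and D get no chain, so they fall to the DROP policy.
-A Location_B -s $LOCB_ADMIN -p tcp -m multiport --dports 80,443 -j ACCEPT
EOF
  # Outbound: leaving -s at the default 0.0.0.0/0 is correct (the source is this host);
  # what limits exposure is restricting destination and port and dropping everything else.
  for net in $REMOTE_SRV; do
    echo "-A OUTPUT -d $net -p tcp -m multiport --dports 5666,12489 -j ACCEPT"
  done
  cat <<EOF
-A OUTPUT -d $STORAGE -p tcp --dport 3260 -j ACCEPT
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUTPUT-DROP: "
COMMIT
EOF
}
```

Check the syntax with `ruleset | iptables-restore --test` before loading it for real, and keep a console session open while applying it so a mistake in the SSH rule does not lock you out.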