iptables configuration
Hi!
As a proof of concept I'm configuring the firewall (iptables) of my LaCie NAS and I think it could be interesting if you want to discuss my configuration.
I'm currently using the following services:
- HTTP server (the config page) (tcp/80)
- Samba server (137, 138, 139, 445)
- NFS server (tcp/udp/111, tcp/udp/2049)
- MiniDLNA server (tcp/8200, udp/1900)
- Transmission (HTTP UI is tcp/9091)
- NTP server (udp/123)
- SSH server (tcp/22)
So here we have my proposed iptables configuration:
# iptables-restore format: these rules belong to the filter table
*filter
# Allows all loopback (lo0) traffic and rejects any traffic to 127/8 that doesn't arrive on lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
# Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allows all outbound traffic
-A OUTPUT -j ACCEPT
# Allows SSH connections
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
# Allows HTTP connections (config page)
-A INPUT -p tcp -m state --state NEW --dport 80 -j ACCEPT
# Allow Transmission (web UI only; its peer listening port is not opened here)
-A INPUT -p tcp -m state --state NEW --dport 9091 -j ACCEPT
# Allow Samba server to work (NetBIOS name/datagram services on udp, session service on tcp)
-A INPUT -p udp --dport 137 -j ACCEPT
-A INPUT -p udp --dport 138 -j ACCEPT
-A INPUT -p udp --dport 139 -j ACCEPT
-A INPUT -p tcp --dport 139 -j ACCEPT
-A INPUT -p tcp --dport 445 -j ACCEPT
# Allow NFS to work (portmapper and nfsd)
-A INPUT -p udp --dport 111 -j ACCEPT
-A INPUT -p tcp --dport 111 -j ACCEPT
-A INPUT -p udp --dport 2049 -j ACCEPT
-A INPUT -p tcp --dport 2049 -j ACCEPT
# NFS helper ports pinned in /etc/sysconfig/nfs (lockd, mountd, rquotad, statd)
-A INPUT -p tcp --dport 32803 -j ACCEPT
-A INPUT -p udp --dport 32769 -j ACCEPT
-A INPUT -p tcp --dport 892 -j ACCEPT
-A INPUT -p udp --dport 892 -j ACCEPT
-A INPUT -p tcp --dport 875 -j ACCEPT
-A INPUT -p udp --dport 875 -j ACCEPT
-A INPUT -p tcp --dport 662 -j ACCEPT
-A INPUT -p udp --dport 662 -j ACCEPT
# Allow MiniDLNA to work (HTTP on 8200, SSDP discovery on udp/1900)
-A INPUT -p tcp --dport 8200 -j ACCEPT
-A INPUT -p udp --dport 1900 -j ACCEPT
# Allow ping (ICMP echo request)
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# Log denied packets (rate limited so the log can't be flooded)
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Reject all other inbound - default deny unless explicitly allowed policy
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
In /etc/sysconfig/nfs I should write the following configuration:
LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
MOUNTD_PORT=892
RQUOTAD_PORT=875
STATD_PORT=662
STATD_OUTGOING_PORT=2020
I've not implemented this config though because I think it's unfinished. For instance, I don't think Transmission would work with these rules.
What do you think?
P.S.: The idea of configuring iptables came after seeing how the LaCie turned on in the middle of the night. I don't think the NSA or Snowden are interested in my humble hard disk, but maybe my TV or my IPTV box or my shitty router is sending packets and waking up my NAS.
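To answer the P.S. (which device on the LAN is sending packets to the NAS), here is an added Python helper that is not part of the original post: it reads kernel log lines written by the LOG rule above (prefix "iptables denied: ") and tallies them by source address, protocol and destination port. The log lines embedded in it are constructed samples in the standard iptables LOG field layout; on the NAS you would feed it `dmesg` or the syslog file instead.

```python
import re
from collections import Counter

# Constructed sample of kernel log lines as the LOG target emits them
# (hosts, MACs and ports are invented for illustration).
SAMPLE_LOG = """\
Mar  3 02:14:01 nas kernel: iptables denied: IN=eth0 OUT= MAC=01:00:5e:00:00:fb:aa:bb:cc:dd:ee:ff:08:00 SRC=192.168.1.20 DST=224.0.0.251 LEN=120 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=100
Mar  3 02:14:02 nas kernel: iptables denied: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.1 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=49152 DPT=8080 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 02:14:05 nas kernel: eth0: link is up, 1000 Mbps full duplex
Mar  3 02:14:09 nas kernel: iptables denied: IN=eth0 OUT= MAC=01:00:5e:00:00:fb:aa:bb:cc:dd:ee:ff:08:00 SRC=192.168.1.20 DST=224.0.0.251 LEN=120 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=100
Mar  3 02:14:12 nas kernel: iptables denied: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:cc:08:00 SRC=192.168.1.30 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=777 DF PROTO=TCP SPT=40000 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
"""

LOG_PREFIX = "iptables denied: "      # must match --log-prefix in the rule
TOKEN_RE = re.compile(r"(\w+)=(\S*)")  # KEY=VALUE fields; bare flags (DF, SYN) are skipped

def parse_log_line(line):
    """Return the KEY=VALUE fields of one LOG line as a dict, or None if the
    line does not carry our prefix (other kernel messages are ignored)."""
    idx = line.find(LOG_PREFIX)
    if idx < 0:
        return None
    # LEN appears twice for UDP (IP and UDP length); the later value wins, which is fine here
    return dict(TOKEN_RE.findall(line[idx + len(LOG_PREFIX):]))

def summarize(lines):
    """Count denied packets per (source IP, protocol, destination port)."""
    counts = Counter()
    for line in lines:
        fields = parse_log_line(line)
        if fields is None:
            continue
        # ICMP entries have TYPE/CODE instead of DPT, so fall back to "-"
        key = (fields.get("SRC", "?"), fields.get("PROTO", "?"), fields.get("DPT", "-"))
        counts[key] += 1
    return counts

def report(counts):
    """Render the tally, busiest talker first, one line per (src, proto, dport)."""
    return [f"{n:5d}  {src:<15} {proto:<5} dport {dpt}"
            for (src, proto, dpt), n in counts.most_common()]

if __name__ == "__main__":
    print("\n".join(report(summarize(SAMPLE_LOG.splitlines()))))
```

Because the LOG rule is rate limited to 5/min, a chatty device will show a lower count than it actually produced; the ranking is still reliable for spotting who is talking to the NAS.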