Open Source Security Tools: Practical Guide to Security Applications, part 10

Security Business Processes (page 69)

...using FTP and other nonessential programs. The all-zero address, 0.0.0.0/0, is shorthand for any address.

iptables -A FORWARD -m multiport -p tcp -i eth0 -d 0.0.0.0/0 --dports www,smtp --syn -j ACCEPT

9. You need to allow certain incoming UDP packets. UDP is used for DNS, and if you block it your users will not be able to resolve addresses. Because UDP datagrams carry no connection state the way TCP segments do, you cannot rely on checking the SYN or ACK flags. You want to allow UDP only on port 53, so you specify domain, the service name iptables resolves (through /etc/services) to port 53, as the only allowable port. You do that with these statements. The address of the internal network is not legible on this page; <internal-net>/24 below stands in for it, and only the /24 prefix length survives from the original.

iptables -A FORWARD -m multiport -p udp -i eth0 -d <internal-net>/24 --dports domain -j ACCEPT
iptables -A FORWARD -m multiport -p udp -i eth0 -s <internal-net>/24 --sports domain -j ACCEPT
iptables -A FORWARD -m multiport -p udp -i eth1 -d 0.0.0.0/0 --dports domain -j ACCEPT
iptables -A FORWARD -m multiport -p udp -i eth1 -s 0.0.0.0/0 --sports domain -j ACCEPT

10. The first two statements allow the incoming UDP datagrams and the second two allow the outbound ones. Note that matching on a source port of 53 trusts the remote end to use that port: any host can send a datagram from port 53, so a current ruleset would instead let the connection-tracking module (-m conntrack --ctstate ESTABLISHED,RELATED) pass only answers to queries the LAN actually sent. You also want to do this for ICMP packets. These are the network information packets discussed in Chapter 2. You want to allow echo-request (type 8) and the two error types, destination-unreachable (3) and time-exceeded (11), outward from the internal network, but only echo-reply (type 0) and those same two error types inward. The multiport match only understands TCP, UDP and SCTP ports, so ICMP types cannot be listed with --dports; each type gets its own rule with --icmp-type, which accepts the name or the number. This can be accomplished with the following statements.

iptables -A FORWARD -p icmp -i eth0 -d <internal-net>/24 --icmp-type echo-reply -j ACCEPT
iptables -A FORWARD -p icmp -i eth0 -d <internal-net>/24 --icmp-type destination-unreachable -j ACCEPT
iptables -A FORWARD -p icmp -i eth0 -d <internal-net>/24 --icmp-type time-exceeded -j ACCEPT
iptables -A FORWARD -p icmp -i eth1 -d 0.0.0.0/0 --icmp-type echo-request -j ACCEPT
iptables -A FORWARD -p icmp -i eth1 -d 0.0.0.0/0 --icmp-type destination-unreachable -j ACCEPT
iptables -A FORWARD -p icmp -i eth1 -d 0.0.0.0/0 --icmp-type time-exceeded -j ACCEPT

11. 
Finally, you want to set up logging so you can look at the logs to see what is being dropped. You will want to view the logs from time to time, even when there is no known problem, just to get an idea of the kinds of traffic being dropped. If you see dropped packets from the same network or address repeatedly, you may be under attack. There is one statement to log each kind of traffic. iptables -A FORWARD
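The following script is an added example, not the book's own rule set. It restates steps 9 to 11 as one function that emits the FORWARD chain in iptables-restore format, so the whole policy can be reviewed and loaded atomically instead of typed one rule at a time. It departs from the book in three places, each marked in the comments: replies are passed by the conntrack match rather than by trusting a source port of 53, ICMP types use --icmp-type because multiport cannot match ICMP, and the LOG rule is rate-limited. The interface names (eth0 outside, eth1 inside) and the LAN address 192.168.1.0/24 are assumptions, not values from the page; override them with the EXT_IF, INT_IF and LAN environment variables.

```shell
#!/bin/sh
# Added example, not from the book: steps 9 to 11 of the iptables walkthrough
# emitted as an iptables-restore file by a shell function.
# Assumptions (not stated on the page): eth0 faces the Internet, eth1 the LAN,
# and the LAN is 192.168.1.0/24. Override with EXT_IF, INT_IF and LAN.
EXT_IF="${EXT_IF:-eth0}"
INT_IF="${INT_IF:-eth1}"
LAN="${LAN:-192.168.1.0/24}"

# build_rules prints the filter table in iptables-restore syntax.
build_rules() {
    cat <<EOF
*filter
:FORWARD DROP [0:0]
# Replies to traffic the firewall already saw (TCP data, DNS answers, ICMP
# errors about a known flow) come back through conntrack. This replaces the
# stateless source-port-53 matching used in the book's UDP rules.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Step 9 (TCP): new connections from outside only to the web and mail ports.
# multiport takes a comma-separated list; --syn limits the match to the
# first packet of a connection.
-A FORWARD -i $EXT_IF -o $INT_IF -p tcp -d $LAN -m multiport --dports www,smtp --syn -j ACCEPT
# Step 9 (UDP): DNS queries, inbound to a resolver on the LAN and outbound from it.
-A FORWARD -i $EXT_IF -o $INT_IF -p udp -d $LAN --dport domain -j ACCEPT
-A FORWARD -i $INT_IF -o $EXT_IF -p udp -s $LAN --dport domain -j ACCEPT
# Step 10 (ICMP): multiport cannot match ICMP, so each type gets its own rule.
# Inbound: echo-reply (0) plus the two error types (3, 11);
# outbound: echo-request (8) plus the same error types.
-A FORWARD -i $EXT_IF -o $INT_IF -p icmp -d $LAN --icmp-type echo-reply -j ACCEPT
-A FORWARD -i $EXT_IF -o $INT_IF -p icmp -d $LAN --icmp-type destination-unreachable -j ACCEPT
-A FORWARD -i $EXT_IF -o $INT_IF -p icmp -d $LAN --icmp-type time-exceeded -j ACCEPT
-A FORWARD -i $INT_IF -o $EXT_IF -p icmp -s $LAN --icmp-type echo-request -j ACCEPT
-A FORWARD -i $INT_IF -o $EXT_IF -p icmp -s $LAN --icmp-type destination-unreachable -j ACCEPT
-A FORWARD -i $INT_IF -o $EXT_IF -p icmp -s $LAN --icmp-type time-exceeded -j ACCEPT
# Step 11: log whatever reaches the end of the chain before the DROP policy
# discards it. The limit match keeps a flood of dropped packets from filling
# the log; the prefix makes the lines easy to grep in syslog.
-A FORWARD -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "FORWARD-DROP: " --log-level 4
COMMIT
EOF
}

# count_rules reports how many lines of the generated policy contain a pattern;
# handy for sanity-checking the file before loading it, e.g. count_rules '^-A FORWARD'.
count_rules() {
    build_rules | grep -c -- "$1"
}

# Running the script prints the policy. To load it: build_rules | iptables-restore
build_rules
```

Because iptables-restore applies the file as one transaction, a typo in any line rejects the whole policy rather than leaving the chain half-built, which is the main reason to generate rules this way rather than appending them interactively. The FORWARD policy is DROP, so anything the rules above do not accept is logged once (subject to the rate limit) and then discarded.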