firewalling...

Ian Molton imolton at clara.net
Sun Oct 7 09:43:11 PDT 2001


Anyone want to discuss firewalling? I find a good way to learn stuff is to
discuss it, and I want to learn this...

So, here's my script... discuss?

#!/bin/sh

IPTABLES="/usr/local/sbin/iptables"

# Default policies: drop anything reaching INPUT that no rule accepts,
# forward and send out everything.
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT

$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT

# Flush all rules and delete user-defined chains so the script can be re-run
$IPTABLES -F
$IPTABLES -t nat -F

$IPTABLES -X
$IPTABLES -t nat -X

#-------------------------------------------------

# Connection-tracking helper so the data connections of masqueraded FTP
# sessions are recognised as RELATED
/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc

# Masquerade the LAN (192.168.1.0/24) behind the address of eth0 and turn on routing
$IPTABLES -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j MASQUERADE
echo "1" > /proc/sys/net/ipv4/ip_forward

# A "logging /dev/null": silently drop the noisy NetBIOS (udp/138) and CUPS
# (udp/631) broadcasts, log everything else with a prefix, then drop it
$IPTABLES -N log_and_drop
$IPTABLES -A log_and_drop -p udp --sport 138 -j DROP
$IPTABLES -A log_and_drop -p udp --sport 631 -j DROP
$IPTABLES -A log_and_drop -j LOG --log-prefix "Firewall:"
$IPTABLES -A log_and_drop -j DROP

# Anti-spoofing: private (RFC 1918) source addresses must never arrive on the
# external interface, so log and drop them
$IPTABLES -A INPUT -i eth0 -s 192.168.0.0/16 -j log_and_drop
$IPTABLES -A INPUT -i eth0 -s 10.0.0.0/8     -j log_and_drop
$IPTABLES -A INPUT -i eth0 -s 172.16.0.0/12  -j log_and_drop

# Allow all on loopback, and ICMP in general
$IPTABLES -A INPUT -i lo -p all -j ACCEPT
$IPTABLES -A INPUT -p icmp -j ACCEPT

# Let replies and related packets of masqueraded connections through FORWARD
# (redundant while the FORWARD policy is ACCEPT, but needed once it is DROP)
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Some select services: SSH and Gnutella (6346)
$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 6346 -j ACCEPT

# Allow DNS replies in (note: this matches any UDP packet with source port 53,
# not only replies to our own queries)
$IPTABLES -A INPUT -p udp --sport 53 -j ACCEPT
#$IPTABLES -A INPUT -p tcp --sport 20 -j ACCEPT

# Don't accept connections from outside: accept any TCP packet that is not a
# connection-opening SYN, so new connections to ports not listed above fall
# through to the log below (unsolicited ACK/FIN/RST packets are still let in)
$IPTABLES -A INPUT -p tcp ! --syn -j ACCEPT

# Dump anything that wasn't accepted into the log (ICMP was already accepted
# above, so only TCP and UDP can get here)
$IPTABLES -A INPUT -p tcp  -j log_and_drop
$IPTABLES -A INPUT -p udp  -j log_and_drop
-- 
Unsubscribe: send email to listar at linuxfromscratch.org
and put 'unsubscribe blfs-support' in the subject header of the message
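As an added example (not the poster's script and not part of the original message), here is the same gateway policy rewritten around connection tracking and loaded atomically through iptables-restore. Instead of accepting every non-SYN TCP packet and every UDP packet with source port 53, INPUT accepts only what conntrack marks ESTABLISHED or RELATED, plus new connections to the listed TCP ports; the FORWARD policy is tightened to DROP with explicit LAN-to-WAN rules; the LOG rule is rate-limited so a flood cannot fill the disk. The interface names (eth0 external, eth1 internal), the LAN prefix and the open ports are assumptions set in variables at the top; the script only prints the ruleset unless run as `sh script.sh apply`, which needs root.

```shell
#!/bin/sh
# Added example: stateful NAT-gateway ruleset in iptables-restore format.
# Assumptions (override via environment): WAN=eth0, LAN=eth1,
# LAN_NET=192.168.1.0/24, TCP_IN="22 6346".
WAN="${WAN:-eth0}"
LAN="${LAN:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
TCP_IN="${TCP_IN:-22 6346}"

# Print the complete ruleset; every table ends in COMMIT so iptables-restore
# installs all of it or none of it.
gen_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:log_and_drop - [0:0]
-A log_and_drop -p udp --sport 138 -j DROP
-A log_and_drop -p udp --sport 631 -j DROP
-A log_and_drop -m limit --limit 5/min -j LOG --log-prefix "Firewall:"
-A log_and_drop -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i $WAN -s 10.0.0.0/8 -j log_and_drop
-A INPUT -i $WAN -s 172.16.0.0/12 -j log_and_drop
-A INPUT -i $WAN -s 192.168.0.0/16 -j log_and_drop
-A INPUT -i $WAN -s 127.0.0.0/8 -j log_and_drop
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
EOF
    # One NEW-state accept per listed service port; replies are ESTABLISHED.
    for port in $TCP_IN; do
        echo "-A INPUT -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    cat <<EOF
-A INPUT -j log_and_drop
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN -o $WAN -s $LAN_NET -m state --state NEW -j ACCEPT
-A FORWARD -j log_and_drop
COMMIT
EOF
}

# Load the ruleset atomically, then enable routing and reverse-path filtering.
apply_ruleset() {
    gen_ruleset | iptables-restore || return 1
    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
}

case "${1:-}" in
    apply) apply_ruleset ;;
    *)     gen_ruleset ;;
esac
```

Run it without arguments to review the generated rules (or pipe them through `iptables-restore --test` on versions that support it) before applying. There is no `--sport 53` rule any more: DNS answers, like any other reply, match ESTABLISHED, and FTP data connections match RELATED once ip_conntrack_ftp is loaded, so nothing that was not asked for gets in.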