firewalling...

alteridentity at yahoo.com
Sun Oct 7 10:41:08 PDT 2001


Dude,

This rocks. I'm game, I'm working with firewalling now (not under LFS,
unfortunately).

Let me digest this and I will offer some commentary.

Thanks!

James



On  7 Oct, Ian Molton wrote:
> Anyone want to discuss firewalling? I find a good way to learn stuff is to
> discuss it, and I want to learn this...
> 
> So, here's my script... discuss?
> 
> #!/bin/sh
> 
> IPTABLES="/usr/local/sbin/iptables"
> 
> $IPTABLES -P INPUT DROP
> $IPTABLES -P FORWARD ACCEPT
> $IPTABLES -P OUTPUT ACCEPT
> 
> $IPTABLES -t nat -P PREROUTING ACCEPT
> $IPTABLES -t nat -P POSTROUTING ACCEPT
> $IPTABLES -t nat -P OUTPUT ACCEPT
> 
> $IPTABLES -F
> $IPTABLES -t nat -F
> 
> $IPTABLES -X
> $IPTABLES -t nat -X
> 
> #-------------------------------------------------
> 
> /sbin/modprobe ip_conntrack_ftp
> #/sbin/modprobe ip_conntrack_irc
> 
> $IPTABLES -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j MASQUERADE
> echo "1" > /proc/sys/net/ipv4/ip_forward
> 
> # A 'logging' /dev/null
> $IPTABLES -N log_and_drop
> $IPTABLES -A log_and_drop -p udp --sport 138 -j DROP
> $IPTABLES -A log_and_drop -p udp --sport 631 -j DROP
> $IPTABLES -A log_and_drop -j LOG --log-prefix "Firewall:"
> $IPTABLES -A log_and_drop -j DROP
> 
> # Protect us from source routed packets
> $IPTABLES -A INPUT -i eth0 -s 192.168.0.0/16 -j log_and_drop
> $IPTABLES -A INPUT -i eth0 -s 10.0.0.0/8     -j log_and_drop
> $IPTABLES -A INPUT -i eth0 -s 172.16.0.0/12  -j log_and_drop
> 
> # Allow all on loopback, and icmp in general
> $IPTABLES -A INPUT -i lo -p all -j ACCEPT
> $IPTABLES -A INPUT -p icmp -j ACCEPT
> 
> # Enable masquerading
> $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> 
> # Some select services
> $IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
> $IPTABLES -A INPUT -p tcp --dport 6346 -j ACCEPT
> 
> # Allow DNS replies in
> $IPTABLES -A INPUT -p udp --sport 53 -j ACCEPT
> #$IPTABLES -A INPUT -p tcp --sport 20 -j ACCEPT
> 
> # Don't accept connections from outside
> $IPTABLES -A INPUT -p tcp ! --syn -j ACCEPT
> 
> # Dump anything that wasn't accepted into the log
> $IPTABLES -A INPUT -p icmp -j log_and_drop
> $IPTABLES -A INPUT -p tcp  -j log_and_drop
> $IPTABLES -A INPUT -p udp  -j log_and_drop


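A stateful rewrite of the quoted script, added here as an example and not code from the thread. It assumes eth0 is the Internet side, eth1 the LAN side, 192.168.1.0/24 the LAN, and an iptables with the `-m state` match (the same connection tracking that the script's `modprobe ip_conntrack_ftp` already relies on); it keeps only SSH as a listening service, replaces the `! --syn` and `--sport 53` accepts with connection-tracking state, rate-limits the LOG target and gives FORWARD a default-deny policy.

```shell
#!/bin/sh
# Added example, not the script quoted in the thread: a stateful rewrite of it.
# Assumptions: eth0 faces the Internet, eth1 is the LAN side, the LAN is
# 192.168.1.0/24, and the kernel has the ip_conntrack state match (-m state;
# on current kernels the equivalent is -m conntrack --ctstate).
IPTABLES="${IPTABLES:-/usr/local/sbin/iptables}"
WAN=eth0
LAN=eth1
LAN_NET=192.168.1.0/24

apply_rules() {
    # Default-deny on INPUT and FORWARD; the quoted script left FORWARD open.
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -F
    $IPTABLES -t nat -F
    $IPTABLES -X
    # Rate-limited logging chain so a flood cannot fill the syslog partition.
    $IPTABLES -N log_and_drop
    $IPTABLES -A log_and_drop -m limit --limit 5/min -j LOG --log-prefix "Firewall: "
    $IPTABLES -A log_and_drop -j DROP

    # Anti-spoofing: private and loopback sources must not arrive on the WAN side.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8; do
        $IPTABLES -A INPUT -i $WAN -s $net -j log_and_drop
    done
    $IPTABLES -A INPUT -i lo -j ACCEPT

    # "-p tcp ! --syn -j ACCEPT" admits any ACK/FIN segment, including ACK scans
    # and spoofed replies; conntrack state admits only replies to our own traffic.
    $IPTABLES -A INPUT -m state --state INVALID -j log_and_drop
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # DNS replies are ESTABLISHED to conntrack, so no blanket --sport 53 rule.
    $IPTABLES -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
    $IPTABLES -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
    $IPTABLES -A INPUT -j log_and_drop

    # NAT for the LAN; FORWARD only carries LAN-originated flows and their replies.
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT
    $IPTABLES -A FORWARD -j log_and_drop
    $IPTABLES -t nat -A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE
}

# Load for real only when asked; IPTABLES=echo prints the rules for review.
if [ "${FW_APPLY:-0}" = 1 ]; then
    apply_rules
    echo 1 > /proc/sys/net/ipv4/ip_forward
fi
```

Run `IPTABLES=echo sh fw.sh` after setting `FW_APPLY=1` to print the rule set instead of loading it, which is a convenient way to review the ordering before touching a live box.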