Firewalling (sorry, I didn't see this show up so I'm posting again)

Chris Lingard chris at
Mon Oct 8 01:46:00 PDT 2001

Ian Molton wrote:

Sorry to have missed your earlier discussion about the firewall.  I run 
the script below; it is not very original but I think it works.

I like mine better because it only allows ssh-type logins if you know my 
username and password.  It allows ping too, but that is all. Please feel 
free to copy any parts of it.

bash-2.05$ more masquerade

# activate IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# be verbose on dynamic IP addresses (not needed in case of static IP)
echo 2 > /proc/sys/net/ipv4/ip_dynaddr

# disable Explicit Congestion Notification - too many routers are still
echo 0 > /proc/sys/net/ipv4/tcp_ecn

# start from empty tables so re-running the script does not duplicate rules
iptables -v -F
iptables -v -X
iptables -v -t nat -F

# Allow ssh to access the box (replies out only for an established session)
iptables -v -A INPUT  -p tcp --dport 22                                -j ACCEPT
iptables -v -A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED   -j ACCEPT

# Alternatively, if you want to ping your box to ensure it's still alive:
iptables -v -A INPUT  -p icmp -m icmp --icmp-type echo-request         -j ACCEPT
iptables -v -A OUTPUT -p icmp -m icmp --icmp-type echo-reply           -j ACCEPT

# Create chain which blocks new connections, except if coming from inside
# (anything that did not arrive on the ppp link counts as inside).
iptables -v -N block
iptables -v -A block -m state --state ESTABLISHED,RELATED              -j ACCEPT
iptables -v -A block -m state --state NEW ! -i ppp+                    -j ACCEPT
iptables -v -A block                                                   -j DROP

## Jump to that chain from INPUT and FORWARD chains.  These are appended
## after the ssh and ping rules above, so those are matched first.
iptables -v -A INPUT                                                   -j block
iptables -v -A FORWARD                                                 -j block

# Masquerade traffic from the inside network as it leaves over the ppp link
iptables -v -t nat -A POSTROUTING -o ppp+                              -j MASQUERADE

# set a sane policy: default drop, the ACCEPT rules above are the only holes
iptables -v -P INPUT       DROP
iptables -v -P FORWARD     DROP
iptables -v -P OUTPUT      DROP
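The same ruleset written as an iptables-restore file, so the whole thing is loaded in one transaction with the DROP policies in force before any ACCEPT rule exists (the script above sets the policies last, so there is a short window after the flush where everything is accepted). This is an added example, not code from the original post. It assumes the external link is ppp+ as in the post (the interface name is a parameter of the hypothetical gen_rules function), that the kernel has the state match, and that iptables-restore is installed; the `! -i` placement of the negation is the form current iptables accepts.

```shell
#!/bin/sh
# Added example, not from the original post: the posted firewall as an
# iptables-restore ruleset.  Policies and rules are committed together.

# Print the ruleset on stdout.  Kept in a function so it can be inspected,
# fed to "iptables-restore --test", or loaded, without editing the file.
gen_rules() {
    wan="${1:-ppp+}"    # external interface; ppp+ as in the post (assumption)
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# masquerade everything leaving over the external link
-A POSTROUTING -o ${wan} -j MASQUERADE
COMMIT
*filter
# default deny on all three built-in chains, set in the same transaction
# as the rules, so there is no accept-all window while loading
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:block - [0:0]
# ssh in; replies out only for an established session
-A INPUT -p tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
# ping in, reply out
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
# block chain: keep existing flows, allow NEW only from inside, drop the rest
-A block -m state --state ESTABLISHED,RELATED -j ACCEPT
-A block -m state --state NEW ! -i ${wan} -j ACCEPT
-A block -j DROP
# ssh and ping rules are earlier in INPUT, so they match before the jump
-A INPUT -j block
-A FORWARD -j block
COMMIT
EOF
}

# Number of rules (-A lines) in the generated set; handy as a sanity check
# before loading.
count_rules() {
    gen_rules "$1" | grep -c '^-A'
}

# Load the ruleset atomically (needs root).  Use "iptables-restore --test"
# first to have it parsed without touching the live tables.
load_rules() {
    gen_rules "$1" | iptables-restore
}
```

Run `gen_rules ppp+ | iptables-restore --test` to check the file parses, then `load_rules ppp+` to apply it. As with the posted script, the OUTPUT policy of DROP means the firewall box itself can only answer ssh and ping; it cannot originate connections (including DNS lookups), which is the behaviour the post describes.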


