pre-configured firewall script at /etc/ppp/ip-up
You may want to consider the following script (or
parts of it) for inclusion in the standard /etc/ppp/ip-up
shipped by the installer.
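# Firewall rules for a single-host PPP link, meant to run from /etc/ppp/ip-up.
# The ip-up wrapper is expected to export PPP_LOCAL (the link's local address)
# and, when pppd was started with usepeerdns, DNS1/DNS2.
# NOTE(review): confirm these variable names against the ip-up wrapper in use.
#
# Policy: drop everything by default, then open only what a dial-up client
# needs — DNS to the peer-supplied resolvers, outbound HTTP and FTP, outbound
# TCP to unprivileged ports, and the return traffic of those connections.
# Anything that reaches the end of a chain is logged and then dropped by policy.

# Start from a clean slate: flush rules, delete user chains, zero counters.
iptables -F
iptables -X
iptables -Z

# Default-deny in all three directions before any ACCEPT is added, so an
# abort part-way through this script leaves the host closed, not open.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# Every rule below keys on the local address; without it they would either
# error out or match nothing. Fail closed (policies are already DROP).
if [ -z "$PPP_LOCAL" ]; then
  echo "ip-up firewall: PPP_LOCAL is not set, leaving default-deny policy" >&2
  exit 1
fi

# Kernel-side hardening.
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# Reverse-path filtering: discard packets whose source is not routable back
# out the interface they arrived on (anti-spoofing).
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
# ICMP redirects let an on-link host rewrite our routing table; refuse them.
# With forwarding off, the kernel honours a redirect if either conf/all or the
# per-interface flag is set, so clear the per-interface flags too.
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
  echo "0" > "$f"
done
# Source-routed packets let the sender dictate the path; refuse them.
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route

# Loopback must be allowed explicitly: the DROP policies apply to lo as well,
# and local services (resolver, X, mail submission, ...) break without it.
iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Optional: pin package downloads to the mirror from sources.list.
# Replace x.x.x.x with the mirror's address before enabling.
#iptables -A OUTPUT -p tcp -s "$PPP_LOCAL" -d x.x.x.x -j ACCEPT
#iptables -A INPUT  -p tcp -s x.x.x.x -d "$PPP_LOCAL" -j ACCEPT

# DNS to the resolvers pppd learned from the peer (skipped if none were
# supplied). Queries go out to port 53; only replies to those queries come
# back (ESTABLISHED), not anything that merely claims source port 53, which
# is trivially spoofed.
for dns in "$DNS1" "$DNS2"; do
  [ -n "$dns" ] || continue
  iptables -A OUTPUT -p udp -s "$PPP_LOCAL" -d "$dns" --dport 53 -j ACCEPT
  iptables -A INPUT  -p udp -s "$dns" -d "$PPP_LOCAL" --sport 53 \
    -m state --state ESTABLISHED -j ACCEPT
done

# Outbound web and FTP control connections.
iptables -A OUTPUT -p tcp -s "$PPP_LOCAL" --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp -s "$PPP_LOCAL" --dport 21 -j ACCEPT
# Outbound TCP to unprivileged ports (covers passive-mode FTP data channels,
# among other things). NOTE(review): this is broad — any local process may
# open a connection to any high port anywhere; tighten on a multi-user host.
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -p tcp \
  -s "$PPP_LOCAL" --dport 1024: -j ACCEPT

# Return traffic for the connections opened above, plus helper-tracked
# related connections (active-mode FTP data needs the ftp conntrack helper
# loaded for RELATED to match).
iptables -A INPUT -m state --state ESTABLISHED,RELATED -p tcp \
  -d "$PPP_LOCAL" --dport 1024: -j ACCEPT
# ICMP errors tied to our own connections, notably "fragmentation needed",
# which path-MTU discovery relies on over a low-MTU PPP link. The tcp-only
# rule above never matches them, so without this PMTUD fails silently.
iptables -A INPUT -p icmp -m state --state RELATED -d "$PPP_LOCAL" -j ACCEPT

# Whatever is left is about to hit the DROP policy: log it first. The log
# rules are rate-limited so a flood from the link cannot fill syslog.
# --log-uid is only meaningful for locally generated (OUTPUT) packets.
iptables -A OUTPUT -m limit --limit 5/min --limit-burst 10 \
  -j LOG --log-prefix " OUTPUT: " --log-level debug --log-uid
iptables -A INPUT -m limit --limit 5/min --limit-burst 10 \
  -j LOG --log-prefix " INPUT: " --log-level debug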