Re: How to work with my iptables script
This link was extremely helpful when I started working with iptables.
http://iptables-tutorial.frozentux.net/iptables-tutorial.html
--- Jacob Friis Larsen <jfl@list.idg.dk> wrote:
> > Set the default policies *before* flushing the tables.
>
> OK.
>
> >># Open ports on router for server/services
> >>iptables -A INPUT -s 1.2.3.4 -j ACCEPT -p tcp --dport 20
> >>iptables -A INPUT -s 1.2.3.4 -j ACCEPT -p tcp --dport 21
> >>iptables -A INPUT -j ACCEPT -p tcp --dport 22
> >>iptables -A INPUT -j ACCEPT -p tcp --dport 25
> >>iptables -A INPUT -j ACCEPT -p tcp --dport 80
> >>iptables -A INPUT -j ACCEPT -p tcp --dport 143
> >>iptables -A INPUT -j ACCEPT -p tcp --dport 993
> >
> > By these rules you allow everyone (internal and external networks) to
> > use services running on your router. Are these services really running
> > on the router?
>
> Yes.
>
> >># STATE RELATED for router
> >>iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> >
> > I would rather add a rule to accept ESTABLISHED,RELATED traffic in the
> > OUTPUT chain and set the default OUTPUT policy to DROP.
>
> Like this?
> iptables -P OUTPUT DROP
> iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> > You should also allow ICMP (at least some types) and REJECT TCP traffic
> > (with RST) rather than just DROP it. IMHO.
>
> Like this?
> iptables -A icmp-in -p icmp --icmp-type 0 -j RETURN
> iptables -A icmp-in -p icmp --icmp-type 3 -j RETURN
> iptables -A icmp-in -p icmp --icmp-type 4 -j RETURN
> iptables -A icmp-in -p icmp --icmp-type 8 -j RETURN
> iptables -A icmp-in -p icmp --icmp-type 11 -j RETURN
> iptables -A icmp-in -p icmp --icmp-type 12 -j RETURN
>
> >># Enable forwarding
> >>echo 1 > /proc/sys/net/ipv4/ip_forward
> >
> > It is absolutely pointless to enable forwarding, if you drop every
> > packet in the FORWARD chain.
>
> OK.
>
>
> This is my new script:
> # cat myiptables
> #!/bin/sh
>
> # Disable forwarding
> echo 0 > /proc/sys/net/ipv4/ip_forward
>
> # load some modules (if needed)
> #modprobe ip_nat_ftp
> #modprobe ip_conntrack
> modprobe ip_conntrack_ftp
>
> # Default rules
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT DROP
>
> # Flush
> iptables -t nat -F POSTROUTING
> iptables -t nat -F PREROUTING
> iptables -t nat -F OUTPUT
> iptables -F
>
> # Localhost
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A OUTPUT -o lo -j ACCEPT
>
> # Open ports on router for server/services
> iptables -A INPUT -s 1.2.3.4 -j ACCEPT -p tcp --dport 20
> iptables -A INPUT -s 1.2.3.4 -j ACCEPT -p tcp --dport 21
> iptables -A INPUT -j ACCEPT -p tcp --dport 22
> iptables -A INPUT -j ACCEPT -p tcp --dport 25
> iptables -A INPUT -j ACCEPT -p tcp --dport 80
> iptables -A INPUT -j ACCEPT -p tcp --dport 143
> #iptables -A INPUT -j ACCEPT -p tcp --dport 443
> iptables -A INPUT -j ACCEPT -p tcp --dport 993
>
> # STATE RELATED for router
> #iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # Enable forwarding
> #echo 1 > /proc/sys/net/ipv4/ip_forward
>
>
> Thanks,
> Jacob
>
>
=====
-"UNIX is basically a simple operating system, but you have to be a genius to understand the simplicity."-Dennis Ritchie
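The points raised in the quoted exchange (policies before the flush, ESTABLISHED,RELATED on the OUTPUT chain with a DROP policy, a user chain for selected ICMP types, REJECT with a TCP reset instead of a silent DROP) put together in one script. This is an added example, not Jacob's script or anything from the list; it assumes the router itself runs the listed services, that FTP is reachable only from the thread's placeholder peer 1.2.3.4, and the 2.4-era module name ip_conntrack_ftp (nf_conntrack_ftp on current kernels). With no argument it only prints the rules so they can be reviewed first; `apply` loads them. It also includes a small lint for the ordering mistake the thread opens with, which can be pointed at any iptables script.

```shell
#!/bin/sh
# Added example (not the script from the thread): a host firewall following the
# advice given in the discussion. Assumptions: the router runs the services itself,
# FTP is only reachable from FTP_PEER (the thread's placeholder 1.2.3.4), and the
# conntrack helper module is ip_conntrack_ftp (nf_conntrack_ftp on current kernels).
IPT=${IPT:-iptables}
FTP_PEER=${FTP_PEER:-1.2.3.4}
OPEN_TCP="22 25 80 143 993"

rule() { echo "$IPT $*"; }

# Print the complete rule set, one command per line, so it can be reviewed
# before it is applied (see the "apply" argument at the bottom).
generate_rules() {
    echo "modprobe ip_conntrack_ftp"

    # 1. Policies before the flush: once the chains are emptied, the DROP policies
    #    are all that protects the host until the ACCEPT rules below are in place.
    for chain in INPUT FORWARD OUTPUT; do rule -P "$chain" DROP; done
    rule -F
    rule -X
    rule -t nat -F

    # 2. Loopback, then connection tracking on BOTH chains: INPUT needs
    #    ESTABLISHED,RELATED as well, or replies to the host's own outbound
    #    connections (DNS, apt, the FTP data channel) hit the INPUT DROP policy.
    rule -A INPUT -i lo -j ACCEPT
    rule -A OUTPUT -o lo -j ACCEPT
    rule -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    rule -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    rule -A INPUT -m state --state INVALID -j DROP

    # 3. Services running on the router itself; FTP control/data from one peer only.
    for port in $OPEN_TCP; do
        rule -A INPUT -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    for port in 20 21; do
        rule -A INPUT -s "$FTP_PEER" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done

    # 4. ICMP: a user chain that ACCEPTs the useful types and drops the rest.
    #    (RETURN, as in the thread, would hand the packet back to INPUT, which
    #    would then still need an ACCEPT of its own for ICMP.)
    rule -N icmp-in
    for type in 0 3 4 8 11 12; do
        rule -A icmp-in -p icmp --icmp-type "$type" -j ACCEPT
    done
    rule -A icmp-in -j DROP
    rule -A INPUT -p icmp -j icmp-in

    # 5. The host may open new outbound connections.
    rule -A OUTPUT -m state --state NEW -j ACCEPT

    # 6. Final rules: reject instead of silently dropping; TCP gets a RST so the
    #    client fails immediately instead of retransmitting until it times out.
    rule -A INPUT -p tcp -j REJECT --reject-with tcp-reset
    rule -A INPUT -j REJECT --reject-with icmp-port-unreachable
}

# Lint for the ordering bug: every default-policy line must come before the
# first flush. Exit 0 if the script passes, 1 otherwise. Comment lines are ignored.
policies_before_flush() {
    awk '
        /^[[:space:]]*#/ { next }
        / -P (INPUT|OUTPUT|FORWARD) / { if (flushed) bad = 1 }
        / -F( |$)/                    { flushed = 1 }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# "sh firewall.sh apply" loads the rules; with no argument the script only prints them.
if [ "${1:-}" = "apply" ]; then
    generate_rules | sh -e
else
    generate_rules
fi
```

Running `sh firewall.sh > rules.txt && sh firewall.sh policies_before_flush rules.txt` is not how the lint is meant to be used; source the file or call `policies_before_flush myiptables` from a shell that has the function defined. Note that with INPUT and OUTPUT both at DROP, the two ESTABLISHED,RELATED rules are what let any two-way traffic through at all, so they belong right after the loopback rules and before anything else.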