Re: Request for comments: iptables script for use on laptops.
Hi,
You have the FORWARD policy set to DROP (not by default, but by rule) -> you don't need the "echo ... /ip_forward".
I don't like to log everything it drops; it can fill up a partition, and that is not good :)
bye
> Your iptables script scares me a bit; do we really have to do all that stuff
> like "echo to /proc/sys/..."? I was a TP professional many years ago,
> but since the internet I have become a novice, thus running scared.
>
> My script is simple, and perhaps too simple???? for some 6 PCs.
> I even have FTP/20+21 turned off most of the time, and I question some
> of the others (I put them on due to err-log messages).
>
> ============================================================
>
> #!/bin/sh
> # /opt/sbin/ziptables
> # /etc/init.d/local
> #
> iptables -t mangle -F # flush all: mangle,nat,filter
> iptables -t nat -F # flush all: mangle,nat,filter
> iptables -t filter -F # flush all: mangle,nat,filter
> iptables -A INPUT -j ACCEPT -s 127.0.0.1 # local host
> iptables -A OUTPUT -j ACCEPT -d 127.0.0.1
> iptables -A INPUT -j ACCEPT -s 192.168.0.0/28 # allow x.x.x.1-7
> iptables -A OUTPUT -j ACCEPT -d 192.168.0.0/28
> iptables -A FORWARD -j DROP
> #
> # PASS ICMP TYPE 3 PACKETS (avoid ping, allow nfs)
> # iptables -A INPUT -j ACCEPT -p icmp -m icmp --icmp-type 3
> # iptables -A OUTPUT -j ACCEPT -p icmp -m icmp --icmp-type 3
> #
> # SSH@22,SMTP@25,HTTP@80,HTTPS@443,RIP@520,IPP@631
> # POP3@110,Portmap@111,Usenet@119
> # Domain@53,BootTP@67+68
> # NFS@2049,MOUNTD@(add "MOUNTD_PORT=33333" to /etc/sysconfig/nfs)
> # FTP@20+21
>
> iptables -A INPUT -j ACCEPT -p tcp -m multiport --port 20,21,25,37,80,110,111,119,443
>
> iptables -A OUTPUT -j ACCEPT -p tcp -m multiport --port 25,37,80,110,111,119,443
>
> iptables -A INPUT -j ACCEPT -p udp -m multiport --port 53,67,68,111,520,631
>
> iptables -A OUTPUT -j ACCEPT -p udp -m multiport --port 53,67,68,111,520,631,5353
> #
> # LOG DROP THROUGHS FOR DIAGNOSTICS, WRITTEN TO /var/log/messages
> iptables -A INPUT -j LOG --log-prefix ZZI-
> iptables -A OUTPUT -j LOG --log-prefix ZZO-
> iptables -A INPUT -j DROP
> iptables -A OUTPUT -j DROP
> iptables -L
> #
>
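The two points raised in the reply (a FORWARD chain that drops means no /proc/sys/net/ipv4/ip_forward toggling is needed on a single-homed laptop, and unlimited LOG rules can fill /var/log) can be checked on the ruleset itself. The script below is an added example, written for this thread and not posted by either participant: it generates the quoted script's rules in iptables-restore format with DROP as the chain policy and with the LOG rules rate-limited by the limit match, then counts LOG rules that lack a limit. The LAN prefix and port lists are taken from the quoted script; the log-rate values (5 per minute, burst 10) and the helper names are assumptions.

```shell
#!/bin/sh
# Added example (not from either poster): build an iptables-restore ruleset
# that keeps the quoted script's allow lists but
#   1. sets DROP as the chain *policy* (FORWARD included), so there is nothing
#      to forward and no ip_forward sysctl to touch on a single-homed laptop;
#   2. passes every LOG rule through "-m limit", so a packet flood produces a
#      bounded number of syslog lines instead of filling the partition.
# Port lists and LAN prefix come from the quoted script; the limit values are
# assumptions chosen for illustration.

LAN=${LAN:-192.168.0.0/28}
TCP_IN=${TCP_IN:-20,21,25,37,80,110,111,119,443}
TCP_OUT=${TCP_OUT:-25,37,80,110,111,119,443}
UDP_IN=${UDP_IN:-53,67,68,111,520,631}
UDP_OUT=${UDP_OUT:-53,67,68,111,520,631,5353}
LOG_RATE=${LOG_RATE:-5/min}     # assumed: average LOG lines allowed per minute
LOG_BURST=${LOG_BURST:-10}      # assumed: initial burst before the rate applies

# Print the ruleset on stdout in the format iptables-restore reads.
laptop_ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -s $LAN -j ACCEPT
-A OUTPUT -d $LAN -j ACCEPT
-A INPUT -p tcp -m multiport --ports $TCP_IN -j ACCEPT
-A OUTPUT -p tcp -m multiport --ports $TCP_OUT -j ACCEPT
-A INPUT -p udp -m multiport --ports $UDP_IN -j ACCEPT
-A OUTPUT -p udp -m multiport --ports $UDP_OUT -j ACCEPT
-A INPUT -m limit --limit $LOG_RATE --limit-burst $LOG_BURST -j LOG --log-prefix "ZZI-"
-A OUTPUT -m limit --limit $LOG_RATE --limit-burst $LOG_BURST -j LOG --log-prefix "ZZO-"
COMMIT
EOF
}

# Lint helper: number of LOG rules in the generated ruleset that are NOT
# rate-limited. A value other than 0 means a flood could fill the log partition.
unlimited_log_rules() {
  laptop_ruleset | awk '/-j LOG/ && !/-m limit/ { n++ } END { print n + 0 }'
}

# Lint helper: "yes" if the FORWARD chain policy is DROP (so forwarding is
# blocked regardless of the ip_forward sysctl), otherwise "no".
forward_policy_drop() {
  if laptop_ruleset | grep -q '^:FORWARD DROP'; then echo yes; else echo no; fi
}

# Stand-alone usage: print the ruleset and the two lint results.
laptop_ruleset
echo "# unlimited LOG rules: $(unlimited_log_rules)"
echo "# FORWARD policy DROP: $(forward_policy_drop)"
```

To apply it, pipe the output into iptables-restore (its --test option parses the ruleset without committing it), which replaces the whole filter table atomically instead of flushing and re-adding rule by rule as the quoted script does. The same awk one-liner can be run against `iptables-save` output on a live box to find LOG rules that were added without a limit.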