Re: Portsentry tcpd and iptables question
Comments please - it seems to work but there may be obviuos gotchas I need
to be aware of.
Thanks.
#!/bin/sh
#Be secure, ish
PATH=/sbin:$PATH; export PATH
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe iptable_nat
hostname=enterprise
any="0.0.0.0/0.0.0.0"
#Flush things
iptables -F
iptables -F -t nat
iptables -F -t mangle
iptables -X
## Create chain which blocks new connections, except if coming from inside.
iptables -N block
iptables -N DLOG
# anti-spoofing rule
iptables -A block -m state --state INVALID -j DLOG
#Continuations
iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
#Allow services on lo in entirety
#Without this Squirrelmail can't authenticate so not sure what it does.
iptables -A block -s 127.0.0.1/32 -i lo -j ACCEPT
#Allow LAN on eth0 in entirety
iptables -A block -s 192.168.0.0/16 -i eth0 -j ACCEPT
#Open ports
iptables -A block -p tcp --destination-port 22 -j ACCEPT
iptables -A block -p tcp --destination-port 80 -j ACCEPT
iptables -A block -p udp --destination-port 58800 -j ACCEPT
#identd
iptables -A block -p tcp --destination-port 113 -j REJECT \
--reject-with tcp-reset
#Catch-all
iptables -A block -j DLOG
#The DLOG (drop+log) chain
iptables -A DLOG -j LOG --log-prefix="catch-all " --log-tcp-options \
--log-ip-options
iptables -A DLOG -j DROP
## Jump to that chain from INPUT and FORWARD chains.
iptables -A INPUT -j block
iptables -A FORWARD -j block
## set up masquerading as well
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
## Turn on IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
Reply to: