Re: iptables filter rules Question??
Incoming from fbrian@nac.net:
>
> This is my rule set:
>
> 1 iptables -P INPUT DROP
> 2 iptables -A INPUT -p icmp -j ACCEPT
> 3 iptables -A INPUT -i lo -j ACCEPT
> 4 iptables -A INPUT -i ppp0 -p tcp --dport 22 -j ACCEPT
> 5 iptables -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
> 6 iptables -A INPUT -i ppp0 -p tcp -j REJECT --reject-with tcp-reset
> 7 iptables -A INPUT -i ppp0 -p udp -j REJECT
> 8 iptables -A INPUT -i ppp0 -j REJECT --reject-with icmp-proto-unreachable
>
> 9 iptables -P FORWARD DROP
> 10 iptables -P OUTPUT ACCEPT
>
> *********************************************************
>
> 1.) Line number five does not work; iptables complains when I issue that
> rule.
I use exactly the same rule here:
iptables -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
> 2.) The functionality I want from my firewall rule set is:
>
> Deny all incoming traffic except port 22 (ssh), and allow pings
>
> Allow all outgoing traffic, as well as letting it come back in if it
> originated from my box
>
> The above rule set did work when I had an ethernet connection on a
> different network, but when I changed to dialup, I have problems getting
> these to work.
My situation is close, the exception being incoming ssh. I do,
however, allow incoming identd (handled by fauxident):
# OUTPUT: anything this box originates (NEW) and its follow-ups go out
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# identd (tcp/113) from the dialup link, inserted at the head of INPUT
iptables -t filter -I INPUT -i ppp0 -m tcp -p tcp --dport 113 -j ACCEPT
# log, then drop, any other new connection that is not from loopback
# ("! -s" is the current negation syntax; older iptables wrote "-s !")
iptables -A INPUT ! -s 127.0.0.1/32 -m state --state NEW -j LOG
iptables -A INPUT ! -s 127.0.0.1/32 -m state --state NEW -j DROP
# replies to connections this box opened, on the dialup link only
iptables -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
--
Any technology distinguishable from magic is insufficiently advanced.
(*) http://www.spots.ab.ca/~keeling
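A complete rule set for what the original poster asked for (inbound on the dialup link: ssh and ping only; everything outbound allowed and its replies let back in), as an added example that is not code from either message in this thread. It assumes the dialup interface is ppp0 (override with IFACE=...), that iptables with the state match is installed (ipt_state on top of ip_conntrack on a 2.4 kernel), and that the rules are loaded with "./firewall.sh apply" as root; the script name and the gen_rules/rule_index/check_order helpers are this example's own. If iptables rejects the ESTABLISHED,RELATED rule outright rather than mis-matching traffic, the usual cause is that the state match extension could not be loaded, so the apply path checks for that before touching any chain.

```shell
#!/bin/sh
# Added example, not code from the original thread.  Builds the rule set the
# poster describes and prints it as a script; "apply" loads it.
# Assumptions (not from the page): dialup interface ppp0, iptables with the
# state match (ipt_state / ip_conntrack on 2.4 kernels) available.

IFACE="${IFACE:-ppp0}"   # assumed interface name; override with IFACE=ppp1

# gen_rules IFACE: print the iptables commands, in order.  Order matters:
# the ESTABLISHED,RELATED accept has to precede the REJECT rules, or return
# traffic for connections this box opened is refused with a tcp-reset.
gen_rules() {
    iface="$1"
    cat <<EOF
iptables -F INPUT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $iface -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $iface -m state --state INVALID -j DROP
iptables -A INPUT -i $iface -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -i $iface -p tcp --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -i $iface -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -i $iface -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -A INPUT -i $iface -j REJECT --reject-with icmp-proto-unreachable
EOF
}

# rule_index IFACE PATTERN: 1-based position of the first generated line
# matching PATTERN (empty if none).
rule_index() {
    gen_rules "$1" | grep -n -- "$2" | head -n 1 | cut -d: -f1
}

# check_order IFACE: succeed only if the ESTABLISHED,RELATED accept comes
# before the first REJECT; getting this backwards is what silently breaks
# "replies to my own connections should come back in".
check_order() {
    est=$(rule_index "$1" 'ESTABLISHED,RELATED')
    rej=$(rule_index "$1" REJECT)
    [ -n "$est" ] && [ -n "$rej" ] && [ "$est" -lt "$rej" ]
}

# Usage: ./firewall.sh        -> print the rules for review
#        ./firewall.sh apply  -> load them (root); bails out early if the
#                                state match extension cannot be loaded.
if [ "${1:-}" = apply ]; then
    iptables -m state -h >/dev/null 2>&1 || { echo "state match unavailable" >&2; exit 1; }
    check_order "$IFACE" || exit 1
    gen_rules "$IFACE" | sh -e
else
    gen_rules "$IFACE"
fi
```

Compared with the quoted rule set, this accepts only echo-request (not all of ICMP) on the dialup link, relies on ESTABLISHED,RELATED for echo replies and ICMP errors, drops INVALID packets before they can reach the REJECT rules, and limits the ssh accept to NEW connections. The rule_index and check_order helpers exist so the ordering can be verified on the generated text without loading anything into the kernel.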