Re: Where to store iptables script
Hey Jorge,
Jacob Friis Larsen wrote:
By the help of http://iptables-script.dk/ I have created the script
below.
Where should I store it?
You can put it in /etc/network/if-up.d
That way it starts as soon as the interface comes up.
And does it look ok?
Looks OK for basic firewalling. You could add a rule to log the rejected
packets.
Thanks, Jacob
#!/bin/sh
# Disable forwarding
echo 0 > /proc/sys/net/ipv4/ip_forward
# load some modules (if needed)
modprobe ip_nat_ftp
modprobe ip_conntrack_ftp
# Flush
iptables -t nat -F POSTROUTING
iptables -t nat -F PREROUTING
iptables -t nat -F OUTPUT
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
#localhost
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Open ports on router for server/services
iptables -A INPUT -s 1.2.3.4 -j ACCEPT -p tcp --dport 20
iptables -A INPUT -s 1.2.3.4 -j ACCEPT -p tcp --dport 21
iptables -A INPUT -j ACCEPT -p tcp --dport 22
iptables -A INPUT -j ACCEPT -p tcp --dport 25
iptables -A INPUT -j ACCEPT -p tcp --dport 80
iptables -A INPUT -j ACCEPT -p tcp --dport 143
iptables -A INPUT -j ACCEPT -p tcp --dport 993
# STATE RELATED for router
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
Check out the debian-firewall list also. It might be helpful too.
Bye,
Marco.
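Two things from Marco's reply are worth seeing in code: the rate-limited LOG rule for packets that are about to hit the DROP policy, and the guard an /etc/network/if-up.d script needs, because ifupdown runs every script in that directory for every interface (lo included) and passes the interface name in IFACE. The block below is an added example, not Jacob's script or anything from the list; EXT_IF is an assumed interface name, the rule list is abridged to ssh plus the state rule, and IPT defaults to a dry run that only prints the commands (run it with IPT=iptables as root to apply them).

```shell
#!/bin/sh
# Added example: logging of dropped packets plus an if-up.d interface guard.
# Not from the original mail. EXT_IF is an assumed name; adjust for your box.
# IPT defaults to a dry run that just prints commands; set IPT=iptables
# (as root) to apply them for real.
IPT="${IPT:-echo iptables}"
EXT_IF="${EXT_IF:-eth0}"

# Returns 0 when the script should act for interface $1. ifupdown sets
# IFACE for each interface it brings up; lo and the rest are ignored.
want_iface() {
    [ "$1" = "$EXT_IF" ]
}

# Rate-limited LOG rule for chain $1. iptables walks a chain top to bottom,
# so this is appended after every ACCEPT: whatever reaches it is about to
# fall through to the chain's DROP policy. LOG is non-terminating, so the
# policy still drops the packet; the limit match keeps a scan or flood
# from filling syslog, and the prefix makes the lines easy to grep.
log_before_drop() {
    chain="$1"
    $IPT -A "$chain" -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-level 4 --log-prefix "ipt-$chain-drop: "
}

# Same shape as Jacob's script (flush, policies, lo, services, state),
# abridged, with a LOG rule as the last entry of INPUT and FORWARD.
apply_rules() {
    $IPT -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -p tcp --dport 22 -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    log_before_drop INPUT
    log_before_drop FORWARD
}

# Entry point as /etc/network/if-up.d would call it: IFACE comes from
# ifupdown; when run by hand it falls back to EXT_IF.
main() {
    if want_iface "${IFACE:-$EXT_IF}"; then
        apply_rules
    fi
}

main
```

When you install this under /etc/network/if-up.d, make it executable and give it a name without dots, since run-parts skips file names it considers invalid; the logged lines end up in the kernel log (dmesg or /var/log/messages on the Debian of that time) with the ipt-INPUT-drop: or ipt-FORWARD-drop: prefix.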