Re: Where to store iptables script

[Marco van Putten <marco@el-diablo.nl>]

Hey Jorge,

Jacob Friis Larsen schreef:

> By the help of http://iptables-script.dk/ I have created the script 
> below.
> Where should I store it?


You can put it in /etc/network/if-up.d
That way it starts as soon as the interface comes up.

> And does it look ok?


Looks OK for basic firewalling. You could add a rule to log the rejected 
packets.

> Thanks, Jacob
>
>
> #!/bin/sh
>
> # Disable forwarding
> echo 0 > /proc/sys/net/ipv4/ip_forward
>
> # load some modules (if needed)
> modprobe ip_nat_ftp
> modprobe ip_conntrack_ftp
>
> # Flush
> iptables -t nat -F POSTROUTING
> iptables -t nat -F PREROUTING
> iptables -t nat -F OUTPUT
> iptables -F
>
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT ACCEPT
>
> #localhost
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A OUTPUT -o lo -j ACCEPT
>
> # Open ports on router for server/services
> iptables -A INPUT -s 1.2.3.4 -j ACCEPT -p tcp --dport 20
> iptables -A INPUT -s 1.2.3.4 -j ACCEPT -p tcp --dport 21
> iptables -A INPUT -j ACCEPT -p tcp --dport 22
> iptables -A INPUT -j ACCEPT -p tcp --dport 25
> iptables -A INPUT -j ACCEPT -p tcp --dport 80
> iptables -A INPUT -j ACCEPT -p tcp --dport 143
> iptables -A INPUT -j ACCEPT -p tcp --dport 993
>
> # STATE RELATED for router
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # Enable forwarding
> echo 1 > /proc/sys/net/ipv4/ip_forward

Check out the debian-firewall list also. It might be helpfull too.

Bye,
Marco.