[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Where to store iptables script

Hey Jorge,

Jacob Friis Larsen schreef:

By the help of http://iptables-script.dk/ I have created the script below.
Where should I store it?

You can put it in /etc/network/if-up.d
That way it starts as soon as the interface comes up.

And does it look ok?

Looks OK for basic firewalling. You could add a rule to log the rejected packets.

Thanks, Jacob


# Disable forwarding
echo 0 > /proc/sys/net/ipv4/ip_forward

# load some modules (if needed)
modprobe ip_nat_ftp
modprobe ip_conntrack_ftp

# Flush
iptables -t nat -F POSTROUTING
iptables -t nat -F PREROUTING
iptables -t nat -F OUTPUT
iptables -F

iptables -P INPUT DROP
iptables -P FORWARD DROP

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Open ports on router for server/services
iptables -A INPUT -s -j ACCEPT -p tcp --dport 20
iptables -A INPUT -s -j ACCEPT -p tcp --dport 21
iptables -A INPUT -j ACCEPT -p tcp --dport 22
iptables -A INPUT -j ACCEPT -p tcp --dport 25
iptables -A INPUT -j ACCEPT -p tcp --dport 80
iptables -A INPUT -j ACCEPT -p tcp --dport 143
iptables -A INPUT -j ACCEPT -p tcp --dport 993

# STATE RELATED for router
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

Check out the debian-firewall list also. It might be helpfull too.


Reply to: