John Conover writes:
> Piperみかこ writes:
> >
> > sudo /usr/sbin/iptables -F
> > sudo /usr/sbin/iptables -A INPUT -s 127.0.0.1 -j ACCEPT
> > sudo /usr/sbin/iptables -A INPUT -s xx.xx.xx.xx -j ACCEPT # my server public IP
> > sudo /usr/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT
> > sudo /usr/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
> > sudo /usr/sbin/iptables -A INPUT -p tcp -j DROP
> >
> iptables -F
> iptables -P INPUT ACCEPT
> iptables -P FORWARD ACCEPT
> iptables -P OUTPUT ACCEPT
> iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A INPUT -p icmp -j ACCEPT
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A INPUT -p tcp --dport 22 -j ACCEPT
> iptables -A INPUT -p tcp --dport 80 -j ACCEPT
> iptables -A INPUT -j REJECT --reject-with icmp-admin-prohibited
> iptables -A FORWARD -j REJECT --reject-with icmp-admin-prohibited
> iptables-save > /etc/iptables/rules.v4
>
> ip6tables -F
> ip6tables -P INPUT ACCEPT
> ip6tables -P FORWARD ACCEPT
> ip6tables -P OUTPUT ACCEPT
> ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
> ip6tables -A INPUT -i lo -j ACCEPT
> ip6tables -A INPUT -p tcp –dport 22 -j ACCEPT
> ip6tables -A INPUT -p tcp –dport 80 -j ACCEPT
> ip6tables -A INPUT -j REJECT --reject-with icmp6-adm-prohibited
> ip6tables -A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
> ip6tables-save > /etc/iptables/rules.v6
>
> And, look in /etc/iptables to make sure, and reboot; then check for
> outbound connections with a browser. (Note how icmp is handled - it is
> required.)
>
Sorry, cut from my machine docs. The two ipv6 statements should obviously be:

ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT
ip6tables -A INPUT -p tcp --dport 80 -j ACCEPT

Also, if you have root access on another machine, for assurance:

nmap -4 -Pn -sS -v -v IPV4_ADDRESS
nmap -4 -Pn -sU -v -v IPV4_ADDRESS
nmap -6 -Pn -sS -v -v IPV6_ADDRESS
nmap -6 -Pn -sU -v -v IPV6_ADDRESS

will take a lot of time to run, and should only find the two open ports.

John

-- 
John Conover, cono...@panix.com, http://www.johncon.com/
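A pre-reboot check in the spirit of "look in /etc/iptables to make sure", as an added example that is not part of the thread: a POSIX shell function that lints an iptables-save style file for the copy-paste bug corrected above (non-ASCII dashes in place of "--"), for the loopback and RELATED,ESTABLISHED rules, for the exact set of opened TCP ports, and for a final REJECT/DROP on INPUT. The function name `check_rules` and the two sample rules files are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread: lint an iptables-save style rules file
# before rebooting on it. check_rules FILE "22 80" returns 0 when the file
# looks right and 1 otherwise, printing what is wrong.
check_rules() {
    file=$1; want_ports=$2; rc=0
    # 1. Any byte outside printable ASCII means a mangled option such as the
    #    en dash in "-p tcp –dport 22" from the thread (iptables would reject it).
    if LC_ALL=C grep -n '[^ -~]' "$file"; then
        echo "ERROR: non-ASCII characters in rules file (smart dashes?)"; rc=1
    fi
    # 2. Loopback and stateful return traffic must be allowed.
    grep -q -- '-i lo -j ACCEPT' "$file" || { echo "ERROR: loopback not allowed"; rc=1; }
    grep -Eq -- '--(ct)?state RELATED,ESTABLISHED -j ACCEPT' "$file" \
        || { echo "ERROR: no RELATED,ESTABLISHED rule"; rc=1; }
    # 3. The opened TCP ports must be exactly the expected set (a mangled
    #    "--dport" never matches, so a missing port is reported as well).
    got=$(grep -- '-j ACCEPT' "$file" | sed -n 's/.*--dport \([0-9]*\).*/\1/p' | sort -n | tr '\n' ' ')
    exp=$(printf '%s\n' $want_ports | sort -n | tr '\n' ' ')
    [ "$got" = "$exp" ] || { echo "ERROR: open ports '$got' but expected '$exp'"; rc=1; }
    # 4. The last INPUT rule must be a catch-all REJECT or DROP.
    case "$(grep -- '-A INPUT' "$file" | tail -n 1)" in
        *"-j REJECT"*|*"-j DROP"*) ;;
        *) echo "ERROR: INPUT chain does not end in REJECT/DROP"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample files (not the poster's real rules): a clean rules.v4
# and a copy carrying the thread's copy-paste bug (en dash instead of "--").
GOOD=$(mktemp); BAD=$(mktemp)
cat > "$GOOD" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-admin-prohibited
COMMIT
EOF
sed 's/--dport 22/–dport 22/' "$GOOD" > "$BAD"
check_rules "$GOOD" "22 80" && echo "clean file: OK"
check_rules "$BAD" "22 80" || echo "mangled file: rejected (as it should be)"
```

Run it against /etc/iptables/rules.v4 and rules.v6 after iptables-save; it is a cheap complement to the external scan, not a replacement for it.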