There is a really, really outstanding resource on-line at: http://www.sns.ias.edu/~jns/security/iptables/rules.html -- rules more for a client than a server, but very explicit and educational
Hope this helps,
Marc

On Wed, 2003-09-17 at 11:13, Brad Davidson wrote:
> I used to hang out on the LARTC list, so here's my analysis. Quite
> possibly flawed. You may want to ask the LARTC guys, they eat stuff like
> this for breakfast.
>
> Bob Crandell wrote:
> > Here is rc.iptables:
> > #===================================
> > #/bin/sh
> >
> > LOOPNET="127.0.0.0/8"
> > LOCALNET="216.239.175.0/24"
> >
> > echo " Clearing existing configuration."
> > /usr/sbin/iptables -P INPUT ACCEPT
> > /usr/sbin/iptables -F INPUT
> > /usr/sbin/iptables -P OUTPUT ACCEPT
> > /usr/sbin/iptables -F OUTPUT
> > /usr/sbin/iptables -P FORWARD ACCEPT
> > /usr/sbin/iptables -F FORWARD
> > /usr/sbin/iptables -F -t nat
> > /usr/sbin/iptables -F logdrop
> > /usr/sbin/iptables -X logdrop
> >
> > echo "Create Drop Chain."
> > /usr/sbin/iptables -N logdrop
> > /usr/sbin/iptables -A logdrop -j LOG --log-level info
> > /usr/sbin/iptables -A logdrop -j DROP
> >
> > echo "INPUT Rule sets."
> > /usr/sbin/iptables -A INPUT -i lo -j ACCEPT
> Accept everything from your loopback addy
> > /usr/sbin/iptables -A INPUT -i eth0 -j ACCEPT
> Accept everything from the adapter
> > /usr/sbin/iptables -A INPUT -i eth0 -s $LOOPNET -j logdrop
> Drop things from loopback network. Except you already jumped to ACCEPT
> for everything via 'lo', so this is never matched
> > /usr/sbin/iptables -A INPUT -i eth0 -d $LOOPNET -j logdrop
> Drop things to loopback network. Except you already jumped to ACCEPT
> for everything via 'lo', so this is never matched
> > /usr/sbin/iptables -A INPUT -i eth0 -s $LOCALNET -j ACCEPT
> Accept everything from the localnet network. Except you already accepted
> things from eth0, so this is never matched
> >
> > echo "Redirect Web traffic through Dan's Guardian"
> > /usr/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 81 -j REDIRECT --to-port 8080
> > #===================================
> >
> > This works, but it lets the whole world in. Not good.
> Indeed it does.
>
> Here's what I would do:
>
> OK_NET1="216.239.175.0/24"
> OK_NET2="64.28.48.0/24"
> OK_HOST1="64.112.226.198"
>
> #flush rules before setting policy
> #also, set a default deny rule. Safer that way...
> iptables -F INPUT
> iptables -P INPUT DROP
> iptables -F FORWARD
> iptables -P FORWARD DROP
> iptables -F OUTPUT
> iptables -P OUTPUT ACCEPT
> iptables -F -t nat
> iptables -F sort
> iptables -X sort
>
> iptables -N sort
> #accept from the OK hosts and nets
> iptables -A sort -s $OK_NET1 -j ACCEPT
> iptables -A sort -s $OK_NET2 -j ACCEPT
> iptables -A sort -s $OK_HOST1 -j ACCEPT
> #everything else is logged and then dropped
> iptables -A sort -j LOG --log-level info
> iptables -A sort -j DROP
>
> #jump to the sorting rule from input and forward.
> #output isn't really worth worrying about IMHO - the
> #unwanted hosts don't get in, so why would there
> #be anything going back to them
> iptables -A INPUT -j sort
> iptables -A FORWARD -j sort
>
> #Finally, we add the shim rule:
> #Sends all inbound port 81 traffic over to 8080
> iptables -t nat -A PREROUTING -i eth0 -p tcp \
>   --dport 81 -j REDIRECT --to-port 8080
>
> See how that works. Or maybe I missed the mark entirely. Lemme know.
>
> -Brad
>
> (PS - please forgive me if a dupe of this message is ever posted to the
> list. I accidentally sent the original message from the wrong alias...)
>
> _______________________________________________
> EuG-LUG mailing list
> [EMAIL PROTECTED]
> http://mailman.efn.org/cgi-bin/listinfo/eug-lug
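To make the ordering problem in the thread concrete, here is an added Python model (not code from either message, and not iptables itself) that walks both INPUT rule sets with iptables' first-match semantics: Bob's blanket `-i eth0 -j ACCEPT` shadows every rule after it, while Brad's `sort` chain accepts only the listed sources. It models only interface and source-address matching, and the sample packets in the checks are constructed.

```python
import ipaddress
# Added model of iptables first-match chain walking (not iptables itself).
# A rule has optional interface/source-network matches and a target:
# ACCEPT, DROP, LOG (non-terminating) or the name of a user chain.
def rule(target, iface=None, src=None):
    return {"target": target, "iface": iface,
            "src": ipaddress.ip_network(src) if src else None}

def matches(r, pkt):
    if r["iface"] and r["iface"] != pkt["iface"]:
        return False
    if r["src"] and ipaddress.ip_address(pkt["src"]) not in r["src"]:
        return False
    return True

def walk(chains, chain, pkt, log):
    # Return ACCEPT/DROP from the first terminating match, else None.
    for r in chains[chain]:
        if not matches(r, pkt):
            continue
        t = r["target"]
        if t == "LOG":
            log.append(f"{chain}: {pkt['iface']} {pkt['src']}")
            continue                      # LOG matches but never terminates
        if t in ("ACCEPT", "DROP"):
            return t
        v = walk(chains, t, pkt, log)     # jump into a user-defined chain
        if v is not None:
            return v
    return None                           # fell off the end of the chain

def verdict(chains, policy, pkt):
    log = []
    return walk(chains, "INPUT", pkt, log) or policy, log
# Bob's INPUT chain (-d $LOOPNET rule omitted): blanket eth0 ACCEPT shadows all later rules.
BOB = {"INPUT": [rule("ACCEPT", iface="lo"), rule("ACCEPT", iface="eth0"),
                 rule("logdrop", iface="eth0", src="127.0.0.0/8"),
                 rule("ACCEPT", iface="eth0", src="216.239.175.0/24")],
       "logdrop": [rule("LOG"), rule("DROP")]}
# Brad's version: INPUT jumps to 'sort', which accepts only listed sources.
BRAD = {"INPUT": [rule("sort")],
        "sort": [rule("ACCEPT", src="216.239.175.0/24"),
                 rule("ACCEPT", src="64.28.48.0/24"),
                 rule("ACCEPT", src="64.112.226.198"),
                 rule("LOG"), rule("DROP")]}

def compare(pkt):  # verdict under both rule sets, with the policies as posted
    return {"bob": verdict(BOB, "ACCEPT", pkt)[0],
            "brad": verdict(BRAD, "DROP", pkt)[0]}
```

Because Brad's rule set has no `-i lo` accept and its INPUT policy is DROP, the same model shows loopback traffic being logged and dropped under it as well.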
