Andrew Dacey wrote:
----- Original Message ----- From: "Andrew Gaffney" <[EMAIL PROTECTED]>
To: "Gentoo User" <[EMAIL PROTECTED]>
Sent: Friday, August 29, 2003 12:47 PM
Subject: [gentoo-user] iptables help
I'm trying to create a firewall using iptables. I want it to drop incoming packets except to ports 22, 25, and 80 unless the source address is 192.168.254.x. I'm asking before I do this because I'm accessing the computer remotely right now and I don't want to cut myself off from it. I'm thinking something like:
iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p all -j DROP
-or-
iptables -P INPUT DROP
iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
Would either of these get me the desired results?
I'd be tempted to add a line of
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
That way any traffic you initiate from that box will be able to get back in.
As someone else mentioned, I'd use the option of setting the INPUT policy to DROP, but make sure to set that AFTER you've set up the other rules.
So, it should be:
iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -P INPUT DROP
Correct?
Something I forgot to mention is that there is a 2nd interface: ppp0. I have a ppp dial-in server set up for my use. I have a few iptables rules set up to NAT stuff from ppp0 out through eth0. Will the above rules interfere with that?
-- Andrew Gaffney
-- [EMAIL PROTECTED] mailing list
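The following is an added example, not code posted by either Andrew in this thread. It puts the rules discussed above into iptables-restore format, which loads the whole filter and nat tables atomically, so the DROP policy and the ACCEPT rules take effect in one step and a remote SSH session cannot be cut off by a half-applied script. It also answers the ppp0 question by keeping routed traffic in the FORWARD chain and the NAT rule in the nat table, neither of which the INPUT rules touch. The interface names (eth0, ppp0), the LAN range, the choice of MASQUERADE for the NAT, trusting everything that arrives on ppp0, and the 60 second rollback timer are all assumptions for the example.

```shell
#!/bin/bash
# Added example for the thread above; not the poster's own firewall script.
# Assumptions: eth0 faces the Internet, ppp0 is the dial-in peer, and the
# trusted LAN is 192.168.254.0/24.
LAN=192.168.254.0/24
WAN_IF=eth0
PPP_IF=ppp0

# Emit the complete ruleset in iptables-restore format. The default policies
# sit in the chain headers, so they land together with the ACCEPT rules when
# the file is loaded; there is no ordering problem as with a series of
# "iptables -A" / "iptables -P" commands run one after another.
ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback first, then replies to connections this box already opened.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# Everything from the trusted LAN range.
-A INPUT -s $LAN -j ACCEPT
# Assumption: the dial-in peer on ppp0 is the owner's own machine.
-A INPUT -i $PPP_IF -j ACCEPT
# Public services: only new TCP connections to these three ports.
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
# Traffic routed from the dial-in client out to the Internet goes through
# FORWARD, not INPUT, so the INPUT rules above never see it.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $PPP_IF -o $WAN_IF -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Source NAT for the dial-in client; MASQUERADE is assumed here because the
# eth0 address may change.
-A POSTROUTING -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}

# Load the ruleset with a safety net: the previous rules are saved first and
# restored by a background timer unless the operator confirms within 60 s.
# If the new rules lock the SSH session out, nobody confirms, and the old
# rules come back on their own. Needs root and iptables-restore.
apply_with_rollback() {
    backup=$(mktemp) || return 1
    iptables-save > "$backup" || return 1
    ruleset | iptables-restore || return 1
    ( sleep 60; iptables-restore < "$backup" ) &
    timer=$!
    printf 'Rules loaded. Press Enter within 60 s to keep them: '
    read -r _
    kill "$timer" 2>/dev/null && rm -f "$backup"
}
```

Before loading for real, `ruleset | iptables-restore --test` parses the file without changing anything, which catches typos in a rule on a remote box. Note that a plain "iptables -A" script appends duplicates every time it is re-run, whereas iptables-restore replaces the tables, so this form is also safer to keep in an init script.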