On Fri, 2003-08-29 at 11:47, Andrew Gaffney wrote:
> I'm trying to create a firewall using iptables. I want it to drop
> incoming packets except to ports 22, 25, and 80 unless the source
> address is 192.168.254.x. I'm asking before I do this because I'm
> accessing the computer remotely right now and I don't want to cut myself
> off from it. I'm thinking something like:
>
> <snip>
>
> Would either of these get me the desired results?
i'm thinkin' you want:
# policies
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# accept established connections to save having to go through all of those rules.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# dns, repeat for each address
iptables -A OUTPUT -o eth0 -p udp -s <YOUR_IP> --sport 1024:65535 -d <DNS_IP> --dport 53 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -s <YOUR_IP> --sport 1024:65535 -d <DNS_IP> --dport 53 -m state --state NEW -j ACCEPT
# outgoing traffic
iptables -A OUTPUT -o eth0 -p tcp -s <YOUR_IP> --sport 1024:65535 --dport 22 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -s <YOUR_IP> --sport 1024:65535 --dport 25 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -s <YOUR_IP> --sport 1024:65535 --dport 80 -m state --state NEW -j ACCEPT
# incoming connections (source network goes with -s, source port range with --sport)
iptables -A INPUT -i eth0 -p tcp -s 192.168.254.0/24 --sport 1024:65535 -d <YOUR_IP> --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -s 192.168.254.0/24 --sport 1024:65535 -d <YOUR_IP> --dport 25 -m state --state NEW -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -s 192.168.254.0/24 --sport 1024:65535 -d <YOUR_IP> --dport 80 -m state --state NEW -j ACCEPT
note the following:
(a) the chain policy (-P) should always be put at the top.
(b) the output DROP policy is generally regarded as a little too
restrictive, but i like it that way... you may want to use them
or not.
(c) this script doesn't do everything, i.e. it doesn't disable
forwarding and check for martians etc. i would suggest you buy a
book and get the low-down on iptables to fully understand
everything about it.
(d) connection tracking must be available to iptables. so you should
either load the module (ip_conntrack), or compile it directly into
your kernel.
--
this is your life and it's ending one minute at a time.
- tyler Durden, "fight club"
--
[EMAIL PROTECTED] mailing list
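An added example, not the responder's script or anything from this thread: a small POSIX sh script that builds an INPUT chain for the requirement as the original question states it (hosts in 192.168.254.0/24 may reach any port, everyone else only tcp/22, 25 and 80), ordered so that the loopback and ESTABLISHED,RELATED rules are in place before the policy flips to DROP, which is what keeps a remote SSH session alive while the rules are loaded. The interface name eth0 is an assumption; by default the script only prints the iptables commands (IPT=iptables applies them), and two helper functions check the generated ruleset before it is applied.

```shell
#!/bin/sh
# Added example, not from the thread. Dry-run by default: $IPT expands to
# "echo iptables" so the commands are printed; run with IPT=iptables to apply.
IPT="${IPT:-echo iptables}"
WAN_IF="${WAN_IF:-eth0}"                    # assumed interface name
LAN_NET="${LAN_NET:-192.168.254.0/24}"      # trusted network from the question
OPEN_PORTS="${OPEN_PORTS:-22 25 80}"        # TCP ports open to everyone

build_ruleset() {
    # Start with an ACCEPT policy and an empty chain: flushing a chain whose
    # policy is already DROP would cut off the session we are working from.
    $IPT -P INPUT ACCEPT
    $IPT -F INPUT
    # Loopback, then replies to connections we already have (needs ip_conntrack).
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Trusted LAN: any new connection, on any port.
    $IPT -A INPUT -i "$WAN_IF" -s "$LAN_NET" -m state --state NEW -j ACCEPT
    # Everyone else: only the published TCP services.
    for port in $OPEN_PORTS; do
        $IPT -A INPUT -i "$WAN_IF" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    # Default deny goes last, after the rule that keeps the current session alive.
    $IPT -P INPUT DROP
}

# Checks on the generated rules (always in dry-run mode, whatever $IPT is set to).
count_accept_rules() {
    (IPT="echo iptables"; build_ruleset) | grep -c -- '-j ACCEPT'
}
drop_policy_is_last() {
    (IPT="echo iptables"; build_ruleset) | tail -n 1 | grep -q -- '-P INPUT DROP'
}

build_ruleset
```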