On Thursday 16 November 2006 15:19, Nangus Garba wrote:
> # I think that a set of rules that looks something like this would be
> easier to maintain
> # there are 500 little tricks that I could add if I was home and had my
> notes

Hey! Thanks for your help - please send some more when you get home. :)

> iptables -P INPUT DROP
> iptables -A INPUT -i lo -j ACCEPT

The "! $iface" is meant to catch incoming packets on an external iface
which have their IP address spoofed to 127.0.0.1, type of thing. Will
"lo" achieve the same thing?

> #this will take care of all interfaces by default
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # maybe you should just use one interface for portage to connect through
> such as eth0

Good point.

> # might also be a good plan to use the mac address instead of the ip, it is
> a little harder to spoof

Could I use both in a single rule?

> #Allow rsync connections from study1 to update portage
> iptables -A INPUT -i eth0 -p tcp -s 192.168.0.2 -m tcp --dport 873 -d
> 192.168.0.5 -j ACCEPT
> #Allow tcp connections from study1 to download distfiles
> iptables -A INPUT -i eth0 -p tcp -s 192.168.0.2 -m tcp --dport 1024 -d
> 192.168.0.5 -j ACCEPT
> # these rules are kinda taken care of by: iptables -P INPUT DROP

Yes, in their current format they are, but I had previously set them up to
REJECT with different messages.

> # iptables -A INPUT -p tcp -i ${x} -j DROP
> # iptables -A INPUT -p udp -i ${x} -j DROP

Keep 'em coming! :)
--
Regards,
Mick
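Added example, not from either poster: a dry-run script that assembles the ruleset discussed above and makes the two points raised in the reply explicit (an "-i lo" accept does not by itself catch 127/8 sources on other interfaces, and an IP match and a MAC match can sit in one rule). It assumes the eth0 interface and the 192.168.0.2 / 192.168.0.5 addresses from the thread and a constructed placeholder MAC for study1; it prints the commands instead of applying them unless IPT=iptables is set.

```shell
#!/bin/sh
# Added example (not from the thread): assemble the INPUT ruleset as a
# dry-run. By default the commands are only printed for review; run with
# IPT=iptables to apply them for real.
IPT="${IPT:-echo iptables}"
LAN_IF="eth0"                    # single interface for portage traffic
STUDY1_IP="192.168.0.2"          # from the thread
STUDY1_MAC="00:11:22:33:44:55"   # constructed placeholder, not a real host
SELF_IP="192.168.0.5"            # from the thread

build_rules() {
    $IPT -P INPUT DROP
    # Loopback traffic is accepted only when it arrives on lo ...
    $IPT -A INPUT -i lo -j ACCEPT
    # ... so "-i lo" by itself says nothing about packets on other
    # interfaces. A 127/8 source seen on any non-lo interface is spoofed
    # and is dropped here explicitly (this is what "! $iface" was for).
    $IPT -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # IP and MAC may be combined in one rule; both must match for ACCEPT.
    # The MAC check only has meaning on the directly attached LAN segment.
    $IPT -A INPUT -i "$LAN_IF" -p tcp -s "$STUDY1_IP" \
        -m mac --mac-source "$STUDY1_MAC" \
        -m tcp --dport 873 -d "$SELF_IP" -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -p tcp -s "$STUDY1_IP" \
        -m mac --mac-source "$STUDY1_MAC" \
        -m tcp --dport 1024 -d "$SELF_IP" -j ACCEPT
    # Everything else falls through to the DROP policy; a rate-limited
    # logging rule ahead of it keeps the dropped packets visible.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "
}

build_rules
```

Review the printed output first, then re-run with IPT=iptables as root; the anti-spoof rule must precede the ESTABLISHED,RELATED accept so a forged loopback source never matches an existing conntrack entry.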