On 20/04/2011 02:26, Tom H wrote:
On Tue, Apr 19, 2011 at 12:53 PM, Robert E. Blair <r...@anl.gov> wrote:

There is a sourceforge project called firestarter which has a rather
nice script that does lots of iptables config and provides a gui monitor
of firewall activity.

You could also try APF:
http://www.rfxn.com/projects/advanced-policy-firewall/
(I've never used it so this isn't an experienced-based recommendation
but I've installed it on a test box to check out its rules and they
looked good.)

Shorewall's also an option that you could consider. It's another blind
recommendation though; I've never even seen its default rules...

Thanks very much for the numerous answers. I read through a pile of documentation, and figured out the most simple solution was a handcrafted iptables script from scratch. Here goes:

--8<-------------------------------
#!/bin/sh
##/root/bin/firewall-start
IPT="/sbin/iptables"
WAN_IFACE="eth0"   # interface facing the Internet
LAN_IFACE="eth1"   # interface facing the local network
# Flush every rule and delete user-defined chains in all three tables
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X
# Default policies: anything addressed to the box itself is dropped unless
# a rule below accepts it; forwarded and outgoing traffic is allowed
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
# Loopback, plus the ICMP types needed for ping, traceroute and path MTU discovery
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
# Replies belonging to connections the box (or the LAN) already opened
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Services offered to the LAN side only: SSH and the DHCP server
$IPT -A INPUT -p tcp -i $LAN_IFACE --dport 22 -j ACCEPT
$IPT -A INPUT -p udp -i $LAN_IFACE --dport 67 -j ACCEPT
# Everything else is logged (prefix shows up in the kernel log) and rejected
$IPT -A INPUT -j LOG --log-prefix "+++ IPv4 packet rejected +++ "
$IPT -A INPUT -j REJECT
# NAT: share the WAN connection with the LAN
$IPT -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE
# Persist the rule set so the iptables init script restores it at boot
/sbin/service iptables save
/sbin/service iptables condrestart
--8<-------------------------------

Works like a charm so far. Logging (near the end of the script) tells me whenever I'm locking myself out of something.

Cheers from South France,

Niki
--
Microlinux - 100% Linux and free-software IT solutions
7, place de l'église - 30730 Montpezat
Web  : http://www.microlinux.fr
Mail : i...@microlinux.fr
Tel. : 04 66 63 10 32

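A small companion to the LOG rule in Niki's script, added here as an example and not part of the thread: it summarises the kernel log lines carrying the "+++ IPv4 packet rejected +++" prefix by input interface, protocol, destination port and source, which is what you want to see when the log tells you that you have locked yourself out of something. The log lines, hosts and ports below are constructed, and the field layout follows what the iptables LOG target writes.

```shell
#!/bin/sh
# Constructed sample of kernel log lines as written by the LOG rule above.
# The prefix is the one from the script; addresses, ports and MACs are made up,
# and "..." stands for fields omitted for brevity.
SAMPLE_LOG='Apr 20 02:30:11 gw kernel: +++ IPv4 packet rejected +++ IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1234 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 20 02:30:12 gw kernel: +++ IPv4 packet rejected +++ IN=eth0 OUT= MAC=... SRC=203.0.113.7 DST=198.51.100.2 LEN=60 ... PROTO=TCP SPT=51235 DPT=22 ... SYN URGP=0
Apr 20 02:31:40 gw kernel: +++ IPv4 packet rejected +++ IN=eth1 OUT= MAC=... SRC=192.168.1.20 DST=192.168.1.1 LEN=52 ... PROTO=TCP SPT=40000 DPT=80 ... SYN URGP=0
Apr 20 02:32:05 gw kernel: +++ IPv4 packet rejected +++ IN=eth0 OUT= MAC=... SRC=198.51.100.9 DST=198.51.100.2 LEN=48 ... PROTO=UDP SPT=5060 DPT=5060 LEN=28
Apr 20 02:32:06 gw kernel: some unrelated message'

# rejected_summary: read log lines on stdin, keep only those with the script's
# LOG prefix, and print "count iface proto dport src", most frequent first.
rejected_summary() {
    grep 'IPv4 packet rejected' |
    awk '{
        iface = ""; proto = ""; dpt = ""; src = "";
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=");               # fields look like KEY=VALUE
            if (kv[1] == "IN")    iface = kv[2];
            if (kv[1] == "PROTO") proto = kv[2];
            if (kv[1] == "DPT")   dpt   = kv[2];
            if (kv[1] == "SRC")   src   = kv[2];
        }
        count[iface " " proto " " dpt " " src]++;
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# lan_rejects: number of rejected packets that arrived on the LAN interface,
# i.e. the ones that mean a LAN service was hit by the catch-all REJECT.
lan_rejects() {
    grep 'IPv4 packet rejected' | grep -c "IN=$1 "
}

echo "$SAMPLE_LOG" | rejected_summary
echo "$SAMPLE_LOG" | lan_rejects eth1
```

On a live box the input would be `grep 'IPv4 packet rejected' /var/log/messages` (or `dmesg`) instead of the constructed sample.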