Hi Chris,

On Fri, Apr 18, 2008 at 11:51:19AM +0100, Chris Rowson wrote:
> Just a quicky. I've been mucking around with iptables for a while, but I'm
> still a bit shaky with them. Would anyone mind checking this over for me
> please?
Looks pretty good. I would add RELATED to the ESTABLISHED bit so that it also works for protocols other than TCP, and I'd put that line first so that packets exit the firewall sooner (most packets will match an established or related flow). So:

echo "Applying firewall rules"
iptables -F
iptables -A INPUT -p tcp -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 -j DROP
echo "Rules applied"

You may then want to restrict the ssh line to SYN packets since if it's not a SYN it shouldn't have got that far, but that's just being picky.

> On a side note, I've added a symbolic link called S95firewall to this script
> in /etc/rc2.d/, but it doesn't seem to run this script at startup? Any ideas
> what I'm doing wrong?

Not sure, but I usually prefer to do it from /etc/network/interfaces:

iface eth0 inet static
    address 192.168.194.121
    netmask 255.255.255.0
    gateway 192.168.194.1
    pre-up /etc/iptables.sh

Cheers,
Andy

-- 
http://bitfolk.com/ -- No-nonsense VPS hosting
Encrypted mail welcome - keyid 0x604DE5DB
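Added example, not from the thread or from Andy: a small Python model of the INPUT chain's first-match evaluation, showing why the ESTABLISHED,RELATED rule goes first and what the --syn restriction on the ssh rule changes. The packets and the "before" ordering are constructed assumptions, and nothing here drives iptables itself.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    """Constructed packet summary: only the fields these rules look at."""
    proto: str            # "tcp" or "udp"
    dport: int
    syn: bool = False     # SYN set, ACK clear: what iptables --syn matches
    state: str = "NEW"    # conntrack state: NEW, ESTABLISHED or RELATED

def evaluate(rules, pkt, policy="ACCEPT"):
    """Walk a chain first-match style; return (target, rules examined).
    A packet matching no rule gets the default policy, as in iptables."""
    for examined, (match, target) in enumerate(rules, start=1):
        if match(pkt):
            return target, examined
    return policy, len(rules)

# Assumed "before" ordering the reply argues against (not quoted in the
# thread): ssh rule first, ESTABLISHED only, all other TCP dropped.
BEFORE = [
    (lambda p: p.proto == "tcp" and p.dport == 22, "ACCEPT"),
    (lambda p: p.proto == "tcp" and p.state == "ESTABLISHED", "ACCEPT"),
    (lambda p: p.proto == "tcp", "DROP"),
]

# Andy's ordering with RELATED added, plus the --syn refinement on ssh.
AFTER = [
    (lambda p: p.proto == "tcp" and p.state in ("ESTABLISHED", "RELATED"), "ACCEPT"),
    (lambda p: p.proto == "tcp" and p.dport == 22 and p.syn, "ACCEPT"),
    (lambda p: p.proto == "tcp", "DROP"),
]

def compare(pkt):
    """Evaluate one packet against both chains for side-by-side comparison."""
    return {"before": evaluate(BEFORE, pkt), "after": evaluate(AFTER, pkt)}

if __name__ == "__main__":
    samples = [
        ("reply segment on our own outbound flow", Packet("tcp", 40000, state="ESTABLISHED")),
        ("related flow, e.g. FTP data", Packet("tcp", 40001, state="RELATED")),
        ("new ssh connection (SYN)", Packet("tcp", 22, syn=True)),
        ("non-SYN segment to 22, not part of a tracked flow", Packet("tcp", 22)),
    ]
    for name, pkt in samples:
        print(f"{name:50} {compare(pkt)}")
```

The last sample is the case the reply calls "shouldn't have got that far": the original order accepts it on the ssh rule, while the revised order only accepts a SYN there and drops the rest.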
-- 
ubuntu-uk@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-uk
https://wiki.ubuntu.org/UKTeam/