On Thu, Aug 28, 2003 at 04:55:42PM -0500, Scot Jenkins wrote:
> Personally, I've tried a lot of the GUI frontends to iptables and
> usually ended up just coding the ruleset by hand. YMMV.

I find this to be quite true as well. Most firewalls are quite simple,
especially with iptables state-based filtering. Here's an exceedingly
simple example:

#!/bin/sh
# Set up default policy: drop anything not explicitly accepted below
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Allow all local loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# First, "whitelist" -- accept established,related connections. Fastest
# processing of incoming packets. Because we accept immediately,
# tracking bandwidth usage by port doesn't work, but who cares?
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Next, incoming "blacklists". e.g. modem block from attbi
iptables -N blacklist
iptables -A blacklist -s bad.ip.address -j DROP

# Log, then drop, new TCP connections whose first packet is not a SYN
iptables -A blacklist -p tcp ! --syn -m state --state NEW -j LOG \
    --log-level INFO --log-prefix "IPT New not syn:"
iptables -A blacklist -p tcp ! --syn -m state --state NEW -j DROP

# Add blacklist to INPUT
iptables -A INPUT -i eth0 -j blacklist

# Hosting these services: ssh, auth, http, https, imap
iptables -A INPUT -i eth0 -p tcp --dport ssh   -j ACCEPT  # Remote access
iptables -A INPUT -i eth0 -p tcp --dport auth  -j ACCEPT  # For identd calls
iptables -A INPUT -i eth0 -p tcp --dport http  -j ACCEPT  # Web
iptables -A INPUT -i eth0 -p tcp --dport https -j ACCEPT  # Secure web
iptables -A INPUT -i eth0 -p tcp --dport imap  -j ACCEPT  # Email

# You don't want to regulate outgoing traffic, do you?
iptables -A OUTPUT -o eth0 -j ACCEPT

# If you want to log packets before you drop them via default policy,
# uncomment these (the OUTPUT chain matches on -o, not -i):
#iptables -A INPUT  -i eth0 -j LOG --log-level INFO --log-prefix "IPT drop eth0:"
#iptables -A OUTPUT -o eth0 -j LOG --log-level INFO --log-prefix "IPT drop eth0:"

# Done.
-- 
Chad Walstrom <chewie at wookimus.net>           http://www.wookimus.net/
assert(expired(knowledge)); /* core dump */
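The LOG rules in the ruleset above only pay off if someone reads what they write. Here is an added example (not from the original mail or its author) that summarises those kernel-log lines per source address; it assumes the two prefixes used in the script, "IPT New not syn:" and "IPT drop eth0:", and the standard SRC=/DPT= field layout of the iptables LOG target, and the log lines are constructed samples.

```shell
#!/bin/sh
# Added example: summarise iptables LOG output produced by the ruleset above.
# Assumes the prefixes "IPT New not syn:" and "IPT drop eth0:" and the usual
# LOG field layout (IN= OUT= SRC= DST= PROTO= SPT= DPT= ...).

# Constructed sample kernel-log lines (not real traffic).
SAMPLE_LOG='Aug 28 17:01:02 host kernel: IPT New not syn:IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=22 ACK
Aug 28 17:01:03 host kernel: IPT New not syn:IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=80 ACK
Aug 28 17:01:05 host kernel: IPT drop eth0:IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=23 SYN
Aug 28 17:01:06 host kernel: IPT drop eth0:IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=UDP SPT=51235 DPT=161
Aug 28 17:01:07 host kernel: IPT drop eth0:IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=25 SYN
Aug 28 17:01:08 host kernel: unrelated message that must be ignored'

# ipt_summary: read log lines on stdin and print one line per (rule, source):
#   <rule>|<src>|<hit count>|<comma-separated destination ports>
ipt_summary() {
    awk '
        /IPT New not syn:|IPT drop eth0:/ {
            rule = ($0 ~ /IPT New not syn:/) ? "newnotsyn" : "drop"
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            key = rule "|" src
            count[key]++
            if (key in ports) ports[key] = ports[key] "," dpt
            else ports[key] = dpt
        }
        END { for (k in count) print k "|" count[k] "|" ports[k] }
    ' | LC_ALL=C sort
}

# ipt_noisy_sources MIN: print sources with at least MIN logged hits across
# both rules, a simple threshold for deciding what deserves a closer look.
ipt_noisy_sources() {
    awk -v min="$1" '
        /IPT New not syn:|IPT drop eth0:/ {
            for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) total[substr($i, 5)]++
        }
        END { for (s in total) if (total[s] >= min) print s }
    ' | LC_ALL=C sort
}

# Usage: in practice pipe `grep 'IPT ' /var/log/kern.log` in instead.
printf '%s\n' "$SAMPLE_LOG" | ipt_summary
printf '%s\n' "$SAMPLE_LOG" | ipt_noisy_sources 3
```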