On Thu, Aug 28, 2003 at 04:55:42PM -0500, Scot Jenkins wrote:
> Personally, I've tried a lot of the GUI frontends to iptables and
> usually ended up just coding the ruleset by hand. YMMV.
I find this to be quite true as well. Most firewalls are quite simple,
especially with iptables state-based filtering. Here's an exceedingly
simple example:
#!/bin/sh
# Set up default policy
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# Allow all local loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# First, "whitelist" -- accept established,related connections. Fastest
# processing of incoming packets. Because we accept immediately,
# tracking bandwidth usage by port doesn't work, but who cares?
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Next, incoming "blacklists". e.g. modem block from attbi
iptables -N blacklist
iptables -A blacklist -s bad.ip.address -j DROP
# Drop bad TCP packets: a "new" connection whose first packet is not a SYN
# (note the long option is --syn; a single-dash -syn is rejected by iptables)
iptables -A blacklist -p tcp ! --syn -m state --state NEW -j LOG \
--log-level INFO --log-prefix "IPT New not syn:"
iptables -A blacklist -p tcp ! --syn -m state --state NEW -j DROP
# Add blacklist to INPUT
iptables -A INPUT -i eth0 -j blacklist
# Hosting these services: ssh, auth, http, https, imap
iptables -A INPUT -i eth0 -p tcp --dport ssh -j ACCEPT # Remote access
iptables -A INPUT -i eth0 -p tcp --dport auth -j ACCEPT # For identd calls
iptables -A INPUT -i eth0 -p tcp --dport http -j ACCEPT # Web
iptables -A INPUT -i eth0 -p tcp --dport https -j ACCEPT # Secure web
iptables -A INPUT -i eth0 -p tcp --dport imap -j ACCEPT # Email
# You don't want to regulate outgoing traffic, do you?
iptables -A OUTPUT -o eth0 -j ACCEPT
# If you want to log packets before you drop them via default policy,
# uncomment these (the OUTPUT chain matches on -o, the outgoing interface):
#iptables -A INPUT -i eth0 -j LOG --log-level INFO --log-prefix "IPT drop eth0:"
#iptables -A OUTPUT -o eth0 -j LOG --log-level INFO --log-prefix "IPT drop eth0:"
# Done.
--
Chad Walstrom <chewie at wookimus.net> http://www.wookimus.net/
assert(expired(knowledge)); /* core dump */
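As an added example that is not part of Chad's post or his ruleset: the LOG rules above write one kernel log line per packet, tagged with the prefixes "IPT New not syn:" and "IPT drop eth0:". The small Python parser below reads those lines back, counts hits per prefix and per (source, protocol, destination port), and lists the non-SYN "new" TCP packets that the blacklist chain caught. The log lines are constructed samples in netfilter's LOG-target field layout (IN= OUT= MAC= SRC= DST= ... PROTO= SPT= DPT= and bare flag tokens such as SYN or DF), using documentation-range addresses, not real traffic.

```python
import re
from collections import Counter

# Constructed sample kernel log lines in the format netfilter's LOG target
# emits, using the two prefixes from the ruleset above. Addresses are from
# the documentation ranges; this is not captured traffic.
SAMPLE_LOG = """\
Aug 28 17:01:02 gw kernel: IPT drop eth0:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4711 DF PROTO=TCP SPT=51234 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Aug 28 17:01:02 gw kernel: IPT drop eth0:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4712 DF PROTO=TCP SPT=51235 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Aug 28 17:01:03 gw kernel: IPT drop eth0:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4713 DF PROTO=TCP SPT=51236 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
Aug 28 17:01:05 gw kernel: IPT drop eth0:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=203.0.113.2 LEN=28 TOS=0x00 PREC=0x00 TTL=117 ID=8 PROTO=UDP SPT=137 DPT=137 LEN=8
Aug 28 17:01:09 gw kernel: IPT New not syn:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.44 DST=203.0.113.2 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=0 PROTO=TCP SPT=80 DPT=3456 WINDOW=1024 RES=0x00 ACK URGP=0
Aug 28 17:01:11 gw kernel: some unrelated kernel message
"""

# The user-chosen --log-prefix sits between "kernel: " and the first "IN=".
LOG_RE = re.compile(r"kernel: (?P<prefix>.*?)IN=(?P<rest>.*)$")

# Tokens the LOG target emits without a value.
FLAGS = {"DF", "SYN", "ACK", "FIN", "RST", "PSH", "URG", "CWR", "ECE"}


def parse_log_line(line):
    """Return a dict of fields for one netfilter LOG line, or None for any
    other kernel message."""
    m = LOG_RE.search(line)
    if not m:
        return None
    fields = {"prefix": m.group("prefix"), "flags": set()}
    # Re-attach "IN=" so everything tokenises uniformly as KEY=VALUE.
    for tok in ("IN=" + m.group("rest")).split():
        if "=" in tok:
            key, _, val = tok.partition("=")
            # UDP lines carry a second LEN= (the UDP length); keep the first,
            # IP-level, value.
            fields.setdefault(key, val)
        elif tok in FLAGS:
            fields["flags"].add(tok)
    return fields


def summarize(lines):
    """Count logged packets per prefix and per (SRC, PROTO, DPT), and collect
    the 'New not syn' hits: TCP packets that were neither a SYN nor part of
    a connection the state table already knew about."""
    by_prefix = Counter()
    by_target = Counter()
    not_syn = []
    ignored = 0
    for line in lines:
        f = parse_log_line(line)
        if f is None:
            ignored += 1
            continue
        by_prefix[f["prefix"]] += 1
        by_target[(f.get("SRC"), f.get("PROTO"), f.get("DPT"))] += 1
        if f["prefix"].startswith("IPT New not syn"):
            not_syn.append((f.get("SRC"), f.get("SPT"), f.get("DPT"),
                            sorted(f["flags"])))
    return {"by_prefix": by_prefix, "by_target": by_target,
            "not_syn": not_syn, "ignored": ignored}


def top_targets(summary, n=3):
    """Most frequently logged (SRC, PROTO, DPT) tuples."""
    return summary["by_target"].most_common(n)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG.splitlines())
    for prefix, count in s["by_prefix"].items():
        print(f"{count:4d}  {prefix}")
    print("most logged (src, proto, dport):")
    for (src, proto, dpt), count in top_targets(s):
        print(f"{count:4d}  {src} {proto} dpt={dpt}")
    for src, spt, dpt, flags in s["not_syn"]:
        print(f"non-SYN new TCP from {src}:{spt} -> dpt {dpt} flags={flags}")
```

Run it against the real log with `grep 'IPT ' /var/log/messages | python3 thisfile.py` adapted to read stdin, or import `summarize` from a cron job; the per-prefix counts tell you whether the "New not syn" rule is firing at all, and the per-target counts show which closed ports the default DROP policy is absorbing.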