On Thu, 2003-08-28 at 22:07, Chad Walstrom wrote:
> On Thu, Aug 28, 2003 at 04:55:42PM -0500, Scot Jenkins wrote:
> > Personally, I've tried a lot of the GUI frontends to iptables and
> > usually ended up just coding the ruleset by hand. YMMV.
>
> I find this to be quite true as well. Most firewalls are quite simple,
> especially with iptables state-based filtering. Here's an exceedingly
> simple example:
>
> #!/bin/sh
> # Set up default policy
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -P FORWARD DROP
>
> # Allow all local loopback
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A OUTPUT -o lo -j ACCEPT
>
> # First, "whitelist" -- accept established,related connections. Fastest
> # processing of incoming packets. Because we accept immediately,
> # tracking bandwidth usage by port doesn't work, but who cares?
> iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # Next, incoming "blacklists". e.g. modem block from attbi
> iptables -N blacklist
> iptables -A blacklist -s bad.ip.address -j DROP
>
> # Drop bad TCP packets: a NEW connection whose first packet is not a SYN
> iptables -A blacklist -p tcp ! --syn -m state --state NEW -j LOG \
>     --log-level INFO --log-prefix "IPT New not syn:"
> iptables -A blacklist -p tcp ! --syn -m state --state NEW -j DROP
>
> # Add blacklist to INPUT
> iptables -A INPUT -i eth0 -j blacklist
>
> # Hosting these services: ssh, auth, http, https, imap
> iptables -A INPUT -i eth0 -p tcp --dport ssh -j ACCEPT     # Remote access
> iptables -A INPUT -i eth0 -p tcp --dport auth -j ACCEPT    # For identd calls
> iptables -A INPUT -i eth0 -p tcp --dport http -j ACCEPT    # Web
> iptables -A INPUT -i eth0 -p tcp --dport https -j ACCEPT   # Secure web
> iptables -A INPUT -i eth0 -p tcp --dport imap -j ACCEPT    # Email
>
> # You don't want to regulate outgoing traffic, do you?
> iptables -A OUTPUT -o eth0 -j ACCEPT
>
> # If you want to log packets before you drop them via default policy,
> # uncomment these (OUTPUT rules match the outgoing interface with -o):
> #iptables -A INPUT -i eth0 -j LOG --log-level INFO --log-prefix "IPT drop eth0:"
> #iptables -A OUTPUT -o eth0 -j LOG --log-level INFO --log-prefix "IPT drop eth0:"
>
> # Done.

-- 
Tom Penney <blots at visi.com>

_______________________________________________
TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
http://www.mn-linux.org
tclug-list at mn-linux.org
https://mailman.real-time.com/mailman/listinfo/tclug-list
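The script quoted above writes two kinds of entries to the kernel log, "IPT New not syn:" from the blacklist chain and (if uncommented) "IPT drop eth0:" for packets that fall through to the default DROP policy. The following is an added example, not part of the original post or Chad's script: a small sh/awk summarizer that reads such kernel log lines and reports, per log prefix, which source addresses hit which destination ports, plus a per-source tally above a threshold, which is what you would look at before deciding whether an address belongs in the "blacklist" chain. The function names (ipt_summarize, ipt_top_sources, sample_log) are my own, and the sample log lines are constructed to match the iptables LOG target's format (prefix immediately followed by IN=... OUT=... SRC=... DST=... PROTO=... SPT=... DPT=...).

```shell
#!/bin/sh
# Added example (not from the original post): summarize iptables LOG output.
# Assumes the standard iptables LOG line layout, e.g.
#   "... kernel: IPT New not syn:IN=eth0 OUT= SRC=a.b.c.d DST=... PROTO=TCP SPT=n DPT=m ..."
# The log prefix is whatever sits between "kernel: " and "IN=".

# ipt_summarize: read kernel log lines on stdin, print one line per
# "prefix|src|dport|count", highest count first. ICMP entries carry no DPT
# and are reported with "-" as the port.
ipt_summarize() {
    awk '
    /kernel: IPT / {
        line = $0
        sub(/^.*kernel: /, "", line)      # strip syslog timestamp/host
        prefix = line
        sub(/IN=.*$/, "", prefix)         # keep only the --log-prefix text
        src = ""; dpt = ""
        n = split(line, f, " ")
        for (i = 1; i <= n; i++) {
            if (f[i] ~ /^SRC=/) src = substr(f[i], 5)
            if (f[i] ~ /^DPT=/) dpt = substr(f[i], 5)
        }
        if (dpt == "") dpt = "-"
        count[prefix "|" src "|" dpt]++
    }
    END { for (k in count) print k "|" count[k] }
    ' | LC_ALL=C sort -t '|' -k4,4nr -k1,1 -k2,2 -k3,3
}

# ipt_top_sources THRESHOLD: total log entries per source address across all
# prefixes, printing "src count" for sources at or above THRESHOLD (default 10).
ipt_top_sources() {
    min="${1:-10}"
    awk -v min="$min" '
    /kernel: IPT / {
        for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) count[substr($i, 5)]++
    }
    END { for (s in count) if (count[s] >= min) print s, count[s] }
    ' | LC_ALL=C sort -k2,2nr -k1,1
}

# sample_log: constructed kernel log lines for demonstration (not real traffic).
# Addresses are from the RFC 5737 documentation ranges.
sample_log() {
    cat <<'EOF'
Aug 28 22:10:01 fw kernel: IPT New not syn:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=0 RES=0x00 ACK URGP=0
Aug 28 22:10:02 fw kernel: IPT New not syn:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=0 RES=0x00 ACK URGP=0
Aug 28 22:10:03 fw kernel: IPT drop eth0:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.50 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=31337 DF PROTO=TCP SPT=5555 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Aug 28 22:10:04 fw kernel: IPT drop eth0:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=56 ID=4242 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Aug 28 22:10:05 fw sshd[1234]: Accepted publickey for admin from 192.0.2.20 port 51000 ssh2
EOF
}

# Demo when run directly: summarize the constructed sample and list sources
# with two or more entries.
sample_log | ipt_summarize
sample_log | ipt_top_sources 2
```

In use you would feed the real log instead of the sample, e.g. `grep 'kernel: IPT ' /var/log/messages | ipt_summarize`. The summary separates the two prefixes on purpose: "New not syn" hits are often nothing more than a peer's late packets after a reboot cleared the connection-tracking table, whereas a single source hitting many distinct dropped ports in the default-policy log is the pattern worth a closer look.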