On Thu, 2003-08-28 at 22:07, Chad Walstrom wrote:
> On Thu, Aug 28, 2003 at 04:55:42PM -0500, Scot Jenkins wrote:
> > Personally, I've tried a lot of the GUI frontends to iptables and
> > usually ended up just coding the ruleset by hand.  YMMV.
> 
> I find this to be quite true as well.  Most firewalls are quite simple,
> especially with iptables state-based filtering.  Here's an exceedingly
> simple example:
> 
> #!/bin/sh
> # Set up default policy
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -P FORWARD DROP
> 
> # Allow all local loopback
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A OUTPUT -o lo -j ACCEPT
> 
> # First, "whitelist" -- accept established,related connections.  Fastest
> # processing of incoming packets.  Because we accept immediately,
> # tracking bandwidth usage by port doesn't work, but who cares? 
> iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
> 
> # Next, incoming "blacklists".  e.g. modem block from attbi
> iptables -N blacklist
> iptables -A blacklist -s bad.ip.address -j DROP
> 
> # Drop new TCP connections that do not start with a SYN.  Note the
> # double dash: getopt parses a single-dash "-syn" as "-s yn".
> iptables -A blacklist -p tcp ! --syn -m state --state NEW -j LOG \
>     --log-level INFO --log-prefix "IPT New not syn:"
> iptables -A blacklist -p tcp ! --syn -m state --state NEW -j DROP
> 
> # Add blacklist to INPUT
> iptables -A INPUT -i eth0 -j blacklist
> 
> # Hosting these services: ssh, auth, http, https, imap
> iptables -A INPUT -i eth0 -p tcp --dport ssh -j ACCEPT       # Remote access
> iptables -A INPUT -i eth0 -p tcp --dport auth -j ACCEPT      # For identd calls
> iptables -A INPUT -i eth0 -p tcp --dport http -j ACCEPT      # Web
> iptables -A INPUT -i eth0 -p tcp --dport https -j ACCEPT     # Secure web
> iptables -A INPUT -i eth0 -p tcp --dport imap -j ACCEPT      # Email
> 
> # You don't want to regulate outgoing traffic, do you?
> iptables -A OUTPUT -o eth0 -j ACCEPT
> 
> # If you want to log packets before you drop them via default policy,
> # uncomment these (OUTPUT matches on the outgoing interface, -o):
> #iptables -A INPUT -i eth0 -j LOG --log-level INFO --log-prefix "IPT drop eth0 in:"
> #iptables -A OUTPUT -o eth0 -j LOG --log-level INFO --log-prefix "IPT drop eth0 out:"
> 
> # Done.
-- 
Tom Penney <blots at visi.com>
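As an added example (not code from Chad's or Tom's message), here is the same hand-coded, state-based ruleset written so it can be re-run without doubling up rules and printed for review before it is loaded. It goes a little beyond the quoted script: chains are flushed first, the ESTABLISHED,RELATED accept is added before the policy flips to DROP, conntrack-INVALID packets are dropped in the blacklist chain, and every LOG target is rate-limited. Everything configurable is an assumption, not from the original: the interface name eth0, the service list, the 5/min log limit, and the dry-run convention IPT="echo iptables"; the blacklist is empty by default.

```shell
#!/bin/sh
# Stateful iptables ruleset in the style of the quoted script.  This is an
# added example, not Chad Walstrom's script.  Assumptions (not from the
# original message): the interface name, service list and blacklist below are
# placeholders; IPT="echo iptables" turns the run into a dry run that prints
# the commands instead of applying them.

IPT="${IPT:-iptables}"                  # command to run; "echo iptables" for a dry run
EXT_IF="${EXT_IF:-eth0}"                # external interface (assumption)
SERVICES="${SERVICES:-ssh auth http https imap}"  # TCP services we host (assumption)
BLACKLIST="${BLACKLIST:-}"              # space-separated source addresses/CIDRs to drop
LOG_LIMIT="${LOG_LIMIT:-5/min}"         # cap on LOG entries so a flood cannot fill syslog

build_rules() {
    # Start from a clean slate so re-running the script does not append a
    # second copy of every rule (the chain is created once and flushed after).
    $IPT -F INPUT
    $IPT -F OUTPUT
    $IPT -F FORWARD
    $IPT -N blacklist 2>/dev/null
    $IPT -F blacklist

    # Accept established/related traffic first and only then set the DROP
    # policies, so a first run never cuts off the SSH session loading the rules.
    $IPT -A INPUT -i "$EXT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP

    # Loopback is unrestricted.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # Blacklist chain: explicit bad sources, then conntrack-INVALID packets,
    # then new TCP connections that do not start with SYN (logged, rate-limited).
    for src in $BLACKLIST; do
        $IPT -A blacklist -s "$src" -j DROP
    done
    $IPT -A blacklist -m state --state INVALID -j DROP
    $IPT -A blacklist -p tcp ! --syn -m state --state NEW \
        -m limit --limit "$LOG_LIMIT" -j LOG --log-level info --log-prefix "IPT new not syn: "
    $IPT -A blacklist -p tcp ! --syn -m state --state NEW -j DROP
    $IPT -A INPUT -i "$EXT_IF" -j blacklist

    # Only NEW connections reach this point; open the hosted services.
    for svc in $SERVICES; do
        $IPT -A INPUT -i "$EXT_IF" -p tcp --dport "$svc" -m state --state NEW -j ACCEPT
    done

    # Outbound is unrestricted, as in the original.
    $IPT -A OUTPUT -o "$EXT_IF" -j ACCEPT

    # Log (rate-limited) what is about to fall through to the DROP policy.
    $IPT -A INPUT -i "$EXT_IF" -m limit --limit "$LOG_LIMIT" \
        -j LOG --log-level info --log-prefix "IPT drop in: "
}

# Dry run: print the iptables commands instead of executing them.
render_rules() {
    ( IPT="echo iptables"; build_rules )
}

# Usage: sh firewall.sh          print the ruleset for review
#        sh firewall.sh apply    load it (needs root and iptables)
case "${1:-print}" in
    apply) build_rules ;;
    *)     render_rules ;;
esac
```

`sh firewall.sh` prints the rules (the dry-run output is unquoted, so the log prefixes appear without their quotes); `sh firewall.sh apply` loads them as root. The flush at the top is what makes a second run safe: without it the quoted script appends a duplicate of every rule and its `-N blacklist` fails because the chain already exists.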


_______________________________________________
TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
http://www.mn-linux.org tclug-list at mn-linux.org
https://mailman.real-time.com/mailman/listinfo/tclug-list