Richard Maxwell Underwood wrote:
> I'm not a Linux newbie, but I haven't learned iptables or
> netfilter, and it would be _so nice_ if I didn't have to study
> detailed documentation to make the following change to my
> machine.
>
> I know that many people don't want this mailing list flooded by
> "newbie" questions about Linux, but please let me have one
> reprieve from this general rule or ethic against "newbie"
> questions.
>
> The only network connections on my machine are lo and ppp0.
>
> I want to prohibit all systems except for localhost from
> initiating a connection to my machine.
>
> I know that this breaks active ftp, but I think that's ok
> because pacman uses passive-mode ftp.
>
> Could someone post an /etc/iptables/iptables.rules?
>
> _______________________________________________
> arch mailing list
> [email protected]
> http://www.archlinux.org/mailman/listinfo/arch
Rich,

If you don't understand anything below.. RTFM.. ;)

This script has been 3 yrs in the making.. For all those reading this.. Yes I know I can do things differently.. Thanks for the suggestion.

############### My. FIREWALL.SH FILE

#!/bin/sh
#
# Firewall-HOST Script
#
# v1.0.2
# 2005-03-30
#
# 2005-08-09 -> v1.0.5
# Added ulog
#
#
#
# External: ISP
# Internal: 10.1.1.X/24

VER=1.0.2
EXT=eth0
IPTABLES="/usr/sbin/iptables"
ECHO="/bin/echo"

# Mark in the /var/log/firewall.log that we are starting the firewall
/usr/bin/logger -p kern.notice -t NETFILTER "###### Started Firewall v$VER ######"
/usr/bin/logger -p kern.notice -t NETFILTER "###### Started Firewall Script: `date` ######"

# IP Forwarding
$ECHO "1" > /proc/sys/net/ipv4/ip_forward

# Dynamic Routing
$ECHO "1" > /proc/sys/net/ipv4/ip_dynaddr

# Disable response to ping.
#$ECHO "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all

# Disable response to broadcasts to prevent yourself from becoming a Smurf amplifier.
$ECHO "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Don't accept source routed packets.
$ECHO "0" > /proc/sys/net/ipv4/conf/all/accept_source_route

# Disable ICMP redirect acceptance.
$ECHO "0" > /proc/sys/net/ipv4/conf/all/accept_redirects

# Enable bogus error message protection.
$ECHO "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Log spoofed packets, source routed packets, redirect packets.
$ECHO "1" > /proc/sys/net/ipv4/conf/all/log_martians

# Turn IP forwarding on.
$ECHO "1" > /proc/sys/net/ipv4/ip_forward

# Initialize all the chains by removing all the rules
$IPTABLES -F
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
$IPTABLES -t nat -X
$IPTABLES -t mangle -X
$IPTABLES -X
$IPTABLES -Z

$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP
#$IPTABLES -P OUTPUT ACCEPT

# Create HOLE Table
# (-N complains on stderr if the chain already exists from a previous run; silence that)
$IPTABLES -N DESTROY 2> /dev/null
$IPTABLES -F DESTROY
$IPTABLES -A DESTROY -p tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A DESTROY -p udp -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A DESTROY -j DROP

# Create Dump Table
# (LOG writes to the kernel log; ULOG hands a copy to a userspace listener on netlink group 1)
$IPTABLES -N DUMP 2> /dev/null
$IPTABLES -F DUMP
$IPTABLES -A DUMP -j LOG --log-prefix "--==#ALERT#==-- " --log-level 6
$IPTABLES -A DUMP -j ULOG --ulog-nlgroup 1 --ulog-cprange 0
$IPTABLES -A DUMP -j DESTROY

# Create DOUT Table
$IPTABLES -N DOUT 2> /dev/null
$IPTABLES -F DOUT
$IPTABLES -A DOUT -j LOG --log-prefix "--==#DOUT#==-- " --log-level 6
$IPTABLES -A DOUT -j ULOG --ulog-nlgroup 1 --ulog-cprange 0
$IPTABLES -A DOUT -j DESTROY

# Create DFOR Table
$IPTABLES -N DFOR 2> /dev/null
$IPTABLES -F DFOR
$IPTABLES -A DFOR -j LOG --log-prefix "--==#DFOR#==-- " --log-level 6
$IPTABLES -A DFOR -j ULOG --ulog-nlgroup 1 --ulog-cprange 0
$IPTABLES -A DFOR -j DESTROY

# loopback rules
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

# EST links
$IPTABLES -A INPUT -i $EXT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow SSH
$IPTABLES -A INPUT -i $EXT -s 10.1.1.0/24 -p tcp --dport 22 --sport 1024: -j ACCEPT
$IPTABLES -A OUTPUT -o $EXT -p tcp --dport 22 -j ACCEPT
$IPTABLES -A OUTPUT -o $EXT -p tcp --sport 22 -j ACCEPT

# Allow 80 (Shoutcast)
$IPTABLES -A OUTPUT -o $EXT -p tcp --dport 80 -j ACCEPT
$IPTABLES -A OUTPUT -o $EXT -p tcp --dport 443 -j ACCEPT

# Allow 53 (DNS)
$IPTABLES -A OUTPUT -o $EXT -p udp --dport 53 --sport 1024: -j ACCEPT

# Allow PING
$IPTABLES -A INPUT -i $EXT -p icmp -j ACCEPT
$IPTABLES -A OUTPUT -o $EXT -p icmp -j ACCEPT

# Allow FTP
$IPTABLES -A OUTPUT -o $EXT -d ftp-linux.cc.gatech.edu -p tcp -j ACCEPT

# Allow NEWS
$IPTABLES -A OUTPUT -o $EXT -p tcp --dport 119 -j ACCEPT

# Allow Samba to Squawk and Speak to other hosts
$IPTABLES -A OUTPUT -o $EXT -p udp -d 10.1.1.0/24 --dport 137 -j ACCEPT
$IPTABLES -A OUTPUT -o $EXT -p udp -d 10.1.1.0/24 --dport 138 -j ACCEPT
$IPTABLES -A OUTPUT -o $EXT -p tcp -d 10.1.1.0/24 --sport 139 -j ACCEPT
$IPTABLES -A INPUT -i $EXT -p udp -d 10.1.1.0/24 --sport 137 -j ACCEPT
$IPTABLES -A INPUT -i $EXT -p udp -d 10.1.1.0/24 --sport 138 -j ACCEPT
$IPTABLES -A INPUT -i $EXT -p tcp -d 10.1.1.0/24 --dport 139 -j ACCEPT
$IPTABLES -A OUTPUT -o $EXT -p tcp -d 10.1.1.0/24 --sport 445 -j ACCEPT
$IPTABLES -A INPUT -i $EXT -p tcp -d 10.1.1.0/24 --dport 445 -j ACCEPT

# ALLOW GAIM TO Talk
$IPTABLES -A OUTPUT -o $EXT -p tcp --dport 5190 -j ACCEPT #AOL
$IPTABLES -A OUTPUT -o $EXT -p tcp --dport 5050 -j ACCEPT #YAHOO
$IPTABLES -A OUTPUT -o $EXT -p tcp --dport 5222 -j ACCEPT #Jabber

# ALLOW Thunderbird talk privileges
$IPTABLES -A OUTPUT -o $EXT -p tcp --dport 995 -j ACCEPT
$IPTABLES -A OUTPUT -o $EXT -p tcp --dport 25 -j ACCEPT

# ALLOW Time talk privileges
$IPTABLES -A OUTPUT -o $EXT -p tcp --dport 37 -j ACCEPT

# Allow IRC for Users
$IPTABLES -A OUTPUT -o $EXT -p tcp --dport 6667 -j ACCEPT

# ALLOW NMAP
#$IPTABLES -A OUTPUT -o $EXT -p tcp -j ACCEPT
#$IPTABLES -A OUTPUT -o $EXT -p udp -j ACCEPT

# Allow Streaming Music from hosts
$IPTABLES -A INPUT -i $EXT -p tcp --dport 8000:8100 -j ACCEPT
$IPTABLES -A OUTPUT -o $EXT -p tcp --sport 8000:8100 -j ACCEPT

# Allow Streaming Music from internet to dream
$IPTABLES -A OUTPUT -o $EXT -p tcp --dport 8000:8100 -j ACCEPT
$IPTABLES -A OUTPUT -o $EXT -p tcp --dport 7000 -j ACCEPT
$IPTABLES -A INPUT -i $EXT -p tcp --sport 8000:8100 -j ACCEPT
$IPTABLES -A OUTPUT -o $EXT -p tcp --dport 10622 -j ACCEPT
$IPTABLES -A INPUT -i $EXT -p tcp --sport 10622 -j ACCEPT
$IPTABLES -A OUTPUT -o $EXT -p tcp --dport 9874 -j ACCEPT
$IPTABLES -A INPUT -i $EXT -p tcp --sport 9874 -j ACCEPT

# Netflow Capture
$IPTABLES -A INPUT -i $EXT -p udp -s 10.1.1.1 --dport 900 -j ACCEPT

# Netflow Capture
$IPTABLES -A INPUT -i $EXT -p udp -s 10.1.1.11 --dport 514 -j ACCEPT

# Allow SNMP TO APC
$IPTABLES -A OUTPUT -o $EXT -p udp -d 10.1.1.11 --dport 161 -j ACCEPT
$IPTABLES -A INPUT -i $EXT -p udp -s 10.1.1.11 --sport 161 -j ACCEPT

# Allow traceroute
$IPTABLES -A OUTPUT -o $EXT -p udp -j ACCEPT

######### Drop garbage to lessen logs
# DAMN HP 1200 Keeps saying "Hello"
$IPTABLES -A INPUT -i $EXT -p udp -s 10.1.1.200 --dport 137 -j DROP
$IPTABLES -A INPUT -i $EXT -d 255.255.255.255 -j DROP

###############################
# Everything Else Dump It
$IPTABLES -A INPUT -j DUMP
$IPTABLES -A OUTPUT -j DOUT
$IPTABLES -A FORWARD -j DFOR

# List the current rules
#$IPTABLES -L -v --line-numbers

############### EO My. FIREWALL.SH FILE
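The ruleset Richard actually asked for, as an added example that is not from either post in this thread: a POSIX shell function that emits an iptables-restore file for a host whose only interfaces are lo and one external link. The interface name (ppp0), the log prefix and the logging rate are assumptions. Unlike the LAN script above it keeps OUTPUT open and makes the INPUT side purely stateful, so replies to anything this host initiates (DNS, HTTP, passive-mode FTP data connections) are accepted by the ESTABLISHED,RELATED rule, while every connection initiated from outside is logged at a limited rate and dropped.

```shell
#!/bin/sh
# Added example: generate an iptables-restore ruleset for a host that has only
# lo and one external interface (ppp0 assumed) and must not accept any
# connection initiated from outside. Nothing here calls iptables; the text
# is meant to be saved as /etc/iptables/iptables.rules and loaded later.

gen_rules() {
    ext="${1:-ppp0}"              # external interface (assumption: ppp0)
    prefix="${2:-IN-DROP: }"      # kernel log prefix for dropped inbound (constructed)
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# localhost may always reach itself; this must come before any drop
-A INPUT -i lo -j ACCEPT
# replies to connections this host started (passive FTP data included)
-A INPUT -i $ext -m state --state ESTABLISHED,RELATED -j ACCEPT
# answer pings; delete this line to go silent
-A INPUT -i $ext -p icmp --icmp-type echo-request -j ACCEPT
# packets the connection tracker cannot classify
-A INPUT -i $ext -m state --state INVALID -j DROP
# everything else is an unsolicited inbound connection: log (rate-limited), then drop
-A INPUT -i $ext -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "$prefix" --log-level 6
-A INPUT -i $ext -j DROP
COMMIT
EOF
}

# Sanity checks on the generated text so a typo is caught before loading it.
check_rules() {
    rules="$(gen_rules "$@")"
    printf '%s\n' "$rules" | grep -q '^:INPUT DROP' || return 1
    printf '%s\n' "$rules" | grep -q '^-A INPUT -i lo -j ACCEPT$' || return 1
    printf '%s\n' "$rules" | grep -q 'ESTABLISHED,RELATED -j ACCEPT$' || return 1
    printf '%s\n' "$rules" | grep -q '^COMMIT$' || return 1
    return 0
}

# Usage (as root):
#   gen_rules ppp0 > /etc/iptables/iptables.rules
#   iptables-restore < /etc/iptables/iptables.rules
```

The `-i lo` ACCEPT has to precede the drop rules, otherwise local services that talk to 127.0.0.1 break as soon as the INPUT policy is DROP. Active-mode FTP is only covered if the kernel's FTP connection-tracking helper is loaded (ip_conntrack_ftp on 2005-era kernels), which lets the server-initiated data connection match RELATED; without it the ruleset behaves exactly as Richard expected, passive only.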
