Benedict Verheyen wrote:
> Hello,
>
> below is the new 1 nic firewall setup with a lot of recommendations
> and ideas from Jason McCarty.
> I changed the INPUT and OUTPUT rules mainly but didn't touch the
> FORWARD rule. I think all the lines there are useless in a 1 nic
> setup.
Glad I could help :) It looks pretty good, just a couple things I want to mention.

> # this ip is used by my isp for something (don't know what) and is sent every
> # 2 minutes so I do not even want to log this! Annoying isp.
> # It goes to address 224.0.0.1
> $IPT -A checkspoof -s 10.95.11.80 -j DROP

These are (IGMP I think) multicast queries asking if your computer wants to listen to a multicast channel. I ignore them too. I think the multicast network is 224.0.0.0/4 .

> ### inet_out ####
> ###############################################################################
> ### allow outside: ping, dns, proxy of isp (8080), dhcp, news, smtp, msn/gaim?,
> ### irc, www, imap, pop3, ftp (+ftpdata), ssh
>
> ### all tcp ports ###
> # DHCP is UDP only, so this tcp rule is not needed; kept commented out
> #$IPT -A inet_out -o eth0 -p tcp --sport 68 --dport 67 -j ACCEPT # DHCP to isp
> $IPT -A inet_out -o eth0 -p tcp --dport 80 -j ACCEPT     # www
> $IPT -A inet_out -o eth0 -p tcp --dport 22 -j ACCEPT     # ssh
> $IPT -A inet_out -o eth0 -p tcp --dport 21 -j ACCEPT     # ftp
> $IPT -A inet_out -o eth0 -p tcp --dport 110 -j ACCEPT    # pop3
> $IPT -A inet_out -o eth0 -p tcp --dport 143 -j ACCEPT    # imap
> $IPT -A inet_out -o eth0 -p tcp --dport 6667 -j ACCEPT   # irc
> $IPT -A inet_out -o eth0 -p tcp --dport 25 -j ACCEPT     # smtp
> $IPT -A inet_out -o eth0 -p tcp --dport 119 -j ACCEPT    # news
> $IPT -A inet_out -o eth0 -p tcp --dport 8080 -j ACCEPT   # proxy isp
> $IPT -A inet_out -o eth0 -p tcp --dport 53 -j ACCEPT     # dns (tcp, large answers / zone transfers)
>
> ### all udp ports ###
> # DHCP client sends from port 68 to the server's port 67
> $IPT -A inet_out -o eth0 -p udp --sport 68 --dport 67 -j ACCEPT # DHCP to isp
> $IPT -A inet_out -o eth0 -p udp --dport 53 -j ACCEPT     # dns
>
> ### all icmp ###
> $IPT -A inet_out -o eth0 -p icmp --icmp-type 3 -j ACCEPT   # destination unreachable
> $IPT -A inet_out -o eth0 -p icmp --icmp-type 8 -j ACCEPT   # echo request (outgoing ping)
> $IPT -A inet_out -o eth0 -p icmp --icmp-type 0 -j ACCEPT   # echo reply (answer incoming ping)
> $IPT -A inet_out -o eth0 -p icmp --icmp-type 11 -j ACCEPT  # time exceeded (traceroute)

You can take off the -o eth0 parts here, since inet_out only gets called by INPUT for -o eth0 anyway.

Jason
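The two points raised above (drop the whole 224.0.0.0/4 multicast range instead of one source address, and leave the per-rule `-o eth0` out of a user chain that is only entered for that interface) put together in a minimal one-NIC script. This is an added example, not the script posted in the thread; it assumes the external interface is eth0, that the `state` match is available, that the only inbound services to expose are ping and ssh, and that `IPT` can be pointed at `echo iptables` for a dry run that prints the rules instead of loading them:

```shell
#!/bin/sh
# Added example (not the original poster's script).
# Assumptions: single NIC eth0 facing the ISP; only ping and ssh are offered
# inbound; IPT may be overridden with "echo iptables" to print rather than apply.
IPT="${IPT:-iptables}"
EXT="${EXT:-eth0}"
MCAST="224.0.0.0/4"          # entire IPv4 multicast range, covers 224.0.0.1 IGMP queries

build_rules() {
    $IPT -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP     # one NIC: nothing is ever forwarded
    $IPT -P OUTPUT DROP

    $IPT -N checkspoof
    $IPT -N inet_in
    $IPT -N inet_out

    # loopback is always allowed
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # checkspoof: silently drop traffic we never want to see or log.
    # Multicast (IGMP membership queries etc.) is matched by destination range,
    # so it does not matter which address the ISP's querier uses.
    $IPT -A checkspoof -d "$MCAST" -j DROP
    # a loopback source on the external interface is always forged
    $IPT -A checkspoof -s 127.0.0.0/8 -j DROP

    # INPUT: answers to our own connections, then spoof check, then services
    $IPT -A INPUT -i "$EXT" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$EXT" -j checkspoof
    $IPT -A INPUT -i "$EXT" -j inet_in
    $IPT -A INPUT -i "$EXT" -j LOG --log-prefix "INPUT drop: "

    # inet_in: what the outside may start towards us (assumed: ping and ssh)
    $IPT -A inet_in -p icmp --icmp-type 8 -j ACCEPT
    $IPT -A inet_in -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # OUTPUT: the jump itself carries "-o eth0", so inet_out rules need not repeat it
    $IPT -A OUTPUT -o "$EXT" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -o "$EXT" -j inet_out
    $IPT -A OUTPUT -o "$EXT" -j LOG --log-prefix "OUTPUT drop: "

    # inet_out: connections we may start
    $IPT -A inet_out -p tcp --dport 80 -j ACCEPT            # www
    $IPT -A inet_out -p tcp --dport 22 -j ACCEPT            # ssh
    $IPT -A inet_out -p tcp --dport 25 -j ACCEPT            # smtp
    $IPT -A inet_out -p tcp --dport 53 -j ACCEPT            # dns over tcp
    $IPT -A inet_out -p udp --dport 53 -j ACCEPT            # dns
    $IPT -A inet_out -p udp --sport 68 --dport 67 -j ACCEPT # DHCP client -> ISP server
    $IPT -A inet_out -p icmp --icmp-type 8 -j ACCEPT        # outgoing ping
    $IPT -A inet_out -p icmp --icmp-type 3 -j ACCEPT        # destination unreachable
    $IPT -A inet_out -p icmp --icmp-type 11 -j ACCEPT       # time exceeded
}

# Usage: "sh fw.sh apply" loads the rules (needs root);
#        "sh fw.sh dry-run" only prints the iptables commands.
case "${1:-}" in
    apply)   build_rules ;;
    dry-run) IPT="echo iptables"; build_rules ;;
esac
```

Running the dry-run first and reading the printed rules is the cheapest check that the jump into each user chain carries the interface match and that no per-rule `-o eth0` survived in `inet_out`.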

