Set the default policies *before* flushing the tables.
OK.
# Open ports on router for server/services
iptables -A INPUT -s 1.2.3.4 -j ACCEPT -p tcp --dport 20
iptables -A INPUT -s 1.2.3.4 -j ACCEPT -p tcp --dport 21
iptables -A INPUT -j ACCEPT -p tcp --dport 22
iptables -A INPUT -j ACCEPT -p tcp --dport 25
iptables -A INPUT -j ACCEPT -p tcp --dport 80
iptables -A INPUT -j ACCEPT -p tcp --dport 143
iptables -A INPUT -j ACCEPT -p tcp --dport 993
By these rules you allow everyone (internal and external networks) to use services running on your router. Are these services really running on the router?
Yes.
# STATE RELATED for router
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
I would rather add a rule to accept ESTABLISHED,RELATED traffic in the OUTPUT chain and set the default OUTPUT policy to DROP.
Like this?
iptables -P OUTPUT DROP
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
You should also allow ICMP (at least some types) and REJECT TCP traffic (with RST) rather than just DROP it. IMHO.
Like this?
iptables -A icmp-in -p icmp --icmp-type 0 -j RETURN
iptables -A icmp-in -p icmp --icmp-type 3 -j RETURN
iptables -A icmp-in -p icmp --icmp-type 4 -j RETURN
iptables -A icmp-in -p icmp --icmp-type 8 -j RETURN
iptables -A icmp-in -p icmp --icmp-type 11 -j RETURN
iptables -A icmp-in -p icmp --icmp-type 12 -j RETURN
# Enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
It is absolutely pointless to enable forwarding if you drop every packet in the FORWARD chain.
OK.
This is my new script:

# cat myiptables
#!/bin/sh

# Disable forwarding
echo 0 > /proc/sys/net/ipv4/ip_forward

# load some modules (if needed)
#modprobe ip_nat_ftp
#modprobe ip_conntrack
modprobe ip_conntrack_ftp

# Default rules
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# Flush
iptables -t nat -F POSTROUTING
iptables -t nat -F PREROUTING
iptables -t nat -F OUTPUT
iptables -F

# Localhost
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Open ports on router for server/services
iptables -A INPUT -s 1.2.3.4 -j ACCEPT -p tcp --dport 20
iptables -A INPUT -s 1.2.3.4 -j ACCEPT -p tcp --dport 21
iptables -A INPUT -j ACCEPT -p tcp --dport 22
iptables -A INPUT -j ACCEPT -p tcp --dport 25
iptables -A INPUT -j ACCEPT -p tcp --dport 80
iptables -A INPUT -j ACCEPT -p tcp --dport 143
#iptables -A INPUT -j ACCEPT -p tcp --dport 443
iptables -A INPUT -j ACCEPT -p tcp --dport 993

# STATE RELATED for router
#iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Enable forwarding
#echo 1 > /proc/sys/net/ipv4/ip_forward
Thanks, Jacob
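Added example, not Jacob's script or any reply in this thread: the reviewer's points (policies fixed before the rules, ESTABLISHED,RELATED in both INPUT and OUTPUT, a real icmp-in chain that is actually jumped to, REJECT with RST instead of a silent DROP) written as a generator for an iptables-restore ruleset, so the whole filter table is loaded atomically instead of rule by rule. The port list and the FTP peer 1.2.3.4 are taken from the thread; the function name build_ruleset and the "apply" argument are assumptions of this example.

```shell
#!/bin/sh
# Emits the filter table in iptables-restore format. Loading it this way
# replaces the table in one step, so there is no window where the chains
# are flushed but the policies are still ACCEPT (the reviewer's first point).
FTP_PEER="1.2.3.4"   # source allowed to reach FTP (from the thread)

build_ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:icmp-in - [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Replies to the router's own connections (DNS answers, FTP data, ...)
# arrive on INPUT, so this rule is needed in INPUT as well as OUTPUT.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Hand every ICMP packet to the icmp-in chain; listed types are accepted,
# everything else falls through to the chain's final DROP.
-A INPUT -p icmp -j icmp-in
$(for t in 0 3 4 8 11 12; do echo "-A icmp-in -p icmp --icmp-type $t -j ACCEPT"; done)
-A icmp-in -j DROP
# Services on the router itself (FTP restricted to one peer).
-A INPUT -s $FTP_PEER -p tcp --dport 20 -j ACCEPT
-A INPUT -s $FTP_PEER -p tcp --dport 21 -j ACCEPT
$(for p in 22 25 80 143 993; do echo "-A INPUT -p tcp --dport $p -j ACCEPT"; done)
# Anything else gets an explicit refusal: RST for TCP, port-unreachable
# for UDP. Clients fail fast instead of waiting for a timeout.
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# "sh thisscript.sh apply" (as root) loads the table; without the
# argument nothing is touched and the ruleset can be reviewed on stdout.
if [ "${1:-}" = "apply" ]; then
  echo 0 > /proc/sys/net/ipv4/ip_forward   # this box does not route
  build_ruleset | iptables-restore
else
  build_ruleset
fi
```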

