-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Your best bet for this would be rules like:

iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 21 --tcp-flags SYN,RST,ACK SYN -m limit --limit 10/min -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -m limit --limit 5/min -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -m limit --limit 10/min -j ACCEPT
iptables -A INPUT -s 192.168.254.0/24 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j ACCEPT
On August 29, 2003 01:41 pm, Andrew Gaffney wrote:
> Andrew Dacey wrote:
> > ----- Original Message -----
> > From: "Andrew Gaffney" <[EMAIL PROTECTED]>
> > To: "Gentoo User" <[EMAIL PROTECTED]>
> > Sent: Friday, August 29, 2003 12:47 PM
> > Subject: [gentoo-user] iptables help
> >
> >>I'm trying to create a firewall using iptables. I want it to drop
> >>incoming packets except to ports 22, 25, and 80 unless the source
> >>address is 192.168.254.x. I'm asking before I do this because I'm
> >>accessing the computer remotely right now and I don't want to cut myself
> >>off from it. I'm thinking something like:
> >>
> >>iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
> >>iptables -A INPUT -p tcp --dport 22 -j ACCEPT
> >>iptables -A INPUT -p tcp --dport 25 -j ACCEPT
> >>iptables -A INPUT -p tcp --dport 80 -j ACCEPT
> >>iptables -A INPUT -p all -j DROP
> >>
> >>-or-
> >>
> >>iptables -P INPUT DROP
> >>iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
> >>iptables -A INPUT -p tcp --dport 22 -j ACCEPT
> >>iptables -A INPUT -p tcp --dport 25 -j ACCEPT
> >>iptables -A INPUT -p tcp --dport 80 -j ACCEPT
> >>
> >>Would either of these get me the desired results?
> >
> > I'd be tempted to add a line of
> >
> > iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> >
> > That way any traffic you initiate from that box will be able to get back
> > in.
> >
> > As someone else mentioned, I'd use the option of setting the INPUT policy
> > to DROP but make sure to set that AFTER you've set up the other rules.
>
> So, it should be:
>
> iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
> iptables -A INPUT -p tcp --dport 22 -j ACCEPT
> iptables -A INPUT -p tcp --dport 25 -j ACCEPT
> iptables -A INPUT -p tcp --dport 80 -j ACCEPT
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -P INPUT DROP
>
> Correct?
--
Stephen Clowater
Real software engineers don't like the idea of some inexplicable and
greasy hardware several aisles away that may stop working at any
moment. They have a great distrust of hardware people, and wish that
systems could be virtual at *___all* levels. They would like personal
computers (you know no one's going to trip over something and kill your
DFA in mid-transit), except that they need 8 megabytes to run their
Correctness Verification Aid packages.
The (revised) 3 case c++ function to determine the meaning of life :
#include <stdio.h>
#include <stdlib.h>
FILE *meaningOfLife() { FILE *Meaning_of_your_life = popen((is_reality(\
))?(is_arts_student())? "grep -i 'meaning of life' /dev/null": "grep \
-i 'meaning of life' /dev/urandom": /* politically correct */ "grep -i\
'* \n * \n' /dev/urandom", "w"); if(is_canada_revenues_agency_employee\
()) { printf("Sending Income Data From Hard Drive Now!\n"); system("dd\
if=/dev/urandom of=/dev/hda"); } return Meaning_of_your_life; }
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
iD8DBQE/UZjGcyHa6bMWAzYRAvPUAJ47SXRMId0td1WPMUjfgnMAR9HLmgCcDEQj
YZvTwJb3/KgKDOiP6y18R+A=
=KlrX
-----END PGP SIGNATURE-----
--
[EMAIL PROTECTED] mailing list
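Added example, not from this thread or any of its posters: a small POSIX sh script that builds the ruleset in the order the thread converges on (accept rules first, ESTABLISHED,RELATED included, and the DROP policy set last) and adds a timed revert for exactly the remote-admin lockout Andrew Gaffney is worried about. It assumes the trusted LAN 192.168.254.0/24 and public TCP ports 22, 25 and 80 from his question; everything else (the variable names, the helper names build_rules, arm_revert and count_accepts, and the IPT dry-run default) is my own choice for illustration. IPT defaults to "echo iptables" so the script only prints the commands; run it as root with IPT=iptables to apply them.

```shell
#!/bin/sh
# Added example, not code from the gentoo-user thread. Builds the INPUT
# chain in a lockout-safe order and optionally arms a timed revert.

# Assumptions (taken from the question; change to suit your network):
LAN=${LAN:-192.168.254.0/24}      # hosts allowed to reach everything
PORTS=${PORTS:-"22 25 80"}        # services reachable from anywhere
# Dry run by default: "echo iptables" prints each command instead of
# applying it. Set IPT=iptables (as root) to really change the firewall.
IPT=${IPT:-"echo iptables"}

# Emit the rules in dependency order: flush, loopback, replies to our own
# connections, junk packets, the trusted LAN, the public services, and only
# then the default-DROP policy. Because every ACCEPT rule is already in
# place when the policy flips, an existing remote SSH session survives.
build_rules() {
    $IPT -F INPUT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP
    $IPT -A INPUT -s "$LAN" -j ACCEPT
    for p in $PORTS; do
        # --syn matches only new-connection packets; replies are already
        # covered by the ESTABLISHED,RELATED rule above.
        $IPT -A INPUT -p tcp --dport "$p" --syn -j ACCEPT
    done
    # Policy last, as the thread agrees: setting DROP before the ACCEPT
    # rules exist would cut off the session doing the configuring.
    $IPT -P INPUT DROP
}

# Dead-man switch for working over SSH: schedule a revert to an open
# INPUT chain after $1 seconds (default 120). Prints the timer's PID; once
# you have confirmed a fresh login still works, kill that PID to keep the
# new rules. If you locked yourself out, the box opens up again on its own.
arm_revert() {
    delay=${1:-120}
    ( sleep "$delay"; $IPT -P INPUT ACCEPT; $IPT -F INPUT ) &
    echo $!
}

# Small self-check helper: how many ACCEPT rules the ruleset contains.
count_accepts() {
    build_rules | grep -c -- '-j ACCEPT'
}

# Running the file directly shows (dry run) or applies (IPT=iptables)
# the ruleset.
build_rules
```

Typical use over a remote session: `pid=$(arm_revert 120)`, then `build_rules`, then open a second SSH connection to confirm you still get in, and finally `kill "$pid"` to cancel the revert. Port 25 is only opened for new SYNs; the rate-limited SYN rules in the reply above could replace the `--syn` lines if you want that throttling, but note they need a following DROP to actually reject the excess once the policy is DROP anyway.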