Here is something which should fit your needs (except maybe that I use a fixed IP address).
Hope this helps. BTW - once you set up the configuration you can save/restore it in the boot scripts with iptables-save and iptables-restore.

--Amos

> -----Original Message-----
> From: Omer Zak
> Sent: Friday, February 14, 2003 1:09 PM
> Subject: Collection of sample high-quality iptables configurations?
>
>
> Once upon a time I configured a 2.2.x Linux firewall with ipchains, and
> used a script with which I was happy, as it opened only certain ports, had
> anti-spoofing protection, etc.
> More recently I configured a 2.4.x Linux firewall with iptables. However
> I am not happy with the iptables configuration used there.
>
> Does anyone know about a collection of recommended iptables scripts for
> the following environments:
> 1. Single Linux PC at home (no need to export services like WWW to the
> Internet).
> 2. Home or small office network (NAT, any PC can access the Internet,
> nothing is exported to the world).
>
> Note: for more complicated setups (such as office Web server to be
> accessible from the Internet), I'd not rely upon cookbook scripts but have
> someone who really knows the stuff (possibly me) set it up for me.
> But for the average home/small office user, a restrictive cookbook
> approach is the best approach, for if he has to figure things out by
> himself he may make mistakes; and if he hires a security expert, this may
> be expensive and he may be let down by an improperly qualified "expert".
> --- Omer
#!/bin/sh
## Insert connection-tracking modules (not needed if built into kernel).
insmod ip_conntrack
insmod ip_conntrack_ftp

## Create chain which blocks new connections, except if coming from inside.
iptables --new-chain block
# allow established connections, or related packets
iptables --append block --match state --state ESTABLISHED,RELATED --jump ACCEPT
# allow NEW connections that do not arrive on the external interface
# (without this rule the chain also drops fresh connections from the LAN and
# from loopback; older iptables wrote the negation as --in-interface ! ppp0)
iptables --append block --match state --state NEW ! --in-interface ppp0 --jump ACCEPT
# DROP all other packets (be stealth, right?)
iptables --append block --jump DROP

## Jump to that chain from INPUT and FORWARD chains.
iptables --append INPUT --jump block
iptables --append FORWARD --jump block

# Masquerade out ppp0 (we have a known IP address from Actcom, so use SNAT)
iptables --table nat --append POSTROUTING --out-interface ppp0 --jump SNAT --to-source 192.117.105.145

# Disallow NEW and INVALID incoming or forwarded packets from ppp0.
iptables --append INPUT --in-interface ppp0 --match state --state NEW,INVALID --jump DROP
iptables --append FORWARD --in-interface ppp0 --match state --state NEW,INVALID --jump DROP

# default policy of INPUT and FORWARD is to DROP everything which didn't match
iptables --policy INPUT DROP
iptables --policy FORWARD DROP
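A parameterized variant of the same design for Omer's second environment (home/small-office NAT gateway), written as an added example and not code from this thread: it emits the ruleset in iptables-restore format, the save/restore form Amos mentions, and uses MASQUERADE so the external address does not need to be fixed. The interface names, the LAN subnet and the file path are assumptions.

```shell
#!/bin/sh
# Added example: generate an iptables-restore ruleset for a NAT gateway.
# Assumed usage (interface names, subnet and path are assumptions):
#   gen_ruleset ppp0 eth0 192.168.1.0/24 > /etc/iptables.rules
#   sysctl -w net.ipv4.ip_forward=1 && iptables-restore < /etc/iptables.rules
# Lines starting with '#' inside the ruleset are ignored by iptables-restore.
gen_ruleset() {
    wan="$1"; lan="$2"; net="$3"
    cat <<EOF
# Constructed ruleset: WAN on $wan, LAN $net behind $lan
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# MASQUERADE (not SNAT) so a dynamically assigned WAN address works
-A POSTROUTING -o $wan -s $net -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:block - [0:0]
# loopback is always allowed
-A INPUT -i lo -j ACCEPT
# anti-spoofing: LAN addresses never arrive on the WAN side, and
# nothing but LAN addresses should arrive on the LAN side
-A INPUT -i $wan -s $net -j DROP
-A FORWARD -i $wan -s $net -j DROP
-A FORWARD -i $lan ! -s $net -j DROP
# same "block" chain as Amos's script: keep state, accept NEW only from the LAN
-A INPUT -j block
-A FORWARD -j block
-A block -m state --state ESTABLISHED,RELATED -j ACCEPT
-A block -m state --state NEW -i $lan -j ACCEPT
-A block -j DROP
COMMIT
EOF
}

# When run directly with three arguments, print the ruleset to stdout.
if [ "$#" -eq 3 ]; then
    gen_ruleset "$@"
fi
```

Nothing is exported to the world, matching the environment Omer describes; a service that must be reachable from outside needs an explicit ACCEPT before the jump to `block`.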
