On Tuesday 11 June 2002 11:39, you wrote:
> Mon, 2002-06-10 at 22:07, Kjetil Kjernsmo wrote:
> > I hope someone can take my paw and help me through the iptables
> > setup, because I'm a bit scared of the possibility of locking
> > myself out of my box...
>
> He who ventures nothing, wins nothing :c)
Quite true! Thanks to everybody! I've been trying to get it to work, and thanks to Mike Benson, who gave me a snippet of code that flushes the rules after a delay, I'm not that anxious anymore. Though my first test failed miserably, I was locked out and those two minutes _were_ scary... :-)

I've done some cut'n'pasting from various sources, trying things I think I understand. But apparently, it doesn't do quite what I thought it would, so...

I start my script with

#! /bin/sh
IPTABLES="/sbin/iptables"
$IPTABLES -F
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP

This should flush and then drop everything. For simplicity, I then have:

$IPTABLES -P OUTPUT ACCEPT

I guess drop output makes life harder for someone who may have gained access to a user account, but...

Then, I grabbed most of my stuff from
http://www.linuxhelp.net/guides/davion/iptables-script

To start with:

$IPTABLES -A INPUT -i lo -j ACCEPT

They also list this as working for ssh:

$IPTABLES -A INPUT -i eth0 -d 0/0 -p tcp --dport 22 -j ACCEPT

Apparently it does. So, I just copied it for the rest of my ports...:

$IPTABLES -A INPUT -i eth0 -d 0/0 -p tcp --dport 21 -j ACCEPT
$IPTABLES -A INPUT -i eth0 -d 0/0 -p tcp --dport 80 -j ACCEPT
$IPTABLES -A INPUT -i eth0 -d 0/0 -p tcp --dport 110 -j ACCEPT
$IPTABLES -A INPUT -i eth0 -d 0/0 -p tcp --dport 25 -j ACCEPT
$IPTABLES -A INPUT -i eth0 -d 0/0 -p tcp --sport 25 -j ACCEPT

It seems to work too....

Then, there's DNS. I've inserted

$IPTABLES -A INPUT -p udp --sport 53 -j ACCEPT -s 217.77.32.0/24

I guess I could restrict the IP range more. The point is, however, that my workstation is outside of this range, so I thought it would mean that it would be closed for my workstation...? However, if I do

owl:~# nmap -g 53 -p 53 -sU pooh

Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
Interesting ports on pooh.kjernsmo.net (217.77.32.186):
Port       State       Service
53/udp     open        domain

So, it looks like I didn't understand this stuff....
Finally, I have

$IPTABLES -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 3 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 11 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT

It responds to ping... :-)

I've tried quite a few other things than this too. So, the question is: Have I done something silly? How do I close off DNS for everything except the subnet my box is in?

Thanks again for your help!

Best,

Kjetil
--
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
[EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
Homepage: http://www.kjetil.kjernsmo.net/
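As an added illustration (not part of the original thread), here is a reworked version of the script above that keeps the same open ports, limits inbound DNS to the box's own subnet, and adds the delayed-flush lockout guard the poster mentions. It goes beyond the post by replacing the `--sport 25` / `--sport 53` reply rules with a connection-state rule; it assumes `eth0` is the external interface, `217.77.32.0/24` is the local subnet, and the iptables state match is available.

```shell
#!/bin/sh
# Added example, not the poster's script. Set IPTABLES=echo to print the
# commands instead of applying them.
IPTABLES="${IPTABLES:-/sbin/iptables}"
LAN="217.77.32.0/24"        # subnet from the post, assumed to be the box's own
IFACE="eth0"                # assumed external interface
GUARD_SECONDS=120           # lockout guard: flush unless cancelled in time

# Hypothetical helper: open one inbound TCP service port on the external interface.
allow_tcp_in() {
    $IPTABLES -A INPUT -i "$IFACE" -p tcp --dport "$1" -j ACCEPT
}

# Background job that undoes everything after GUARD_SECONDS unless killed.
# Run `kill $GUARD_PID` once you have confirmed you can still log in.
arm_lockout_guard() {
    ( sleep "$GUARD_SECONDS" && $IPTABLES -F && $IPTABLES -P INPUT ACCEPT ) &
    GUARD_PID=$!
}

apply_rules() {
    $IPTABLES -F
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -A INPUT -i lo -j ACCEPT
    # Replies to traffic this box started (assumes the state match is loaded).
    # This replaces the --sport 25 / --sport 53 rules, which admit any remote
    # host that simply picks that source port.
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    for port in 21 22 25 80 110; do
        allow_tcp_in "$port"
    done
    # If this box also answers DNS: queries only from the local subnet.
    $IPTABLES -A INPUT -i "$IFACE" -s "$LAN" -p udp --dport 53 -j ACCEPT
    $IPTABLES -A INPUT -i "$IFACE" -s "$LAN" -p tcp --dport 53 -j ACCEPT
    # ICMP as in the post: echo-reply, unreachable, time-exceeded, rate-limited echo.
    for t in 0 3 11; do
        $IPTABLES -A INPUT -p icmp --icmp-type "$t" -j ACCEPT
    done
    $IPTABLES -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
}

# Only touch the live firewall when explicitly asked.
if [ "${1:-}" = "--apply" ]; then
    arm_lockout_guard
    apply_rules
    echo "rules applied; run 'kill $GUARD_PID' within ${GUARD_SECONDS}s to keep them"
fi
```

Note that a DROP policy sends no ICMP port-unreachable, so a UDP scan gets no reply and nmap reports the port as open whether or not anything listens; check the rule's packet counters with `iptables -L INPUT -v -n` instead of trusting the scan.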
