to deny all incoming traffic, you need to drop the "input" in your policy. btw, I've attached a sample script that you can use as an example when building your rulesets.
meric

----- Original Message -----
From: "Ina Patricia Lopez" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, October 15, 2002 1:31 PM
Subject: Re: [plug] ipchains (masq)

> thanks Meric.
>
> I'll try using iptables.
> what if i want to deny & log all incoming traffic to my eth0 and only
> allow specific port connections like smtp, http, ssh and imap? how do i
> specify port?
>
> thanks,
> ina
>
> --- "Mara,Meric B" <[EMAIL PROTECTED]> wrote:
> > here's the easy way to do it.
> > (note: you can change the ethernet value to whichever interface you
> > want to masquerade your network on.)
> >
> > IPTABLES="/sbin/iptables"
> >
> > $IPTABLES -F INPUT
> > $IPTABLES -F OUTPUT
> > $IPTABLES -F FORWARD
> >
> > $IPTABLES -P INPUT DROP
> > $IPTABLES -P OUTPUT ACCEPT
> > $IPTABLES -P FORWARD ACCEPT
> >
> > #Enable IP FORWARDING
> >
> > echo 1 > /proc/sys/net/ipv4/ip_forward
> >
> > $IPTABLES -A INPUT -i lo -j ACCEPT
> > $IPTABLES -A INPUT -i eth0 -j ACCEPT
> > $IPTABLES -A INPUT -i eth1 -j ACCEPT
> >
> > $IPTABLES -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> >
> > =========
> > but if you still want to use ipchains
> >
> > #iptables -F
> > #rmmod iptables
> > #service ipchains start
> > #chkconfig --level 35 ipchains on
> >
> > hope this helps.
> >
> > meric
> >
> > ----- Original Message -----
> > From: "Ina Patricia Lopez" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Tuesday, October 15, 2002 10:37 AM
> > Subject: Re: [plug] ipchains (masq)
> >
> > > /sbin/iptables -L is working. I don't know how to use masq with
> > > iptables. I'm just following these 3 lines for ipchains.
> > >
> > > echo 1 > /proc/sys/net/ipv4/ip_forward
> > > ipchains -P forward DENY
> > > ipchains -A forward -i ppp0 -j MASQ
> > >
> > > how do i unload iptables and load ipchains?
> > >
> > > thanks,
> > > ina patricia
> > >
> > > --- "Mara,Meric B" <[EMAIL PROTECTED]> wrote:
> > > > check if the IPTABLE is loaded in your kernel.
> > > > you must unload it first.
> > > > then insert IPCHAIN if that is what you prefer.
> > > >
> > > > but why not use IPTABLE?
> > > >
> > > > ----- Original Message -----
> > > > From: "Ina Patricia Lopez" <[EMAIL PROTECTED]>
> > > > To: <[EMAIL PROTECTED]>
> > > > Sent: Tuesday, October 15, 2002 10:12 AM
> > > > Subject: [plug] ipchains (masq)
> > > >
> > > > > Hi!
> > > > > I want to use ipchains for masquerading but I'm getting this from
> > > > > my linux box. How do i enable it? What do i need?
> > > > >
> > > > > thanks.
> > > > > inapatricia
> > > > >
> > > > > [root@IntraServ ]# /etc/rc.d/init.d/ipchains stop
> > > > > Flushing all chains: ipchains: Incompatible with this kernel
> > > > > [FAILED]
> > > > > Removing user defined chains: ipchains: Incompatible with this kernel
> > > > > [FAILED]
> > > > > Resetting built-in chains to the default ACCEPT policy:ipchains:
> > > > > Protocol not available
> > > > > [FAILED]
> > > > > [root@IntraServ ]# /etc/rc.d/init.d/ipchains start
> > > > > [root@IntraServ ]# /sbin/ipchains -L
> > > > > ipchains: Incompatible with this kernel
> > > > > [root@IntraServ ]#
> > > > >
> > > > > _
> > > > > Philippine Linux Users Group. Web site and archives at http://plug.linux.org.ph
> > > > > To leave: send "unsubscribe" in the body to [EMAIL PROTECTED]
> > > > >
> > > > > Fully Searchable Archives With Friendly Web Interface at http://marc.free.net.ph
> > > > >
> > > > > To subscribe to the Linux Newbies' List: send "subscribe" in the body to [EMAIL PROTECTED]
#!/bin/sh
#
# In order to use this IPTables firewall script you
# must have IPTables installed. You also must be using
# a 2.4.x series Kernel, with IPTables support compiled
# into it, which is standard for most newer Linux distributions.
#
# Once the script has been edited with all your relevant
# information (IP's, Network Interfaces, etc..) simply
# make the script executable and run it as root.
#
# chmod 700 iptables-firewall
# ./iptables-firewall
#
# If you would like to see what rules are currently set, as
# root run iptables -L
#
# If you've messed up and need to bring down the firewall
# for whatever reason, run iptables -F
#
# If you would like to have the firewall automatically
# come up at boot time, add the path to the script to
# the bottom of your /etc/rc.d/rc.local file. For instance
# /root/bin/iptables-firewall
#
# If you're not sure about something, check out the iptables
# man page by typing 'man iptables' (without the ''s) at the
# command prompt.
#
# This script is an enhanced/modified version of the
# iptables-script written by Davion
#
# If you have any questions, please come see us in #Linuxhelp.net
# on the DALnet IRC network. (www.linuxhelp.net/ircinfo.shtml)

# The location of the IPtables binary file on your system.
IPT="/sbin/iptables"

# The Network Interface you will be protecting. For ADSL/dialup users,
# ppp0 should be fine. If you are using a cable internet connection or
# are connected to a LAN, you will have to change this to "eth0".
INT="ppp0"

# The following rules will clear out any existing firewall rules,
# and any chains that might have been created.
$IPT -F
$IPT -F INPUT
$IPT -F OUTPUT
$IPT -F FORWARD
$IPT -F -t mangle
$IPT -F -t nat
$IPT -X

# These will set up our policies.
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT

# The following line enables IP forwarding and thus,
# by extension, NAT. Turn this on if you're going to be
# doing NAT or IP Masquerading.
#echo 1 > /proc/sys/net/ipv4/ip_forward

# Source NAT everything heading out the $INT (external)
# interface to be the given IP. If you have a dynamic IP
# address or a DHCP IP that changes semi-regularly, comment out
# the first line and uncomment the second line.
#
# Remember to change the ip address below to your static ip.
#
$IPT -t nat -A POSTROUTING -o $INT -j SNAT --to 216.138.195.197
#$IPT -t nat -A POSTROUTING -o $INT -j MASQUERADE

# This rule protects your forwarding rule.
$IPT -A FORWARD -i $INT -m state --state NEW,INVALID -j DROP

# If you would like to forward specific ports to other machines
# on your home network, edit and uncomment the rules below. They are
# currently set up to forward port 25 & 53 (Mail & DNS) to 10.1.1.51.
# Anything incoming over your $INT through your gateway will
# be automatically redirected invisibly to port 25 & 53 on 10.1.1.51
#$IPT -t nat -A PREROUTING -i $INT -p tcp --dport 25 -j DNAT --to 10.1.1.51:25
#$IPT -t nat -A PREROUTING -i $INT -p tcp --dport 53 -j DNAT --to 10.1.1.51:53
#$IPT -t nat -A PREROUTING -i $INT -p udp --dport 53 -j DNAT --to 10.1.1.51:53

# These two redirect a block of ports, in both udp and tcp.
#$IPT -t nat -A PREROUTING -i $INT -p tcp --dport 2300:2400 -j DNAT --to 10.1.1.50
#$IPT -t nat -A PREROUTING -i $INT -p udp --dport 2300:2400 -j DNAT --to 10.1.1.50

# Now, our firewall chain. We use the limit match to
# cap the rate at which it alerts to 15 log messages per minute.
$IPT -N firewall
$IPT -A firewall -m limit --limit 15/minute -j LOG --log-prefix Firewall:
$IPT -A firewall -j DROP

# Now, our dropwall chain, for the final catchall filter.
$IPT -N dropwall
$IPT -A dropwall -m limit --limit 15/minute -j LOG --log-prefix Dropwall:
$IPT -A dropwall -j DROP

# Our "hey, them's some bad tcp flags!" chain.
$IPT -N badflags
$IPT -A badflags -m limit --limit 15/minute -j LOG --log-prefix Badflags:
$IPT -A badflags -j DROP

# And our silent drop chain (no logging).
$IPT -N silent
$IPT -A silent -j DROP

# This rule will accept connections from local machines. If you have
# a home network, enter the IP's of the machines on the
# network below.
$IPT -A INPUT -i lo -j ACCEPT
#$IPT -A INPUT -s 10.1.1.50 -d 0/0 -p all -j ACCEPT
#$IPT -A INPUT -s 10.1.1.51 -d 0/0 -p all -j ACCEPT
#$IPT -A INPUT -s 10.1.1.52 -d 0/0 -p all -j ACCEPT

# Drop those nasty packets! These are all TCP flag
# combinations that should never, ever occur in the
# wild. All of these are illegal combinations that
# are used to attack a box in various ways, so we
# just drop them and log them here.
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j badflags
$IPT -A INPUT -p tcp --tcp-flags ALL ALL -j badflags
$IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j badflags
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j badflags
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j badflags
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j badflags

# Drop icmp, but only after letting certain types through
# (echo reply, destination unreachable, time exceeded, and
# rate-limited echo requests).
$IPT -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 3 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 11 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
$IPT -A INPUT -p icmp -j firewall

# If you would like to open up port 22 (SSH Access) to various IP's
# simply edit the IP's below and uncomment the line. If you wish to
# enable SSH access from anywhere, uncomment the second line only.
#$IPT -A INPUT -i $INT -s 10.1.1.1 -d 0/0 -p tcp --dport 22 -j ACCEPT
#$IPT -A INPUT -i $INT -s 0/0 -d 0/0 -p tcp --dport 22 -j ACCEPT

# If you are running a Web Server, uncomment the next line to open
# up port 80 on your machine.
#$IPT -A INPUT -i $INT -s 0/0 -d 0/0 -p tcp --dport 80 -j ACCEPT

# Let's do some basic state-matching. This allows us
# to accept related and established connections, so
# client-side things like ftp work properly, for example.
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Drop port 137 netbios packets silently (comment this rule out if you
# would rather have them logged by the dropwall below).
# We don't like that netbios stuff, and it's way too
# spammy with windows machines on the network.
$IPT -A INPUT -p udp --sport 137 --dport 137 -j silent

# Our final trap. Everything on INPUT goes to the dropwall
# so we don't get silent drops.
$IPT -A INPUT -j dropwall
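As an added example (not from the thread or the attached script), here is a ruleset answering Ina's question above: deny and log everything arriving on eth0, accepting only new SMTP, HTTP, SSH and IMAP connections, with each port given via `-p tcp --dport`. The interface name, the four-port list, the `/sbin/iptables` path and the `IPT` dry-run variable are assumptions.

```shell
#!/bin/sh
# Added example, not from the list thread or the attached script.
# Answers: "deny & log all incoming traffic to eth0, only allow smtp, http,
# ssh and imap" -- ports are specified with -p tcp --dport <port>.
# Assumptions: external interface is eth0, services are the four tcp ports
# below, iptables lives at /sbin/iptables (set IPT="echo /sbin/iptables"
# to dry-run and just print the commands instead of applying them).
INT="eth0"
SERVICES="25 80 22 143"             # smtp http ssh imap
IPT="${IPT:-/sbin/iptables}"

# Emit the INPUT-chain rules, one per line, in the order they must be applied.
firewall_rules() {
    echo "-F INPUT"
    echo "-P INPUT DROP"            # policy: anything not explicitly accepted is dropped
    echo "-A INPUT -i lo -j ACCEPT"
    # replies to connections this box opened must still get back in
    echo "-A INPUT -i $INT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for port in $SERVICES; do
        # only fresh connections (NEW) to each listed port are accepted
        echo "-A INPUT -i $INT -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    # everything else on $INT: log (rate-limited so a scan cannot flood syslog),
    # then drop. LOG is non-terminating, so it must come right before the DROP.
    echo "-A INPUT -i $INT -m limit --limit 15/minute -j LOG --log-prefix INPUT-DROP:"
    echo "-A INPUT -i $INT -j DROP"
}

# Run every rule through $IPT; stop at the first failure.
apply_rules() {
    firewall_rules | while read -r rule; do
        # shellcheck disable=SC2086  # word-splitting of $rule is intended
        $IPT $rule || exit 1
    done
}

# How many ACCEPT rules open a given tcp port (sanity check for the ruleset).
accept_rule_count() {
    firewall_rules | grep -c -- "--dport $1 -m state --state NEW -j ACCEPT"
}

# The last rule must be the DROP so nothing slips through unlogged.
last_rule() {
    firewall_rules | tail -n 1
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Run it as root with `apply` to load the rules; with `IPT="echo /sbin/iptables"` it only prints the commands so the ruleset can be reviewed first.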
