On Mon, Aug 24, 2009 at 9:58 PM, Wade Preston Shearer <[email protected]> wrote:

> I have modified an iptables configuration script to what you see below. I
> am interested in feedback on anything I am overlooking or potential mistakes
> before I implement it.
>
> ### SCRIPT ###
> #!/bin/sh
> # Drop all incoming traffic
> /sbin/iptables -P INPUT DROP
> # Drop all forwarded traffic
> /sbin/iptables -P FORWARD DROP
> # Allow all outgoing traffic
> /sbin/iptables -P OUTPUT ACCEPT
> # Allow returning packets
> /sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> # Allow incoming traffic on port 80 for web server
> /sbin/iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
> # Allow incoming traffic on port 25 for mail server
> /sbin/iptables -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
> # Allow incoming SSH on port XX
> #/sbin/iptables -A INPUT -p tcp -m tcp --dport XX -j ACCEPT
> # Allow ping
> /sbin/iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
> /sbin/iptables-save > /etc/sysconfig/iptables
> chmod go-r /etc/sysconfig/iptables
> /sbin/sudo service iptables restart
> ### /SCRIPT ###
>
> One example rule that I have seen is allowing all local traffic. Does that
> mean the local network the server is within or traffic inside the box?
>
> Note that I have X'd out the SSH port to disguise the custom port I access
> my server on.
>
> Thanks.
>
> /*
> PLUG: http://plug.org, #utah on irc.freenode.net
> Unsubscribe: http://plug.org/mailman/options/plug
> Don't fear the penguin.
> */

You might want to consider something like the following:

/sbin/iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 5/sec --limit-burst 5 -j ACCEPT

I can understand allowing certain packets, but does it really mean you have to allow *all* of them? ;)
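As an added example (not from either poster), here is the same policy written as an iptables-restore ruleset, which also folds in the two points raised in the thread: loopback traffic ("local traffic" in the sense of traffic inside the box) is accepted explicitly, and echo requests are rate limited as the reply suggests. Loading with iptables-restore replaces the filter table atomically, so re-running the script does not append duplicate rules the way repeated `-A` calls do; `SSH_PORT` is a placeholder for the poster's undisclosed custom port.

```shell
#!/bin/sh
# Added example, not the original poster's script. Emits an iptables-restore
# ruleset equivalent to the quoted policy plus loopback and ICMP rate limiting.
# SSH_PORT is a placeholder: the thread does not disclose the real port.
SSH_PORT="${SSH_PORT:-22}"

gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Traffic inside the box: accept everything on the loopback interface.
-A INPUT -i lo -j ACCEPT
# Replies to connections this host initiated.
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Web and mail, as in the original script.
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
# SSH on the custom port (placeholder value, see above).
-A INPUT -p tcp -m tcp --dport ${SSH_PORT} -j ACCEPT
# Echo requests allowed but rate limited, per the reply's suggestion.
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 5/sec --limit-burst 5 -j ACCEPT
COMMIT
EOF
}

# Dry run: iptables-restore --test parses the ruleset without loading it.
# Exit status 0 means the syntax was accepted. Needs root and iptables.
check_ruleset() {
    gen_ruleset | iptables-restore --test
}

# Sanity check of exposure: how many rules open a TCP port to the outside.
count_open_tcp_ports() {
    gen_ruleset | grep -c -- '-p tcp -m tcp --dport'
}

# Persist the ruleset the same way the quoted script does, then load it.
install_ruleset() {
    gen_ruleset > /etc/sysconfig/iptables
    chmod go-r /etc/sysconfig/iptables
    iptables-restore < /etc/sysconfig/iptables
}
```

Run `check_ruleset` before `install_ruleset` so a typo in the file cannot leave the host without rules.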
