The only thing I left was the logging rules.
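script below
#!/bin/sh
# Host firewall for a single exterior interface.  Every chain defaults to
# DROP; the rules below then explicitly accept ssh, smtp, identd replies and
# rate-limited ping on $INTERNET.  Anything else arriving on or leaving via
# $INTERNET is logged and then dropped by the chain policy.  Must run as
# root; the ruleset is saved and reloaded at the end.

# USER DEFINED SECTION
# Exterior Network Variables
# interface
# NOTE: this assigns the literal string "hostname"; HOST is only referenced
# in comments below, never in a rule.
HOST=hostname
# redacted in the posted copy - set to the real address bound to $INTERNET
IPADDRESS=-------
INTERNET=eth1
# set debug logs
# 1 enables logging of accepted packets
DEBUG=0
# rate limit for the two catch-all LOG rules, so a flood of rejected
# packets cannot fill the logs (same rate the ping rules below use)
LOG_LIMIT=6/minute
# END USER DEFINED SECTION

#######################################
# Append one ACCEPT rule, preceded by an identical LOG rule when DEBUG=1.
# Arguments: $1 - log prefix
#            $2.. - chain and match specification passed to iptables
# Returns:   exit status of the iptables ACCEPT call
#######################################
logged_accept() {
  _prefix=$1
  shift
  if [ "$DEBUG" = "1" ]; then
    iptables "$@" -j LOG --log-prefix "$_prefix"
  fi
  iptables "$@" -j ACCEPT
}

###############################################################################
# INITIALIZE IPTABLES
# Flush Previous Rules
iptables -F
# Remove All Previously Defined Chains
iptables -X
# Enable Packet Forwarding
# echo "1" > /proc/sys/net/ipv4/ip_forward
# Set Default For Filter Table Rules
# all rules set to drop will drop any packets not meeting
# one of the defined rules
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# Loopback: none of the -i/-o $INTERNET rules below match lo, so without
# these two rules the DROP policies would cut off local services talking
# to 127.0.0.1 (e.g. the MTA delivering to itself).
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# END SECTION

###############################################################################
# INPUT RULES
# EXTERNAL NETWORK
# all inbound ssh, smtp, and restricted ping packets will be accepted

# SSH
# accept ssh connection to $HOST port 22
logged_accept "INTERNET ssh " -A INPUT -i "$INTERNET" -s 0/0 -d "$IPADDRESS" \
  -p tcp --sport 1024:65535 --dport 22

# SMTP
# accept smtp connection to $HOST port 25
logged_accept "INTERNET smtp " -A INPUT -i "$INTERNET" -s 0/0 -d "$IPADDRESS" \
  -p tcp --sport 1024:65535 --dport 25
# accept connection from exterior host port 25 in reply to smtp from $HOST
logged_accept "INTERNET SMTP reply " -A INPUT -i "$INTERNET" -s 0/0 -d "$IPADDRESS" \
  -p tcp -m state --state ESTABLISHED --sport 25 --dport 1024:65535

# reject identd requests to avoid lengthy timeouts
iptables -A INPUT -i "$INTERNET" -s 0/0 -d "$IPADDRESS" -p tcp \
  --sport 1024:65535 --dport 113 -j REJECT --reject-with tcp-reset
# allow identd responses to my identd requests
logged_accept "INTERNET identd " -A INPUT -i "$INTERNET" -s 0/0 -d "$IPADDRESS" \
  -p tcp -m state --state ESTABLISHED --sport 113 --dport 1024:65535

# PING
# after the default 5 ping-requests only accept 1 every 10 seconds
# all additional requests are dropped
logged_accept "INTERNET ping request " -A INPUT -i "$INTERNET" -s 0/0 -d "$IPADDRESS" \
  -m limit --limit 6/minute -p icmp --icmp-type echo-request
iptables -A INPUT -i "$INTERNET" -s 0/0 -d "$IPADDRESS" \
  -p icmp --icmp-type echo-request -j DROP
# accept ping replies that match ping requests made by $HOST
logged_accept "INTERNET ping reply " -A INPUT -i "$INTERNET" -s 0/0 -d "$IPADDRESS" \
  -m state --state ESTABLISHED -p icmp --icmp-type echo-reply

# LOG
# all packets not meeting above accept rules will be logged (rate-limited)
# then dropped by the default rules
iptables -A INPUT -i "$INTERNET" -m limit --limit "$LOG_LIMIT" \
  -j LOG --log-prefix "INPUT INTERNET: "
# END SECTION

###############################################################################
# OUTPUT RULES
# EXTERIOR NETWORK
# only packets for an established connection are accepted

# SSH
# accept $HOST ssh replies to established connections by external host port 22
logged_accept "MAIL ssh reply " -A OUTPUT -o "$INTERNET" -s "$IPADDRESS" -d 0/0 \
  -m state --state ESTABLISHED -p tcp --sport 22

# SMTP
# accept $HOST smtp replies to established connections to external host port 25
logged_accept "MAIL smtp reply " -A OUTPUT -o "$INTERNET" -s "$IPADDRESS" -d 0/0 \
  -m state --state ESTABLISHED -p tcp --sport 25
# accept $HOST smtp connection to external host port 25
logged_accept "MAIL smtp " -A OUTPUT -o "$INTERNET" -s "$IPADDRESS" -d 0/0 \
  -p tcp --dport 25

# PING
# accept $HOST ping requests to exterior host
logged_accept "MAIL ping request " -A OUTPUT -o "$INTERNET" -s "$IPADDRESS" -d 0/0 \
  -p icmp --icmp-type echo-request
# limit the amount of replies that can be generated from external ping requests
logged_accept "MAIL ping reply " -A OUTPUT -o "$INTERNET" -s "$IPADDRESS" -d 0/0 \
  -m state --state ESTABLISHED -p icmp --icmp-type echo-reply

# allow outgoing identd/AUTH requests
logged_accept "MAIL identd/AUTH " -A OUTPUT -o "$INTERNET" -s "$IPADDRESS" -d 0/0 \
  -p tcp --dport 113

# LOG
# all packets not meeting above accept rules will be logged (rate-limited)
# then dropped by the default rules
iptables -A OUTPUT -o "$INTERNET" -m limit --limit "$LOG_LIMIT" \
  -j LOG --log-prefix "OUTPUT INTERNET: "
# END SECTION

###############################################################################
# START NEW FIREWALL
# SAVE CONFIGURATION
# write to a temporary file first so a failing iptables-save cannot leave an
# empty /etc/sysconfig/iptables behind
_saved=$(mktemp /etc/sysconfig/iptables.XXXXXX) || exit 1
if iptables-save > "$_saved"; then
  mv -f -- "$_saved" /etc/sysconfig/iptables
else
  rm -f -- "$_saved"
  echo "iptables-save failed; saved configuration left unchanged" >&2
  exit 1
fi
# RESTART IPTABLES WITH NEW CONFIGURATION
service iptables restart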