I checked out the example iptables firewall, and I would like to
suggest an alternative. This firewall setup is very
comprehensive yet simple. It is written as an init.d file,
accepting "start", "stop", and "restart" targets so you can
automatically bring up your firewall on boot.
This is a "workstation firewall", not intended for providing
services (like web service via apache). If you want to run
services on your box, you have to specifically open them up (as the
ssh service is below).
---------- /etc/init.d/local-firewall
#!/bin/bash
# Workstation firewall: default-deny on INPUT, open only what is needed.
case "$1" in
  start)
    # Load netfilter and the FTP connection-tracking helper (quiet if built in)
    modprobe -q ip_tables
    modprobe -q ip_conntrack_ftp
    echo "Configuring firewall."
    # Policy on the input chain is to drop
    iptables -P INPUT DROP
    # Accept local traffic on the loopback network
    iptables -I INPUT -j ACCEPT -d 127.0.0.1 -i lo
    # Existing connections allowed
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Accept icmp stuff so we can ping and be pinged
    iptables -A INPUT -p icmp -j ACCEPT
    # Accept port 22 ssh connections from the Truman address space
    iptables -A INPUT -j ACCEPT -s 150.243.0.0/16 -p tcp --syn --dport 22
    # Accept port 113 auth (ident) connections
    iptables -A INPUT -j ACCEPT -p tcp --syn --dport 113
    # If we want to use X11 via xdmcp we open these
    #iptables -A INPUT -j ACCEPT -s 150.243.0.0/16 -p tcp --syn --dport 6000:6007
    #iptables -A INPUT -j ACCEPT -s 150.243.0.0/16 -p udp --dport 6000:6007
    # LAST RULE: anything not matched above is actively rejected
    iptables -A INPUT -j REJECT
    # Print the resulting ruleset
    $0 status
    ;;
  stop)
    echo "Stopping firewall."
    # Reset the policy to ACCEPT before flushing so we are never locked out
    iptables -P INPUT ACCEPT
    iptables -F INPUT
    ;;
  restart)
    $0 stop
    sleep 1
    $0 start
    ;;
  status)
    # Show what we've got
    iptables -n -L INPUT
    ;;
  *)
    # Pass $0 as an argument rather than inside the format string
    printf "Usage: %s {start|stop|restart|status}\n" "$0" >&2
    exit 1
    ;;
esac
----------
--
Don Bindner <[EMAIL PROTECTED]>