[GLLUG] Iptables

Caleb Cushing xenoterracide at gmail.com
Fri Jun 23 23:11:18 EDT 2006


I want a more secure iptables firewall, but whenever I try to make it more
secure... I lose internet access somewhere (depending on what I'm securing).
This is my current script. It's undergoing major modifications, so if anyone
has suggestions... If I put > in front of something, that means that rule
has to go.

iptables -F


# Policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Input Policy
iptables -A INPUT -i lo -j ACCEPT

iptables -A INPUT -p tcp --syn -m limit --limit 5/s -i eth0 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
>iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # I don't want to allow this on all ports
iptables -A INPUT -p tcp --dport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp --dport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 1863 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 5050 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 5190 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 6667 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -p tcp -i eth0 -j REJECT --reject-with tcp-reset
iptables -A INPUT -p udp -i eth0 -j REJECT --reject-with icmp-port-unreachable


# Forward Policy
iptables -A FORWARD -p tcp --syn -m limit --limit 5/s -i eth0 -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A FORWARD -p tcp --dport 443 -m state --state NEW -j ACCEPT
iptables -A FORWARD -m state --state INVALID -j DROP
>iptables -A FORWARD -j ACCEPT # not secure at all but I can't get it to work without this.

That's it. Can anyone help?
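A restructured version of the script above, added here as an example and not the original poster's code: it keeps the ESTABLISHED,RELATED rule (that rule is what lets replies to the host's own outbound connections back in, so dropping it is why internet access disappears) and instead scopes NEW connections to the listed ports, with the SYN rate limit applied per port rather than as a blanket ACCEPT. It assumes eth0 faces the internet, eth1 is a LAN being forwarded, and that any NAT for the LAN is configured separately in the nat table.

```shell
#!/bin/sh
# Added example (not the original poster's script): the same service list,
# restructured so the host keeps internet access with INPUT/FORWARD at DROP.
# Assumed: eth0 faces the internet, eth1 is the LAN being forwarded, and
# NAT for the LAN is done in the nat table elsewhere. IPT=echo = dry run.
IPT="${IPT:-iptables}"
WAN=eth0
LAN=eth1
TCP_PORTS="22 80 443 1863 5050 5190 6667"   # services from the original post

apply_rules() {
    $IPT -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    # Drop what conntrack cannot classify before any ACCEPT rule sees it.
    $IPT -A INPUT -m state --state INVALID -j DROP
    # Replies to connections this host opened (DNS, web, IM) arrive as
    # ESTABLISHED on arbitrary ports; removing this rule is what breaks
    # outbound access. It admits no NEW connection on any port.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # NEW connections only to listed ports; the SYN rate limit sits here,
    # per port, not as a blanket ACCEPT ahead of the port rules.
    for p in $TCP_PORTS; do
        $IPT -A INPUT -i "$WAN" -p tcp --dport "$p" --syn \
            -m limit --limit 5/s --limit-burst 10 -j ACCEPT
    done
    $IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
    # Everything else is rejected explicitly so clients fail fast.
    $IPT -A INPUT -i "$WAN" -p tcp -j REJECT --reject-with tcp-reset
    $IPT -A INPUT -i "$WAN" -p udp -j REJECT --reject-with icmp-port-unreachable
    # FORWARD (LAN -> internet): replies first, then web and DNS. DNS is
    # the one usually forgotten; without it the web looks down too.
    $IPT -A FORWARD -m state --state INVALID -j DROP
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    for p in 53 80 443; do
        $IPT -A FORWARD -i "$LAN" -o "$WAN" -p tcp --dport "$p" \
            -m state --state NEW -j ACCEPT
    done
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -p udp --dport 53 \
        -m state --state NEW -j ACCEPT
}

# Dry run unless told to apply: `sh firewall.sh apply` loads the rules.
case "${1:-}" in
    apply) apply_rules ;;
    *)     IPT=echo; apply_rules ;;
esac
```

Run it without arguments first to review the generated rules; the order matters, since iptables stops at the first matching rule, which is why INVALID and ESTABLISHED,RELATED come before the per-port rules.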