Naresh on Tue, 24 Dec 2002 15:10:34 -0500



Re: [PLUG] my first fw rules


To clear the rules, you can use:


$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

Hope that helps,
Naresh

On Tue, 24 Dec 2002 epike@isinet.com wrote:

> Hi list..
>
> I've finally able to write my own firewall rules, I'd appreciate
> it if somebody comments or hints for general suggestions, thanks!
> (this is my first try).
>
> I'm getting the hang of it and it seems to work; though if I'm
> missing something let me know, much appreciated.
>
> (the server is behind a linksys router so its on
> the 192.168.1 network, configured as the DMZ host).
>
> e pike
>
> ---------
>
> #! /bin/sh
> ###################################################################
> # SIMPLE FW RULES, 1-ETHERNET, NO FORWARDING, NO MASQ, SERVICES ONLY
> #
> # OBJECTIVES: 1. Allow standard services (ftp, telnet, web, squid, etc)
> #             2. Log everything else that's not allowed, then drop them
> #
> # JondZ Mon Dec 23 16:12:14 EST 2002
> ####################################################################
>
> VERSION="JondZ 12/2002"
> WAN_DEVICE=eth0
> WAN_DEVICE_BROADCAST=192.168.1.255   # single host address; a /24 mask here would match the whole subnet
> TCP_OPENPORTS=20,21,22,23,25,53,80,110,137,138,139,3128
> UDP_OPENPORTS=53,137,138,139
>
> IPTABLES=/sbin/iptables
>
> echo "$0 ($VERSION): Starting custom firewall..."
>
> ###########################################################
> # INITIALIZE CHAINS
> ###########################################################
> echo "$0: initializing chains..."
> $IPTABLES -F INPUT
> $IPTABLES -F OUTPUT
> $IPTABLES -F FORWARD
> $IPTABLES -X
> $IPTABLES -Z
>
> #############################################
> # IMPLEMENT DEFAULT DRACONIAN POLICIES
> #############################################
> echo "$0: applying default policies..."
> $IPTABLES -P INPUT    DROP
> $IPTABLES -P OUTPUT   ACCEPT
> $IPTABLES -P FORWARD  DROP
>
> #############################################
> # lo CONNECTIONS
> #############################################
> echo "$0: Accepting lo connections..."
> $IPTABLES -A INPUT  -i lo -j ACCEPT
>
> #############################################
> # LOG FORWARDING ATTEMPTS
> #############################################
> $IPTABLES -A FORWARD -j LOG --log-prefix "FWD_DETECTED "
>
>
> #############################################
> # DROP BROADCAST PACKETS
> #############################################
> # echo "$0: accepting broadcast packets.."
> # $IPTABLES -A INPUT -i $WAN_DEVICE -d $WAN_DEVICE_BROADCAST -j ACCEPT
>
> #############################################
> # INCOMING TCP CONNECTIONS for WAN_DEVICE
> #############################################
> echo "$0: Allowing TCP Services..."
> $IPTABLES -A INPUT -i $WAN_DEVICE -p tcp \
>           -m state --state INVALID -j DROP
> $IPTABLES -A INPUT -i $WAN_DEVICE -p tcp \
>           -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A INPUT -i $WAN_DEVICE -p tcp \
>           -m state --state NEW -m multiport \
>           --destination-port $TCP_OPENPORTS -j ACCEPT
> $IPTABLES -A INPUT -i $WAN_DEVICE -p tcp \
>           -m limit --limit 3/s -j LOG --log-prefix "TCP_IN "
>
> #################################################
> # INCOMING UDP CONNECTIONS for WAN_DEVICE
> #################################################
> echo "$0: Allowing UDP Services..."
> $IPTABLES -A INPUT -i $WAN_DEVICE -p udp \
>           -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A INPUT -i $WAN_DEVICE -p udp \
>           -m state --state NEW -m multiport \
>           --destination-port $UDP_OPENPORTS -j ACCEPT
> $IPTABLES -A INPUT -i $WAN_DEVICE -p udp \
>           -m limit --limit 3/s -j LOG --log-prefix "UDP_IN "
>
> #############################################
> # INCOMING ICMP CONNECTIONS
> #############################################
> echo "$0: allowing some ICMP Connections..."
>
> #################################################################
> # ICMP TYPES (incomplete)
> # --------------------------
> # (ideas gathered from fw script of vogt@hansenet.com)
> #
> # 0  - echo reply
> # 8  - echo
> # 3  - Destination Unreachable
> # 11 - Time Exceeded
> # 30 - Traceroute
> #
> # Ping - icmp types 0,8
> # destination unreachable - 3
> # traceroute - 11,30
> ####################################################################
> $IPTABLES -A INPUT -i $WAN_DEVICE -p icmp --icmp-type  0 -j ACCEPT
> $IPTABLES -A INPUT -i $WAN_DEVICE -p icmp --icmp-type  8 -j ACCEPT
> $IPTABLES -A INPUT -i $WAN_DEVICE -p icmp --icmp-type  3 -j ACCEPT
> $IPTABLES -A INPUT -i $WAN_DEVICE -p icmp --icmp-type 11 -j ACCEPT
> $IPTABLES -A INPUT -i $WAN_DEVICE -p icmp --icmp-type 30 -j ACCEPT
> _________________________________________________________________________
> Philadelphia Linux Users Group        --       http://www.phillylinux.org
> Announcements - http://lists.netisland.net/mailman/listinfo/plug-announce
> General Discussion  --   http://lists.netisland.net/mailman/listinfo/plug
>
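As an added example (not part of either poster's message), the following POSIX shell script reads the kernel log lines that the script's LOG rules emit under the "TCP_IN ", "UDP_IN " and "FWD_DETECTED " prefixes and summarises what the default DROP policy is rejecting, which is what objective 2 of the script is for. The log lines, hosts and ports are constructed for the example; on a real box you would feed it /var/log/messages (or wherever syslog sends kern.* on your distribution).

```shell
#!/bin/sh
# Constructed sample of iptables LOG output (hypothetical hosts/ports).
# Real lines carry more fields (MAC=, LEN=, TTL=, ...); the parser below
# only relies on the "kernel: <prefix>", SRC=, PROTO= and DPT= tokens.
FW_LOG_SAMPLE='Dec 24 14:58:01 dmz kernel: TCP_IN IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.2 PROTO=TCP SPT=4431 DPT=1433 SYN
Dec 24 14:58:03 dmz kernel: TCP_IN IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.2 PROTO=TCP SPT=4432 DPT=1433 SYN
Dec 24 14:58:09 dmz kernel: UDP_IN IN=eth0 OUT= SRC=198.51.100.9 DST=192.168.1.2 PROTO=UDP SPT=1025 DPT=161
Dec 24 14:59:40 dmz kernel: TCP_IN IN=eth0 OUT= SRC=198.51.100.9 DST=192.168.1.2 PROTO=TCP SPT=4433 DPT=8080 SYN
Dec 24 15:01:12 dmz kernel: FWD_DETECTED IN=eth0 OUT=eth0 SRC=192.168.1.50 DST=10.0.0.5 PROTO=TCP SPT=40000 DPT=80 SYN'

# Number of log lines carrying a given --log-prefix (TCP_IN, UDP_IN, FWD_DETECTED).
count_prefix() {
    printf '%s\n' "$FW_LOG_SAMPLE" | grep -c "kernel: $1 "
}

# One line per "prefix proto dport" with its hit count, most frequent first:
# these are the ports that fell through to the DROP policy after being logged.
summarize_fw_log() {
    printf '%s\n' "$FW_LOG_SAMPLE" | awk '
        /kernel: (TCP_IN|UDP_IN|FWD_DETECTED) / {
            prefix = ""; proto = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "kernel:") prefix = $(i + 1)
                else if ($i ~ /^PROTO=/) proto = substr($i, 7)
                else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            count[prefix " " proto " " dpt]++
        }
        END { for (k in count) print k, count[k] }' | sort -k4,4nr -k1,1
}

# Source addresses behind a given prefix, busiest first ("<count> <src>").
top_sources() {
    printf '%s\n' "$FW_LOG_SAMPLE" | grep "kernel: $1 " \
        | sed -n 's/.*SRC=\([^ ]*\).*/\1/p' | sort | uniq -c | sort -rn
}

summarize_fw_log
top_sources TCP_IN
```

Because the script rate-limits its LOG rules to 3/s, counts from a real log are a lower bound during a scan, not an exact packet count.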