[ale] iptables...
Jonathan Rickman
jonathan at xcorps.net
Thu Aug 30 17:36:06 EDT 2001
On Thu, 30 Aug 2001, Timothy Ball wrote:
> I need to filter some ports on my laptop... I don't know iptables...
> (I'm not a networking guy). I've tried looking at the docs, but again
> I'm not a networking guy.
Here's the script I use on my laptop when using ppp. If you're using modules,
you'll need to load them prior to running. I just built them in the kernel...
=============================================
#!/bin/sh
# flush tables
/usr/sbin/iptables -F
# set default policies
/usr/sbin/iptables -P INPUT DROP
/usr/sbin/iptables -P OUTPUT ACCEPT
/usr/sbin/iptables -P FORWARD DROP
# create DUMP table
/usr/sbin/iptables -N DUMP > /dev/null
/usr/sbin/iptables -F DUMP
/usr/sbin/iptables -A DUMP -p tcp -j LOG
/usr/sbin/iptables -A DUMP -p udp -j LOG
/usr/sbin/iptables -A DUMP -p tcp -j REJECT --reject-with tcp-reset
/usr/sbin/iptables -A DUMP -p udp -j REJECT --reject-with icmp-port-unreachable
/usr/sbin/iptables -A DUMP -j DROP
# Stateful table
/usr/sbin/iptables -N STATEFUL > /dev/null
/usr/sbin/iptables -F STATEFUL
/usr/sbin/iptables -I STATEFUL -m state --state ESTABLISHED,RELATED -j ACCEPT
/usr/sbin/iptables -A STATEFUL -m state --state NEW -i ! ppp0 -j ACCEPT
/usr/sbin/iptables -A STATEFUL -j DUMP
# loopback rules
/usr/sbin/iptables -A INPUT -i lo -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o lo -j ACCEPT
# drop reserved addresses incoming
/usr/sbin/iptables -A INPUT -i ppp0 -s 127.0.0.0/8 -j DUMP
/usr/sbin/iptables -A INPUT -i ppp0 -s 192.168.0.0/16 -j DUMP
/usr/sbin/iptables -A INPUT -i ppp0 -s 172.16.0.0/12 -j DUMP
/usr/sbin/iptables -A INPUT -i ppp0 -s 10.0.0.0/8 -j DUMP
# allow certain inbound ICMP types
/usr/sbin/iptables -A INPUT -i ppp0 -p icmp --icmp-type destination-unreachable -j ACCEPT
/usr/sbin/iptables -A INPUT -i ppp0 -p icmp --icmp-type time-exceeded -j ACCEPT
/usr/sbin/iptables -A INPUT -i ppp0 -p icmp --icmp-type echo-reply -j ACCEPT
# allow some services (ssh on 22 & code red catcher on 80)
/usr/sbin/iptables -A INPUT -i ppp0 -p tcp --dport 22 -j ACCEPT
/usr/sbin/iptables -A INPUT -i ppp0 -p tcp --dport 80 -j ACCEPT
# push everything else to state table
/usr/sbin/iptables -A INPUT -j STATEFUL
===================================================================
Hope that helps...
--
Jonathan Rickman
X Corps Security
http://www.xcorps.net
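The same default-deny design as the script above, written up as an added example (not Jonathan's script) that takes the untrusted interface and the permitted TCP ports as arguments and prints the rules for review before anything is applied. It also spells the long options and the interface negation the way current iptables expects; the IPT variable and gen_rules function are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the original post's script): generate the same ruleset
# for any interface and set of allowed TCP ports. Dry-run by default: IPT
# defaults to "echo", so the rules are printed for review; set
# IPT=/usr/sbin/iptables and run as root to apply them.
IPT="${IPT:-echo /usr/sbin/iptables}"

# Private/loopback ranges that must never arrive from the outside (RFC 1918 + 127/8).
BOGONS="127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# gen_rules IFACE PORT [PORT...]: IFACE is the untrusted link (ppp0 in the post).
gen_rules() {
    iface="$1"; shift
    $IPT -F
    $IPT -P INPUT DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -P FORWARD DROP
    # DUMP: log, then answer TCP with RST and UDP with port-unreachable, drop the rest
    $IPT -N DUMP 2>/dev/null
    $IPT -F DUMP
    $IPT -A DUMP -p tcp -j LOG
    $IPT -A DUMP -p udp -j LOG
    $IPT -A DUMP -p tcp -j REJECT --reject-with tcp-reset
    $IPT -A DUMP -p udp -j REJECT --reject-with icmp-port-unreachable
    $IPT -A DUMP -j DROP
    # STATEFUL: replies to our own connections, NEW only from trusted interfaces
    # (the post's "-i ! ppp0" is the deprecated spelling of "! -i ppp0")
    $IPT -N STATEFUL 2>/dev/null
    $IPT -F STATEFUL
    $IPT -A STATEFUL -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A STATEFUL -m state --state NEW ! -i "$iface" -j ACCEPT
    $IPT -A STATEFUL -j DUMP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    for net in $BOGONS; do
        $IPT -A INPUT -i "$iface" -s "$net" -j DUMP
    done
    for t in destination-unreachable time-exceeded echo-reply; do
        $IPT -A INPUT -i "$iface" -p icmp --icmp-type "$t" -j ACCEPT
    done
    # Long options take two dashes: "-dport" (as in the post) is read as "-d port" and fails.
    for port in "$@"; do
        $IPT -A INPUT -i "$iface" -p tcp --dport "$port" -j ACCEPT
    done
    $IPT -A INPUT -j STATEFUL
}

# Usage: ./fw.sh ppp0 22 80
if [ "$#" -ge 2 ]; then gen_rules "$@"; fi
```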