[ale] iptables-restore error message

Jonathan Rickman jonathan at xcorps.net
Thu Feb 6 09:32:55 EST 2003


On Thu, 6 Feb 2003, ChangingLINKS.com wrote:


I'm not saying that your firewall script is or is not the culprit, but may
I suggest something a bit more elegant and easy to maintain?

See below...

#!/bin/sh

# chain policies
# set default policies
/usr/sbin/iptables -P INPUT DROP
/usr/sbin/iptables -P OUTPUT ACCEPT
/usr/sbin/iptables -P FORWARD DROP

# flush tables
/usr/sbin/iptables -F
/usr/sbin/iptables -F INPUT
/usr/sbin/iptables -F OUTPUT
/usr/sbin/iptables -F FORWARD
/usr/sbin/iptables -F -t mangle
/usr/sbin/iptables -X
/usr/sbin/iptables -F -t nat

# create DUMP chain ("-N" complains on stderr if the chain already exists, so silence fd 2)
/usr/sbin/iptables -N DUMP 2> /dev/null
/usr/sbin/iptables -F DUMP
/usr/sbin/iptables -A DUMP -p tcp -j LOG
/usr/sbin/iptables -A DUMP -p udp -j LOG
/usr/sbin/iptables -A DUMP -p tcp -j REJECT --reject-with tcp-reset
/usr/sbin/iptables -A DUMP -p udp -j REJECT --reject-with icmp-port-unreachable
/usr/sbin/iptables -A DUMP -j DROP

# Stateful chain (same stderr redirect as above for re-runs)
/usr/sbin/iptables -N STATEFUL 2> /dev/null
/usr/sbin/iptables -F STATEFUL
/usr/sbin/iptables -I STATEFUL -m state --state ESTABLISHED,RELATED -j ACCEPT
# accept NEW connections only if they did not arrive on eth0 (negation goes before the option)
/usr/sbin/iptables -A STATEFUL -m state --state NEW ! -i eth0 -j ACCEPT
/usr/sbin/iptables -A STATEFUL -j DUMP

# loopback rules
/usr/sbin/iptables -A INPUT -i lo -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o lo -j ACCEPT

# drop reserved addresses incoming
/usr/sbin/iptables -A INPUT -i eth0 -s 127.0.0.0/8 -j DUMP
/usr/sbin/iptables -A INPUT -i eth0 -s 192.168.0.0/16 -j DUMP
/usr/sbin/iptables -A INPUT -i eth0 -s 172.16.0.0/12 -j DUMP
/usr/sbin/iptables -A INPUT -i eth0 -s 10.0.0.0/8 -j DUMP

# allow certain inbound ICMP types
/usr/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type destination-unreachable -j ACCEPT
/usr/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type time-exceeded -j ACCEPT
/usr/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type echo-reply -j ACCEPT

# opened ports (adjust to suit)
/usr/sbin/iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT
/usr/sbin/iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT

# push everything else to state table
/usr/sbin/iptables -A INPUT -j STATEFUL


I think you'll be better served with this type of setup. I know I am...

--
Jonathan Rickman
X Corps Security
http://www.xcorps.net
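Added illustration, not part of Jonathan's post: a small Python model of the INPUT, STATEFUL and DUMP chains from the script above, walked with constructed sample packets. It shows which traffic is accepted, which is logged and rejected, and why the rule order matters (anti-spoofing checks come before the open ports, ESTABLISHED/RELATED before NEW). Packet fields and the helper name are assumptions for the model.

```python
import ipaddress

# Address blocks the script's anti-spoofing rules send to DUMP when seen on eth0
RESERVED = [ipaddress.ip_network(n) for n in
            ("127.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")]
OPEN_TCP = {22, 80}                                   # the "opened ports" rules
OK_ICMP = {"destination-unreachable", "time-exceeded", "echo-reply"}

def dump(pkt):
    """DUMP chain: LOG tcp/udp, REJECT tcp with RST and udp with port-unreachable, else DROP."""
    logged = pkt["proto"] in ("tcp", "udp")
    if pkt["proto"] == "tcp":
        return "REJECT tcp-reset", logged
    if pkt["proto"] == "udp":
        return "REJECT icmp-port-unreachable", logged
    return "DROP", logged                             # e.g. ICMP echo-request: dropped, not logged

def stateful(pkt):
    """STATEFUL chain: ESTABLISHED/RELATED first, then NEW only if it did not arrive on eth0."""
    if pkt["state"] in ("ESTABLISHED", "RELATED"):
        return "ACCEPT", False
    if pkt["state"] == "NEW" and pkt["iface"] != "eth0":
        return "ACCEPT", False
    return dump(pkt)

def input_chain(pkt):
    """Walk INPUT top to bottom; returns (verdict, logged). The DROP policy is never reached,
    because the last rule hands every leftover packet to STATEFUL, which ends in DUMP."""
    if pkt["iface"] == "lo":
        return "ACCEPT", False
    if pkt["iface"] == "eth0":
        src = ipaddress.ip_address(pkt["src"])
        if any(src in net for net in RESERVED):      # anti-spoof rules sit above the open ports
            return dump(pkt)
        if pkt["proto"] == "icmp" and pkt.get("icmp_type") in OK_ICMP:
            return "ACCEPT", False
        if pkt["proto"] == "tcp" and pkt.get("dport") in OPEN_TCP:
            return "ACCEPT", False
    return stateful(pkt)

def mkpkt(iface, proto, src, state="NEW", **extra):
    """Build a constructed sample packet (assumed field names, not real traffic)."""
    return dict(iface=iface, proto=proto, src=src, state=state, **extra)

if __name__ == "__main__":
    for p in (mkpkt("eth0", "tcp", "203.0.113.5", dport=22),
              mkpkt("eth0", "tcp", "203.0.113.5", dport=25),
              mkpkt("eth0", "tcp", "10.1.2.3", dport=22),
              mkpkt("eth0", "icmp", "203.0.113.5", icmp_type="echo-request")):
        print(p, "->", input_chain(p))
```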
