[ale] Iptables examples
Jonathan Rickman
jonathan at xcorps.net
Sun Jun 1 23:37:01 EDT 2003
On Sat, 31 May 2003 matty91 at bellsouth.net wrote:
> Does anyone have an example iptable script that blocks everything in, but
> allows connections (TCP/ICMP/UDP) out (and keeps state)? I am trying to
> devise something for my laptop, and would like a known working example.
#!/bin/sh
# flush tables (the filter table's built-in chains only; user chains survive a flush,
# which is why each one below is created with -N and then emptied with -F)
/usr/sbin/iptables -F
# set default policies: nothing in unless a rule says so, everything out, no forwarding
/usr/sbin/iptables -P INPUT DROP
/usr/sbin/iptables -P OUTPUT ACCEPT
/usr/sbin/iptables -P FORWARD DROP
# DUMP: log TCP and UDP, answer them with a clean reject, silently drop everything else (ICMP included)
# (-N on an existing chain complains on stderr and exits non-zero, so it is stderr that needs redirecting)
/usr/sbin/iptables -N DUMP 2> /dev/null
/usr/sbin/iptables -F DUMP
/usr/sbin/iptables -A DUMP -p tcp -j LOG
/usr/sbin/iptables -A DUMP -p udp -j LOG
/usr/sbin/iptables -A DUMP -p tcp -j REJECT --reject-with tcp-reset
/usr/sbin/iptables -A DUMP -p udp -j REJECT --reject-with icmp-port-unreachable
/usr/sbin/iptables -A DUMP -j DROP
# STATE: replies to our own connections are let in; NEW connections only from interfaces other than ppp0;
# anything else (including conntrack INVALID) goes to DUMP
/usr/sbin/iptables -N STATEFUL 2> /dev/null
/usr/sbin/iptables -F STATEFUL
/usr/sbin/iptables -I STATEFUL -m state --state ESTABLISHED,RELATED -j ACCEPT
# "! -i ppp0" is the current spelling of the negation; the older "-i ! ppp0" form is deprecated
/usr/sbin/iptables -A STATEFUL -m state --state NEW ! -i ppp0 -j ACCEPT
/usr/sbin/iptables -A STATEFUL -j DUMP
# LOOPBACK
/usr/sbin/iptables -A INPUT -i lo -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o lo -j ACCEPT
# RFC1918 (plus the 127/8 loopback net): private source addresses never legitimately arrive on the WAN link,
# and these rules sit before the state check so a spoofed source is dumped even if conntrack knows the flow
/usr/sbin/iptables -A INPUT -i ppp0 -s 127.0.0.0/8 -j DUMP
/usr/sbin/iptables -A INPUT -i ppp0 -s 192.168.0.0/16 -j DUMP
/usr/sbin/iptables -A INPUT -i ppp0 -s 172.16.0.0/12 -j DUMP
/usr/sbin/iptables -A INPUT -i ppp0 -s 10.0.0.0/8 -j DUMP
# ICMP: only the replies and errors our own traffic needs; an inbound echo-request falls through to STATEFUL
# and, being NEW on ppp0, ends up silently dropped in DUMP
/usr/sbin/iptables -A INPUT -i ppp0 -p icmp --icmp-type destination-unreachable -j ACCEPT
/usr/sbin/iptables -A INPUT -i ppp0 -p icmp --icmp-type time-exceeded -j ACCEPT
/usr/sbin/iptables -A INPUT -i ppp0 -p icmp --icmp-type echo-reply -j ACCEPT
# push everything else to state
/usr/sbin/iptables -A INPUT -j STATEFUL
s/ppp0/[your interface of choice]/g
That should do it...
--
Jonathan Rickman
X Corps Security
http://www.xcorps.net
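The chain layout in the script above (INPUT hands off to STATEFUL, which hands off to DUMP) is easy to get subtly wrong when editing, and iptables gives no way to dry-run a packet against it without root. The following is an added example, not code from the post or from the poster: a small Python model of exactly those three chains, one predicate per rule in the script's order, so you can walk sample packets through them and see the verdict and LOG lines each one produces. It assumes ppp0 as the WAN interface (the post tells you to substitute your own), treats conntrack state as a given attribute of the packet, and models only the INPUT side the script expresses (OUTPUT is policy ACCEPT and FORWARD is policy DROP, with no rules to walk). The sample packets at the bottom are constructed, not captures.

```python
import ipaddress

WAN = "ppp0"  # assumption: the interface the script names; substitute yours as the post says

# The four source nets the script dumps on the WAN link (127/8 is loopback space rather than
# RFC 1918, but it is just as bogus as a source on a PPP link)
BOGUS_SRC = [ipaddress.ip_network(n) for n in
             ("127.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")]

# The three ICMP types the script accepts unconditionally on the WAN link
ICMP_IN = ("destination-unreachable", "time-exceeded", "echo-reply")


def pkt(iface, proto, src, state="NEW", icmp_type=None):
    """A packet as netfilter sees it: arrival interface, protocol, source, conntrack state."""
    return {"iface": iface, "proto": proto, "src": src, "state": state, "icmp_type": icmp_type}


def from_net(p, net):
    return ipaddress.ip_address(p["src"]) in net


# One (predicate, target) pair per iptables rule, in the order the script appends them.
# A target is a terminating verdict, the non-terminating "LOG", or the name of another chain.
CHAINS = {
    "DUMP": [
        (lambda p: p["proto"] == "tcp", "LOG"),
        (lambda p: p["proto"] == "udp", "LOG"),
        (lambda p: p["proto"] == "tcp", "REJECT tcp-reset"),
        (lambda p: p["proto"] == "udp", "REJECT icmp-port-unreachable"),
        (lambda p: True, "DROP"),
    ],
    "STATEFUL": [
        (lambda p: p["state"] in ("ESTABLISHED", "RELATED"), "ACCEPT"),
        (lambda p: p["state"] == "NEW" and p["iface"] != WAN, "ACCEPT"),  # the "! -i ppp0" rule
        (lambda p: True, "DUMP"),
    ],
    "INPUT": [
        (lambda p: p["iface"] == "lo", "ACCEPT"),
        *[(lambda p, net=net: p["iface"] == WAN and from_net(p, net), "DUMP") for net in BOGUS_SRC],
        (lambda p: p["iface"] == WAN and p["proto"] == "icmp" and p["icmp_type"] in ICMP_IN, "ACCEPT"),
        (lambda p: True, "STATEFUL"),
    ],
}
POLICY = {"INPUT": "DROP"}  # the -P INPUT DROP default, used only if INPUT falls off its end


def walk(chain, p, log):
    """Evaluate one chain; returns a verdict, or None when the chain ends (implicit RETURN)."""
    for match, target in CHAINS[chain]:
        if not match(p):
            continue
        if target == "LOG":
            log.append(f"{chain}: {p['proto']} {p['state']} from {p['src']} in {p['iface']}")
            continue  # LOG does not terminate; evaluation carries on with the next rule
        if target in CHAINS:
            verdict = walk(target, p, log)
            if verdict is not None:
                return verdict
            continue  # the user chain returned without a verdict; keep going in this chain
        return target
    return None


def verdict(p):
    """Final fate of an inbound packet, plus the LOG lines it generated on the way."""
    log = []
    v = walk("INPUT", p, log)
    return (v if v is not None else POLICY["INPUT"]), log


if __name__ == "__main__":
    # Constructed sample traffic (documentation addresses), not captures from the list post
    samples = [
        ("inbound SYN on the WAN link", pkt(WAN, "tcp", "203.0.113.5")),
        ("reply to our own outbound connection", pkt(WAN, "tcp", "203.0.113.5", "ESTABLISHED")),
        ("new connection from the LAN side", pkt("eth0", "tcp", "192.168.1.7")),
        ("spoofed private source on the WAN link", pkt(WAN, "udp", "10.1.2.3", "ESTABLISHED")),
        ("ping request from the Internet", pkt(WAN, "icmp", "203.0.113.9", icmp_type="echo-request")),
        ("ping reply to our own ping", pkt(WAN, "icmp", "203.0.113.9", "ESTABLISHED", "echo-reply")),
        ("conntrack INVALID segment", pkt(WAN, "tcp", "203.0.113.5", "INVALID")),
    ]
    for what, p in samples:
        v, log = verdict(p)
        print(f"{what:40s} -> {v}  {'; '.join(log)}")
```

Two things the walk makes visible that the script alone does not: the RFC1918 rules sit ahead of the state check, so a spoofed private source is dumped even when conntrack would call the flow ESTABLISHED, and an inbound echo-request is dropped without a LOG line because DUMP only logs TCP and UDP. If you change the order of the -A lines, rerun the samples and see which verdicts move.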
_______________________________________________
Ale mailing list
Ale at ale.org
http://www.ale.org/mailman/listinfo/ale