gorshing
10-09-2005 23:48:52
I would appreciate any comments concerning my iptables script.
My way of thinking is to drop everything, then accept the things that I need. Anybody have another way of thinking?
I do have some questions that are marked in the comments.
Thanks
# Initialize all the chains by removing all the rules
# tied to them
iptables --flush
iptables -t nat --flush
iptables -t mangle --flush
echo 1 >/proc/sys/net/ipv4/ip_dynaddr
echo 1 >/proc/sys/net/ipv4/ip_forward
# Now that the chains have been initialized, the user defined
# chains should be deleted. We'll recreate them in the next step
iptables --delete-chain
iptables -t nat --delete-chain
iptables -t mangle --delete-chain
# If a packet doesn't match one of the built in chains, then
# The policy should be to drop it
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
# Accept anything from loopback
iptables -I INPUT -i lo -j ACCEPT
iptables -I OUTPUT -o lo -j ACCEPT
# Accept anything coming from the internal network and loopback
iptables -I INPUT 1 -i eth1 -j ACCEPT
iptables -I INPUT 1 -i lo -j ACCEPT
# Accept all from localhost
iptables -A INPUT -s 127.0.0.1 -j ACCEPT
# Accept all previously established connections
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Accept Bittorrent
iptables -A INPUT -i eth0 -p tcp --dport 6881:6889 -j ACCEPT
# Accept TeamSpeak
iptables -A INPUT -i eth0 -p udp -m udp --dport 8767 -j ACCEPT
# Allow internal network internet access
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# ?
iptables -t nat --policy POSTROUTING ACCEPT
iptables -t nat --policy PREROUTING ACCEPT
# (Webserver) Which of the following two rules are better?
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 2000 -j ACCEPT
#iptables -A INPUT -i eth0 --protocol tcp --dport 2000 -j ACCEPT
# Log anything coming in on system ports, does Cox block all these already?
iptables -I INPUT -i eth0 -p tcp --dport 1:1024 -j LOG
iptables -I INPUT -i eth0 -p udp --dport 1:1024 -j LOG
#---------------------------------------------------------------
# Log anything coming inside
#---------------------------------------------------------------
#iptables -I INPUT -i eth0 -j LOG
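The same default-deny design written as an iptables-restore ruleset, added here as an example; it is not gorshing's script. It keeps the two things the posted script gets out of order: the ESTABLISHED,RELATED rule stays ahead of every per-service rule (the posted `-I INPUT ... -j LOG` lines land at position 1, in front of it, so every inbound packet to ports 1-1024 on eth0 is logged by every rule pass with no rate limit), and the "which rule is better" question is settled by using the stateful form, `-m state --state NEW`, restricted to the Internet interface, so a half-open or spoofed non-SYN packet to port 2000 cannot match. Everything not explicitly accepted goes through a LOGDROP chain that logs at a limited rate and then drops. The nat chains are left at their default ACCEPT policy, which is what the two `--policy` lines under `# ?` set. Assumed, and not from the post: eth0 is the Internet side and eth1 the LAN (as the posted script implies), the LAN subnet is 192.168.1.0/24, and the log prefix and limit values are arbitrary choices.

```shell
#!/bin/sh
# Added example, not the original poster's script.
# Default-deny firewall/NAT ruleset in iptables-restore format.
# Assumptions (not from the post): eth0 = Internet, eth1 = LAN,
# LAN subnet 192.168.1.0/24, log prefix/limit values are arbitrary.
WAN=eth0
LAN=eth1
LAN_NET=192.168.1.0/24

# Print the complete ruleset on stdout (feed to iptables-restore).
gen_rules() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
# loopback, and refuse 127/8 source addresses arriving on any other interface
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
# replies to connections this host (or the LAN, via NAT) started: keep this
# ahead of every per-service rule
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# the internal network is trusted
-A INPUT -i $LAN -j ACCEPT
# services exposed to the Internet: NEW connections only, WAN interface only
-A INPUT -i $WAN -p tcp --dport 2000 -m state --state NEW -j ACCEPT
-A INPUT -i $WAN -p tcp --dport 6881:6889 -m state --state NEW -j ACCEPT
-A INPUT -i $WAN -p udp --dport 8767 -j ACCEPT
# anything else from the Internet: rate-limited log, then drop
-A INPUT -i $WAN -j LOGDROP
# forwarding: LAN hosts (with a LAN source address) out, replies back in
-A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT
-A FORWARD -i $WAN -o $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -j LOGDROP
-A LOGDROP -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "FW-DROP: "
-A LOGDROP -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s $LAN_NET -o $WAN -j MASQUERADE
COMMIT
EOF
}

# Line number of the first ruleset line matching a pattern (0 if absent);
# used to check that rules appear in the intended order.
rule_line() {
  n=$(gen_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1)
  echo "${n:-0}"
}

# Install the ruleset atomically (needs root); also enable forwarding and
# reverse-path filtering, replacing the /proc echo lines of the posted script.
apply_rules() {
  sysctl -w net.ipv4.ip_forward=1 >/dev/null
  sysctl -w net.ipv4.conf.all.rp_filter=1 >/dev/null
  gen_rules | iptables-restore
}

case "${1:-}" in
  apply) apply_rules ;;
  *) gen_rules ;;
esac
```

Run with no arguments to review the generated ruleset; run `sh fw.sh apply` as root to load it in one step, which avoids the window where a flushed table has no rules. On current kernels `-m conntrack --ctstate` is the preferred spelling of `-m state --state`; the rules are otherwise unchanged.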