Review my iptables script?



10-09-2005 23:48:52

I would appreciate any comments concerning my iptables script.

My way of thinking is to drop everything, then accept the things that I need. Anybody have another way of thinking?

I do have some questions that are marked in the comments.


# Initialize all the chains by removing all the rules
# tied to them
iptables --flush
iptables -t nat --flush
iptables -t mangle --flush

echo 1 >/proc/sys/net/ipv4/ip_dynaddr
echo 1 >/proc/sys/net/ipv4/ip_forward

# Now that the chains have been initialized, the user defined
# chains should be deleted. We'll recreate them in the next step
iptables --delete-chain
iptables -t nat --delete-chain
iptables -t mangle --delete-chain

# If a packet doesn't match one of the built in chains, then
# The policy should be to drop it
iptables -P INPUT DROP

# Accept anything from loopback
iptables -I INPUT -i lo -j ACCEPT
iptables -I OUTPUT -o lo -j ACCEPT

# Accept anything coming from the internal network and loopback
iptables -I INPUT 1 -i eth1 -j ACCEPT
iptables -I INPUT 1 -i lo -j ACCEPT

# Accept all from localhost
iptables -A INPUT -s 127.0.0.1 -j ACCEPT

# Accept all previously established connections
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Accept Bittorrent
iptables -A INPUT -i eth0 -p tcp --dport 6881:6889 -j ACCEPT

# Accept TeamSpeak
iptables -A INPUT -i eth0 -p udp -m udp --dport 8767 -j ACCEPT

# Allow internal network internet access
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# ?
iptables -t nat --policy POSTROUTING ACCEPT
iptables -t nat --policy PREROUTING ACCEPT

# (Webserver) Which of the following two rules are better?
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 2000 -j ACCEPT
#iptables -A INPUT -i eth0 --protocol tcp --dport 2000 -j ACCEPT

# Log anything coming in on system ports, does Cox block all these already?
iptables -I INPUT -i eth0 -p tcp --dport 1:1024 -j LOG
iptables -I INPUT -i eth0 -p udp --dport 1:1024 -j LOG

# Log anything coming inside
#iptables -I INPUT -i eth0 -j LOG


12-09-2005 07:33:44

Concerning that webserver bit, I like to put a -p tcp --syn in there, which just means that the packet must have the SYN bit set and the RST and ACK bits cleared. In other words, a properly formed new connection attempt. But then for all I know, your --state NEW may do exactly the same thing, although the iptables man page isn't clear about that.
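
The two matches discussed in the post above, compared side by side as an added example that is not part of the thread: `--syn` tests TCP header flags, while `--state NEW` tests connection tracking. The conntrack side is a simplified model (assumed: an untracked flow becomes NEW on a SYN, or on a bare ACK when `nf_conntrack_tcp_loose=1`), and the function names and sample packets are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): compares what `-p tcp --syn` tests with
# a simplified model of what `-m state --state NEW` tests.

# Bit values of the TCP header flags.
FIN=1; SYN=2; RST=4; PSH=8; ACK=16
HANDSHAKE_MASK=$((FIN | SYN | RST | ACK))

# syn_match FLAGS: succeeds if `--syn` matches. `--syn` is shorthand for
# `--tcp-flags FIN,SYN,RST,ACK SYN`: of those four bits only SYN is set.
syn_match() {
    [ $(( $1 & HANDSHAKE_MASK )) -eq "$SYN" ]
}

# state_new FLAGS TRACKED LOOSE: succeeds if conntrack would call it NEW.
# Assumed simplification: an untracked flow becomes NEW on a SYN, and also on
# a bare ACK when nf_conntrack_tcp_loose=1 (mid-stream pickup, the default).
state_new() {
    [ "$2" -eq 0 ] || return 1
    syn_match "$1" && return 0
    [ "$3" -eq 1 ] && [ $(( $1 & HANDSHAKE_MASK )) -eq "$ACK" ]
}

# verdict FLAGS TRACKED LOOSE: prints how the two rule styles treat a packet.
#   "--state NEW" alone          -> accepts whenever state_new succeeds
#   "--syn -m state --state NEW" -> additionally needs syn_match
verdict() {
    if ! state_new "$1" "$2" "$3"; then
        echo "neither"
    elif syn_match "$1"; then
        echo "both"
    else
        echo "state-only"
    fi
}

# Constructed sample packets: name, flags, already tracked?, loose setting.
while read -r name flags tracked loose; do
    printf '%-22s %s\n' "$name" "$(verdict "$flags" "$tracked" "$loose")"
done <<EOF
syn-first-packet       $SYN 0 1
ack-untracked-loose    $ACK 0 1
ack-untracked-strict   $ACK 0 0
psh-ack-untracked      $((PSH | ACK)) 0 1
ack-established        $ACK 1 1
EOF
```

A rule that requires both matches, such as `-p tcp --syn -m state --state NEW --dport 2000`, accepts only the packets reported as "both".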


12-09-2005 08:59:00


I'll look into that