[Cialug] IPTables Concept

Jeffrey C. Ollie jeff at ocjtech.us
Tue Oct 31 20:05:08 CST 2006


In addition, I'd recommend some more changes:

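# Setup variables
#
# Fail closed.  Abort on the first iptables call that fails and on any unset
# variable: without this a rule that cannot be loaded (typo, unresolvable
# hostname, missing kernel module) is silently skipped and the host ends up
# running a ruleset that differs from the one in this file.  Because the
# default policies are DROP, stopping part-way leaves the host closed rather
# than open, which is the acceptable failure mode for a firewall script.
set -eu

# The single external interface this policy covers; every interface-scoped rule
# is tied to it.  Loopback is handled on its own.
readonly OURIF="eth0"
readonly OURLO="lo"

# Placeholders -- fill in the real addresses before running.  OURIP is this
# host's address on $OURIF; it is used both to accept our own outbound traffic
# and to reject inbound packets that forge it.  OURDNS1/2 are the internal
# resolvers and must be IP addresses, not names.
readonly OURIP="ip.ip.ip.ip"
readonly OURDNS1="ip.ip.ip.ip"
readonly OURDNS2="ip.ip.ip.ip"

# These two are hostnames.  iptables resolves a name only once, at rule-load
# time, so the resulting rules are only as trustworthy as the DNS answer
# received at that moment and go stale if the name later moves.  Prefer fixed
# addresses here when they are known.
readonly OURSMTP="mx.inside.com"
readonly OURBACK="backserv"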

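# Reset the filter table, failing closed.
#
# The default policies are switched to DROP *before* the old rules are
# flushed, so there is no window -- however short -- in which the chains are
# empty while the policy is still whatever it was before (ACCEPT on a fresh
# kernel).  Existing connections survive the flush: conntrack keeps their
# state and they resume as soon as the ESTABLISHED rule is re-added below.
/sbin/iptables --policy INPUT DROP
/sbin/iptables --policy OUTPUT DROP
/sbin/iptables --policy FORWARD DROP

# `--flush` on its own only empties the built-in chains of the filter table.
# Also delete user-defined chains and zero the counters so that running this
# script on a host that already has rules always yields the same ruleset.
/sbin/iptables --flush
/sbin/iptables --delete-chain
/sbin/iptables --zero

# NOTE: only the IPv4 filter table is touched.  The nat and mangle tables are
# left as they were, and ip6tables is not configured at all -- if IPv6 is
# enabled on $OURIF, none of this policy applies to IPv6 traffic.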

# Loopback: local processes may talk to each other without restriction, in
# both directions.
/sbin/iptables --append INPUT  --in-interface  "$OURLO" --jump ACCEPT
/sbin/iptables --append OUTPUT --out-interface "$OURLO" --jump ACCEPT

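# Anti-spoofing.
#
# An inbound packet on the external interface whose source is our own address
# is forged.  This matters because the SSH rule later in the file accepts
# connections from any source: without this rule a forged packet could match
# it.
/sbin/iptables -A INPUT -i "$OURIF" -s "$OURIP" -j DROP
# Likewise nothing on the wire may claim to come from the loopback range.
/sbin/iptables -A INPUT -i "$OURIF" -s 127.0.0.0/8 -j DROP

# An outbound packet on the external interface that does not carry our
# address is a misconfiguration or something on this host trying to spoof.
# The negation is written "! -s" (before the option): the "-s !" spelling is
# deprecated since iptables 1.4 and may be rejected by newer versions.
/sbin/iptables -A OUTPUT -o "$OURIF" ! -s "$OURIP" -j DROP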

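# Connection tracking.
#
# Packets that conntrack cannot attach to any connection (bad TCP flag
# combinations, out-of-window segments, replies to nothing) are dropped
# explicitly rather than left to the rules that follow: a rule that matches on
# port alone, such as the inbound SSH rule, would otherwise still accept them.
/sbin/iptables -A INPUT  -i "$OURIF" -m state --state INVALID -j DROP
/sbin/iptables -A OUTPUT -o "$OURIF" -m state --state INVALID -j DROP

# Anything belonging to a connection already allowed, or related to one (for
# example ICMP errors about it), is accepted in both directions.  Every other
# rule in this file therefore only has to describe how a connection *starts*.
/sbin/iptables -A INPUT  -i "$OURIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A OUTPUT -o "$OURIF" -m state --state ESTABLISHED,RELATED -j ACCEPT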

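# Inbound SSH, from anywhere.
#
# Limited to *new* connections arriving on the external interface; packets of
# established sessions are already accepted by the state rule above, and this
# keeps the rule from matching stray port-22 packets that are not connection
# openers.  SSH is the only service this host exposes, and it is exposed to
# the whole Internet: if the admin networks are known, add `-s <admin-net>`
# to this rule; otherwise consider rate-limiting new connections (for example
# with `-m recent`) to blunt password guessing.
/sbin/iptables -A INPUT -i "$OURIF" -p tcp --dport 22 -m state --state NEW -j ACCEPT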

# Outbound DNS to the two internal resolvers, over UDP and TCP.  Replies come
# back through the ESTABLISHED/RELATED rule, so no inbound rule is needed.
#
# Keep these rules ahead of any rule that names a destination by hostname:
# with the OUTPUT policy at DROP, the lookups iptables itself performs while
# loading those rules depend on this egress being open.
for dns_server in "$OURDNS1" "$OURDNS2"; do
  for proto in udp tcp; do
    /sbin/iptables -A OUTPUT -o "$OURIF" -p "$proto" -s "$OURIP" --dport 53 -d "$dns_server" -j ACCEPT
  done
done

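# Outbound TCP to a fixed set of destinations: the internal mail relay,
# the backup server (ssh) and the two package mirrors (http).  Replies are
# handled by the ESTABLISHED/RELATED rule.
#
# SECURITY NOTE on hostnames in rules: iptables resolves a name ONCE, when the
# rule is loaded, and installs one rule per address returned.  The running
# ruleset therefore (a) trusts whatever DNS answered at load time -- a spoofed
# answer opens egress to an attacker's address, (b) goes stale if the name
# later moves, and (c) for mirrors.kernel.org / security.debian.org, which may
# return several addresses, only covers the addresses handed out that one
# time.  Use fixed addresses for the internal hosts where possible and re-run
# this script, after the network and the DNS rules above are up, whenever a
# name changes.
#
# A rule that cannot be loaded (unresolvable name, missing module) is reported
# instead of silently skipped; that destination then simply stays blocked by
# the OUTPUT policy, which is the safe failure.
while read -r dest port purpose; do
  /sbin/iptables -A OUTPUT -o "$OURIF" -p tcp -s "$OURIP" --dport "$port" -d "$dest" -j ACCEPT \
    || printf 'WARNING: egress rule for %s (%s, tcp/%s) not loaded; it stays blocked\n' \
         "$dest" "$purpose" "$port" >&2
done <<EOF
$OURSMTP 25 internal-smtp
$OURBACK 22 backup-ssh
mirrors.kernel.org 80 apt-mirror
security.debian.org 80 debian-security-updates
EOF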

