Package: iptables
Version: 1.2.8-4

I was recently looking to install a personal firewall on a computer. I was not impressed with most of the packages I found for creating firewall rulesets. In the end, I found that the easiest thing was to write my own script, making it as simple and clear as possible.
I was pleased with the init scripts in the iptables package, which then allowed me to just "save" the rules I set up in my script as the default "active" settings. I thought it might be nice to include a simple firewall script in the examples doc directory to show people how to set up a simple personal firewall. I've included below in this email the one that I wrote for my firewall.

Thanks,
Gary.

-----------

#!/bin/bash
set -x

# Load needed kernel modules
modprobe ip_conntrack
modprobe ip_conntrack_ftp

# Clear any existing firewall stuff before we start
iptables --flush
iptables -t nat --flush
iptables -t mangle --flush

# As the default policies, drop all incoming traffic but allow all
# outgoing traffic.  This will allow us to make outgoing connections
# from any port, but will only allow incoming connections on the ports
# specified below.
iptables --policy INPUT DROP
iptables --policy OUTPUT ACCEPT

# Allow all incoming traffic if it is coming from the local loopback device
iptables -A INPUT -i lo -j ACCEPT

# Related and established connections: see
# http://www.sns.ias.edu/~jns/security/iptables/iptables_conntrack.html
#
# Accept all incoming traffic associated with an established
# connection, or a "related" connection
#
# This will automatically handle incoming UDP traffic associated with
# DNS queries, as well as PASSIVE mode FTP (provided the
# ip_conntrack_ftp module is loaded)
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow connections on selected ports to the firewalled computer:
#   22 ssh
#   80 web
#   25 smtp (mail)
iptables -A INPUT -p tcp -i eth0 --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 80 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 25 -m state --state NEW -j ACCEPT

# Allow icmp input so that people can ping us
iptables -A INPUT -p icmp -j ACCEPT

# Logging: first, eliminate any packets that are going to broadcast
# addresses, since they will overwhelm the log files if there are any
# Windows computers on our network.  Also, don't log pesky multicast
# packets that we block.
iptables -A INPUT -d 255.255.255.255/0.0.0.255 -j DROP
iptables -A INPUT -d 224.0.0.1 -j DROP

# Log all other blocked packets, and change DROP to REJECT to be
# polite and allow people connecting to a blocked port to receive a
# "connection refused" message instead of timing out after 30 seconds.
iptables -A INPUT -j LOG
iptables -A INPUT -j REJECT
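As an added example, not part of Gary's report or of the iptables package, here is the same personal-firewall policy written as a generator for an iptables-restore file. That is the format the package's init scripts save and load, and iptables-restore applies it atomically, so a typo in one rule does not leave the host half-configured the way a failing `iptables` command in the middle of a script does. It assumes a later iptables (1.4 or newer) with the conntrack, addrtype, limit and icmp matches, and an external interface named eth0 by default; the function names gen_ruleset and rule_index, the log prefix and the FORWARD DROP policy are this example's own. It also goes beyond the original in a few places a practitioner would want: INVALID conntrack state is dropped, ICMP input is limited to rate-limited echo-request (ICMP errors for tracked flows still pass as RELATED), broadcast and multicast are matched by address type and prefix instead of a dotted mask, the LOG rule is rate-limited so a port scan cannot fill the log, and refused TCP gets a RST while everything else gets the default port-unreachable.

```sh
#!/bin/sh
# Added example: generate the personal-firewall policy from the report as an
# iptables-restore file.  Nothing is applied; the ruleset goes to stdout.
# Assumptions (not from the original): iptables 1.4+ with the conntrack,
# addrtype, limit and icmp matches; the function names, log prefix and
# FORWARD policy are this example's own.
#
# Usage: gen_ruleset [wan_if] [tcp_port ...]   (defaults: eth0 22 80 25)

gen_ruleset() {
    wan_if="${1:-eth0}"
    if [ $# -gt 0 ]; then shift; fi
    ports="$*"
    [ -n "$ports" ] || ports="22 80 25"

    # Policies: drop unsolicited input, allow all output.  FORWARD is
    # dropped too, since a personal firewall has no reason to route.
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i $wan_if -m conntrack --ctstate INVALID -j DROP
-A INPUT -i $wan_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF

    # One NEW-state accept per service port, like the 22/80/25 rules above.
    for p in $ports; do
        printf -- '-A INPUT -i %s -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' "$wan_if" "$p"
    done

    # Ping is allowed but rate-limited; ICMP errors for tracked flows already
    # pass as RELATED.  Broadcast and multicast are dropped silently before
    # the LOG rule so chatty LAN traffic cannot fill the log, and the LOG
    # rule itself is rate-limited.  TCP is refused with a RST, everything
    # else with the default ICMP port-unreachable.
    cat <<EOF
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/sec --limit-burst 10 -j ACCEPT
-A INPUT -m addrtype --dst-type BROADCAST -j DROP
-A INPUT -d 224.0.0.0/4 -j DROP
-A INPUT -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "fw-input-reject: "
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Line number of the first generated rule (default arguments) containing the
# fixed string $1, for checking rule order such as LOG before REJECT.
# Prints 0 if no rule matches.
rule_index() {
    n=$(gen_ruleset | grep -n -F -- "$1" | head -n 1 | cut -d: -f1)
    echo "${n:-0}"
}

# Run directly: print the ruleset, e.g.
#   sh fw-gen.sh eth0 22 80 25 | iptables-restore --test
gen_ruleset "$@"
```

Syntax-check the output with `iptables-restore --test` before loading it for real, and remember that, as with the original script, order matters: the broadcast and multicast drops must sit above the LOG rule, and the LOG rule above the REJECT rules, or the log fills with exactly the traffic the comments in Gary's script were trying to keep out of it.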