Hey Jorge,
Jacob Friis Larsen wrote:
> With the help of http://iptables-script.dk/ I have created the script below.
> Where should I store it?
You can put it in /etc/network/if-up.d. That way it starts as soon as the interface comes up.
> And does it look ok?
Looks OK for basic firewalling. You could add a rule to log the rejected packets.
> Thanks, Jacob
> #!/bin/sh
>
> # Disable forwarding
> echo 0 > /proc/sys/net/ipv4/ip_forward
>
> # load some modules (if needed)
> modprobe ip_nat_ftp
> modprobe ip_conntrack_ftp
>
> # Flush
> iptables -t nat -F POSTROUTING
> iptables -t nat -F PREROUTING
> iptables -t nat -F OUTPUT
> iptables -F
>
> # Default policies
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT ACCEPT
>
> # localhost
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A OUTPUT -o lo -j ACCEPT
>
> # Open ports on router for server/services
> iptables -A INPUT -s 1.2.3.4 -p tcp --dport 20 -j ACCEPT
> iptables -A INPUT -s 1.2.3.4 -p tcp --dport 21 -j ACCEPT
> iptables -A INPUT -p tcp --dport 22 -j ACCEPT
> iptables -A INPUT -p tcp --dport 25 -j ACCEPT
> iptables -A INPUT -p tcp --dport 80 -j ACCEPT
> iptables -A INPUT -p tcp --dport 143 -j ACCEPT
> iptables -A INPUT -p tcp --dport 993 -j ACCEPT
>
> # STATE RELATED for router
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # Enable forwarding
> echo 1 > /proc/sys/net/ipv4/ip_forward
Check out the debian-firewall list also. It might be helpful too.
Bye, Marco.
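The following is an added example, not part of Jacob's or Marco's mail. It rewrites Jacob's rule set as an iptables-restore file and adds the logging rule Marco suggests, rate limited with the limit match so a flood cannot fill the disk. It assumes the same placeholder FTP client address 1.2.3.4 as Jacob's script; the log prefix, the 5/min limit and the use of multiport for the public services are this example's own choices. It does not touch ip_forward: with FORWARD at DROP and no FORWARD rules, nothing would be forwarded anyway. Only the filter table is written, so the nat table is left alone.

```shell
#!/bin/sh
# Added example (not from the original mail): Jacob's rules as an
# iptables-restore file, plus a rate-limited LOG rule for dropped packets.
# Assumptions: 1.2.3.4 is the placeholder FTP client from Jacob's script;
# the log prefix and rate limit are this example's own choices.

FTP_CLIENT=1.2.3.4

# Print the complete filter table. Nothing here touches the kernel, so the
# output can be reviewed (or diffed against iptables-save) before loading.
build_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# State match first: replies to established connections are the bulk of the
# traffic and never need to walk the per-port rules below.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# FTP control channel, restricted to one client as in Jacob's script. The data
# channel is matched as RELATED by the FTP conntrack helper, so no separate
# rule for port 20 is needed.
-A INPUT -p tcp -s $FTP_CLIENT --dport 21 -j ACCEPT
# Public services (ssh, smtp, http, imap, imaps)
-A INPUT -p tcp -m multiport --dports 22,25,80,143,993 -j ACCEPT
# Marco's suggestion: log what is about to hit the DROP policy. The limit
# match caps the log rate; the prefix makes the lines easy to grep for.
-A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "IPT INPUT DROP: " --log-level warning
COMMIT
EOF
}

# Load the table. iptables-restore replaces the whole table in one step, so
# there is no window where the policy is already DROP but the ACCEPT rules are
# not in place yet (Jacob's script has that window between -P and the -A lines).
apply_rules() {
    modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp
    build_rules | iptables-restore
}

case "${1:-}" in
    apply) apply_rules ;;
    *)     build_rules ;;
esac
```

Run it without arguments to print the rule set for review, and as root with `apply` to load it. Dropped packets then show up in the kernel log, for example via `dmesg | grep 'IPT INPUT DROP'`, with the source address, destination port and interface in each line.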