My favourite iptables tutorial is
http://www.netfilter.org/documentation/tutorials/blueflux/

It will answer all of your questions, except the blacklisted hosts.
How do you want to collect/maintain this list?

Regards,
Peter


On Fri, 2002-11-01 at 02:52, Chad Skinner wrote:
> During my update of RedHat I failed to back up my firewall script and so I am
> trying to recreate it and was wondering if someone would give me input into
> how to improve it. To outline what I have:
> 
>  1. Set variables for interfaces/networks
>  2. Create a Table to block traffic from reserved and private networks
>  3. Create a Table for blacklisted hosts
>  4. Create a Table for explicitly blocked and logged ports
>  5. Create a Table for icmp packets
>  6. Create a Table for allowed packets
> 
>  7. enable the loopback interface
>  8. pass packets coming in internet interface to drop packets coming from
> reserved networks.
>  9. pass packets going out internet interface to drop packets going to
> reserved networks.
> 10. pass packets coming in internet interface to drop blacklisted hosts
> 11. pass packets coming in internet interface to drop blocked ports
> 12. pass packets coming in internet interface to filter icmp packets
> 13. pass packets to allow incoming traffic
> 14. drop all remaining packets
> 
> Basically, all rules drop packets except where I am opening the loopback
> interface, allowing icmp packets or allowing specific traffic. I guess I
> would like to know if the following snippet that allows specific ports is
> correct or if there are suggestions on how to improve it?
> 
> ##########################################################################
> # CREATE A TABLE TO ALLOW PACKETS ON SPECIFIC PORTS                      #
> ##########################################################################
> 
>    $IPTABLES -N ALLOWED_CONNECTIONS
> 
>    # ACCEPT ALL TRAFFIC FOR ESTABLISHED OR RELATED CONNECTIONS
>    $IPTABLES -t filter -A ALLOWED_CONNECTIONS -i $INTERNET_IFACE -m state \
>              --state ESTABLISHED,RELATED -j ACCEPT
> 
>    # ACCEPT ALL TRAFFIC NOT COMING FROM THE INTERNET
>    $IPTABLES -t filter -A ALLOWED_CONNECTIONS -i ! $INTERNET_IFACE -m state \
>              --state NEW -j ACCEPT
> 
>    ### ALLOWED PORTS FOR TRAFFIC ORIGINATING FROM THE INTERNET ###
>    #
>    #  22 ssh
>    #  80 http
>    # 443 https
>    #
>    ###
> 
>       PORT_LIST="22 80 443"
>       for PORT in $PORT_LIST
>       do
>          # ONE RULE PER PORT: ONLY NEW TCP CONNECTIONS TO THAT PORT ARE ACCEPTED
>          $IPTABLES -t filter -A ALLOWED_CONNECTIONS -i $INTERNET_IFACE -p tcp \
>                    --dport $PORT -m state --state NEW -j ACCEPT
>       done
> 
>    # DROP ALL OTHER NEW OR INVALID CONNECTIONS
>    $IPTABLES -t filter -A ALLOWED_CONNECTIONS -i $INTERNET_IFACE -m state \
>              --state NEW,INVALID -j DROP
> 
> The filter I am using to send traffic to this table is:
> 
>    $IPTABLES -t filter -A INPUT -j ALLOWED_CONNECTIONS
> 
> Thanks,
> Chad
> 
> 
> 
> -- 
> redhat-list mailing list
> unsubscribe mailto:redhat-list-request@redhat.com?subject=unsubscribe
> https://listman.redhat.com/mailman/listinfo/redhat-list
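The allowed-ports table from Chad's outline and the blacklist table Peter asks about, written out as an added example; this is not code from the thread or from either poster. It assumes eth0 as the Internet interface and, by default, runs iptables in a dry-run mode (IPTABLES defaults to "echo iptables") so the generated rules can be reviewed and checked on a machine without root or netfilter; point IPTABLES at the real binary to apply them. The blacklist file format (one address or CIDR block per line, # comments) and the sample entries are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread. IPTABLES is deliberately left unquoted
# below so that the default "echo iptables" word-splits into a dry run.
IPTABLES="${IPTABLES:-echo iptables}"
INTERNET_IFACE="${INTERNET_IFACE:-eth0}"   # assumption: external interface
PORT_LIST="${PORT_LIST:-22 80 443}"        # ssh, http, https

# Rules for the allowed-connections table. Every rule goes into the chain that
# was created with -N, and each allowed port gets its own rule restricted to
# TCP and to NEW connections arriving on the Internet interface.
allowed_connections_rules() {
    $IPTABLES -N ALLOWED_CONNECTIONS
    $IPTABLES -t filter -A ALLOWED_CONNECTIONS -i "$INTERNET_IFACE" -m state \
        --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -t filter -A ALLOWED_CONNECTIONS ! -i "$INTERNET_IFACE" -m state \
        --state NEW -j ACCEPT
    for PORT in $PORT_LIST; do
        $IPTABLES -t filter -A ALLOWED_CONNECTIONS -i "$INTERNET_IFACE" -p tcp \
            --dport "$PORT" -m state --state NEW -j ACCEPT
    done
    $IPTABLES -t filter -A ALLOWED_CONNECTIONS -i "$INTERNET_IFACE" -m state \
        --state NEW,INVALID -j DROP
}

# Build the BLACKLIST chain from a file of addresses or CIDR blocks, one per
# line. Blank lines and # comments are ignored; anything that is not a
# dotted-quad (optionally /prefix) is reported and skipped instead of being
# handed to iptables, so one typo in the list cannot abort the whole load.
blacklist_rules() {
    file="$1"
    $IPTABLES -N BLACKLIST
    while IFS= read -r line || [ -n "$line" ]; do
        entry="${line%%#*}"                                # drop trailing comment
        entry="$(printf '%s' "$entry" | tr -d ' \t')"      # drop whitespace
        [ -z "$entry" ] && continue
        if printf '%s\n' "$entry" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'; then
            $IPTABLES -t filter -A BLACKLIST -i "$INTERNET_IFACE" -s "$entry" -j DROP
        else
            echo "blacklist: skipping malformed entry '$entry'" >&2
        fi
    done < "$file"
}

# Sanity check over a generated rule listing: every user chain appended to
# with -A must have been created with -N (built-in chains are exempt).
# Prints each offender and returns 1 if any were found.
check_chains() {
    printf '%s\n' "$1" | awk '
        { for (i = 1; i <= NF; i++) {
              if ($i == "-N") created[$(i + 1)] = 1
              if ($i == "-A") used[$(i + 1)] = 1 } }
        END {
            bad = 0
            for (c in used)
                if (!(c in created) && c != "INPUT" && c != "OUTPUT" && c != "FORWARD") {
                    print "rule appends to undefined chain " c; bad = 1 }
            exit bad }'
}

# Demo with a constructed blacklist (not a real threat list): prints the
# generated rules and runs the chain check over them.
demo() {
    tmp="$(mktemp)"
    printf '%s\n' '# constructed sample list' '10.0.0.0/8' \
        '192.0.2.1   # TEST-NET-1' 'bogus.entry' > "$tmp"
    rules="$(blacklist_rules "$tmp"; allowed_connections_rules)"
    rm -f "$tmp"
    printf '%s\n' "$rules"
    check_chains "$rules"
}

demo
```

Running the script as-is prints the rule set it would load; check_chains is the kind of test worth keeping in a firewall script, since an -A against a chain that was never created is exactly the failure that silently leaves ports open when the rest of the script continues.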