[lug] the world's easiest iptables firewall

Kevin Fenzi kevin at scrye.com
Thu Dec 9 19:58:45 MST 2004



Coming to you live from the BLUG meeting tonight. It was suggested
that I post the world's easiest iptables firewall that I just demoed. 

At its simplest, it's two lines:

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -j DROP

This will allow your connections out from your machine and packets
that are related to those outgoing connections, and will drop
everything else that's coming in. 

Optionally, you can add in between these two rules: 

iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

Which will allow port 22/tcp into your machine, which is Secure
Shell (SSH). 

And/or: 

iptables -A INPUT -j LOG

Which will LOG all packets that don't match the rules above it. 
So, putting them all together you get: 

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP

So your outgoing connections will all work, Secure Shell will be
allowed in, everything else will be logged and dropped. 
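As an added example (not part of Kevin's post), here is a small POSIX sh
script that generates the same four-rule layout for any list of allowed TCP
ports, so the ruleset can be reviewed before it is applied. It adds two
things the bare rules above don't have: an ACCEPT for the loopback interface
(without it, new connections to your own localhost services are dropped by
the final rule), and a --log-prefix so the logged drops are easy to grep. The
function names (rules_for, valid_port, apply_rules) are my own.

```shell
#!/bin/sh
# Added example, not from the original post. Generates the "easiest firewall"
# ruleset for a space-separated list of TCP ports. Nothing is applied unless
# apply_rules is called explicitly (as root).

# valid_port N -> true if N is an integer in 1..65535
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# rules_for "22 443" -> prints one iptables command per line, in order.
# Returns 1 without printing anything if any port is invalid.
rules_for() {
    for p in $1; do
        valid_port "$p" || { echo "rules_for: bad port '$p'" >&2; return 1; }
    done
    # Start from an empty INPUT chain so re-running does not stack duplicates.
    printf '%s\n' "iptables -F INPUT"
    # Loopback first: local services must keep working.
    printf '%s\n' "iptables -A INPUT -i lo -j ACCEPT"
    # Replies to our own outgoing connections.
    printf '%s\n' "iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT"
    # One explicit ACCEPT per allowed inbound TCP port.
    for p in $1; do
        printf '%s\n' "iptables -A INPUT -p tcp -m tcp --dport $p -j ACCEPT"
    done
    # Log, then drop, everything that did not match above.
    printf '%s\n' "iptables -A INPUT -j LOG --log-prefix \"INPUT-DROP: \""
    printf '%s\n' "iptables -A INPUT -j DROP"
}

# apply_rules "22" -> runs the generated commands, stopping at the first error.
apply_rules() {
    rules_for "$1" | sh -e
}

# Review mode when run directly: print the rules for the ports given as $1.
[ -n "$1" ] && rules_for "$1"
```

Run `sh firewall.sh "22 443"` to print the rules, or `apply_rules "22"` from a root shell to load them.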

kevin