[lug] IP Tables
Kevin Fenzi
kevin at scrye.com
Fri Sep 21 20:50:42 MDT 2007
On Fri, 21 Sep 2007 17:33:12 -0700 (PDT)
horlenkarl at yahoo.com (karl horlen) wrote:
> would anybody mind sharing a rock solid iptables
> script that does the following things. i ask because
> what i'm asking for is pretty common and shouldn't
> take somebody much effort other than to post (and
> change ips if you want to hide them which actually
> could be a pita now that i think about it). i'll fill
> in the blanks:
>
> Requirements:
>
> RedHat based system
>
> - denies all ports by default
> - allows smtp port 25 to send to all outside
> - allows http 80 from all outside
> - allows ssh but only from a given ip address (i'll
> change /fill in)
> - logs other attempts that try to go to ssh but not on
> the allowed ip address
> - allows all inside generated requests to go out and
> accept replies from all inside generated requests
> (probably covers sendmail above?)
> - drops everything else
>
> i'm not sure if that's asking too much or not. i
> generally know what i want to do and have pulled a
> variety of ways to do it but none seems complete or
> seems to lack something or appears outdated.
>
> thanks to anyone that shares.
# loopback traffic is always fine
iptables -A INPUT -i lo -j ACCEPT
# replies to connections this host started (covers sendmail's outbound port 25)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# new inbound http from anywhere
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
# new inbound ssh, but only from the one allowed address
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -s 111.222.333.444 -j ACCEPT
# any other new ssh attempt gets logged, then falls through to the reject below
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j LOG
# everything else
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
Fill in 111.222.333.444 with your ssh allowed ip.
Not tested, YMMV.
kevin
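The same rule set as a small script, added here as an example (this is not Kevin's script and not from the list archive). It keeps his ordering but adds the two things a practitioner would want before loading it on a real box: the allowed SSH address is validated first (the 111.222.333.444 placeholder in the thread has octets above 255 and would be rejected by iptables at load time, after the earlier rules had already gone in), and the INPUT chain is flushed so re-running the script does not stack duplicate rules. It assumes a Red Hat style host, uses the documentation address 192.0.2.10 as a sample SSH source, and takes the iptables command as an optional second argument so the rules can be previewed with `echo` without root.

```shell
#!/bin/sh
# Added example, not the script posted in the thread. Assumes a Red Hat
# style host with the filter table in use; saving with 'service iptables
# save' afterwards is left to the admin.

# Return 0 if $1 is a dotted quad with four octets in 0-255, else 1.
# 111.222.333.444 (the thread's placeholder) fails this check.
valid_ipv4() {
    octets=$(printf '%s\n' "$1" | tr '.' ' ')
    set -- $octets
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# apply_rules <allowed ssh source> [iptables command]
# Pass 'echo' as the second argument to preview the rules without root.
apply_rules() {
    ssh_src="$1"
    ipt="${2:-iptables}"

    valid_ipv4 "$ssh_src" || {
        echo "apply_rules: invalid ssh source address: $ssh_src" >&2
        return 1
    }

    # Start from an empty INPUT chain so repeated runs never stack rules.
    $ipt -F INPUT

    # Default deny inbound. Outbound stays open, which is what lets
    # sendmail deliver on port 25; the replies come back through the
    # ESTABLISHED,RELATED rule below.
    $ipt -P INPUT DROP
    $ipt -P OUTPUT ACCEPT
    $ipt -P FORWARD DROP

    # Loopback and replies to connections this host started.
    $ipt -A INPUT -i lo -j ACCEPT
    $ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # New inbound http from anywhere.
    $ipt -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT

    # New inbound ssh only from the one allowed address.
    $ipt -A INPUT -p tcp -m tcp --dport 22 -s "$ssh_src" -m state --state NEW -j ACCEPT

    # Log every other new ssh attempt, rate limited so a scan cannot fill
    # /var/log/messages. LOG is non-terminating, so these packets fall
    # through to the final reject either way.
    $ipt -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW \
        -m limit --limit 5/min -j LOG --log-prefix "SSH-DENIED: "

    # Everything else.
    $ipt -A INPUT -j REJECT --reject-with icmp-host-prohibited
}

# Usage (as root):      apply_rules 192.0.2.10
# Preview without root: apply_rules 192.0.2.10 echo
```

The `-m limit` on the LOG rule is the one deliberate difference from the rules in the thread: without it, a single port scanner can write thousands of lines to syslog, and the log is the whole point of that rule.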