[lug] the world's easiest iptables firewall
Kevin Fenzi
kevin at scrye.com
Thu Dec 9 19:58:45 MST 2004
Coming to you live from the BLUG meeting tonight, it was suggested
that I post the world's easiest iptables firewall that I just demoed.
At its most simple, it's two lines:
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -j DROP
This will allow your connections out from your machine and packets
that are related to those outgoing connections, and will drop
everything else that's coming in.
Optionally, you can add in between these 2 rules:
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
Which will allow port 22/tcp into your machine, which is Secure
Shell.
And/or:
iptables -A INPUT -j LOG
Which will LOG all packets that don't match the rules above it.
So, putting them all together you get:
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP
So your outgoing connections will all work, Secure Shell will be
allowed in, and everything else will be logged and dropped.
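An added example (not from the original post): a small POSIX sh script that emits the ruleset above in iptables-restore format, which can be checked with `iptables-restore --test` before it is applied. It adds two things a practitioner usually wants with the bare four-rule version: an ACCEPT for the loopback interface (the final DROP rule otherwise also drops local 127.0.0.1 traffic), and a rate limit on the LOG rule so a scan cannot flood syslog. The port list, the 5/minute limit and the log prefix are assumptions.

```shell
#!/bin/sh
# Added example, not the original post's code. Emits the post's ruleset in
# iptables-restore format. Extras beyond the post (assumptions): a loopback
# ACCEPT, a rate-limited LOG rule, and a default DROP policy on INPUT so the
# chain still fails closed if the explicit rules are flushed.
# Usage (as root): gen_rules 22 > rules.v4 && iptables-restore --test < rules.v4

gen_rules() {
    # $@ = TCP ports to allow in; default is 22 (ssh), as in the post
    if [ $# -eq 0 ]; then set -- 22; fi
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # Loopback first: the post's bare DROP would otherwise break local services
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # Replies to our own outgoing connections (the post's first rule)
    printf '%s\n' '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    for p in "$@"; do
        case "$p" in
            ''|*[!0-9]*) echo "gen_rules: bad port '$p'" >&2; return 1 ;;
        esac
        printf '%s\n' "-A INPUT -p tcp -m tcp --dport $p -j ACCEPT"
    done
    # Log what is about to be dropped, but no more than 5 entries a minute
    printf '%s\n' '-A INPUT -m limit --limit 5/minute -j LOG --log-prefix "fw-drop: "'
    printf '%s\n' '-A INPUT -j DROP'
    printf '%s\n' 'COMMIT'
}

# Number of INPUT rules the generated file would load (handy for a sanity check)
count_input_rules() {
    gen_rules "$@" | grep -c '^-A INPUT'
}
```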
kevin