[lug] the world's easiest iptables firewall
Joshua Rubin
joshua at cybertron.cc
Mon Dec 13 16:06:49 MST 2004
On Monday 13 December 2004 03:35 pm, David Anselmi wrote:
> Jeffrey Siegal wrote:
> > Kevin Fenzi wrote:
> >> Optionally, you can add in between these 2 rules:
> >> iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
> >
> > I prefer to use "-m state --state NEW" or --syn for that. Other packets
> > should be allowed only for existing connections.
>
> Has to be NEW,ESTABLISHED doesn't it?
>
> Dave
> _______________________________________________
> Web Page: http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> Join us on IRC: lug.boulder.co.us port=6667 channel=#colug
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT   # replies and related traffic for connections already tracked
iptables -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT  # only new ssh connections need a rule of their own
iptables -A INPUT -d 127.0.0.1 -i lo -j ACCEPT                      # never block loopback traffic
iptables -A INPUT -j DROP                                           # everything else
iptables -A FORWARD -j DROP                                         # this box does not route
ESTABLISHED is taken care of in the first rule.
I added the loopback interface to this as well. The kernel automatically
filters out everything not originating from the loopback with netmask
127.255.255.255 (no loopback spoofing); this rule makes sure that no loopback
traffic is blocked. I also drop all forwarding as another precaution.
Joshua
--
Joshua Rubin
Joshua.Rubin at Colorado.EDU
(303) 909-6199
http://www.cybertron.cc
Cassini Mission to Saturn
Ultraviolet Imaging Spectrograph (UVIS)
Assistant Team Lead
My PGP Public Key:
http://pgp.mit.edu:11371/pks/lookup?search=0xBECC02AE&op=index
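As an added illustration (not part of the thread above), the following Python simulates first-match evaluation of the INPUT chain Joshua posted, with constructed packets, to show why the ssh rule only needs --state NEW once RELATED,ESTABLISHED is accepted by the first rule: giving the ssh rule NEW,ESTABLISHED produces identical verdicts. The ssh_states parameter and the sample packets are assumptions of this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    iface: str   # ingress interface, e.g. "eth0" or "lo"
    dst: str     # destination address
    proto: str   # "tcp", "udp", "icmp"
    dport: int   # destination port (0 when not applicable)
    state: str   # conntrack state: NEW, ESTABLISHED, RELATED, INVALID

def rule(target, states=None, proto=None, dport=None, iface=None, dst=None):
    """One rule: a (match-function, target) pair, like a single iptables -A line."""
    def match(p):
        return ((states is None or p.state in states)
                and (proto is None or p.proto == proto)
                and (dport is None or p.dport == dport)
                and (iface is None or p.iface == iface)
                and (dst is None or p.dst == dst))
    return match, target

def verdict(chain, packet, policy="ACCEPT"):
    """Walk the chain in order; the first matching rule decides, else the policy."""
    for match, target in chain:
        if match(packet):
            return target
    return policy

def input_chain(ssh_states=("NEW",)):
    """The INPUT chain from the message; ssh_states lets NEW vs NEW,ESTABLISHED be compared."""
    return [
        rule("ACCEPT", states={"RELATED", "ESTABLISHED"}),
        rule("ACCEPT", states=set(ssh_states), proto="tcp", dport=22),
        rule("ACCEPT", iface="lo", dst="127.0.0.1"),
        rule("DROP"),
    ]

SAMPLES = {  # constructed packets for the walk-through
    "ssh_syn":  Packet("eth0", "10.0.0.5", "tcp", 22, "NEW"),
    "ssh_data": Packet("eth0", "10.0.0.5", "tcp", 22, "ESTABLISHED"),
    "http_syn": Packet("eth0", "10.0.0.5", "tcp", 80, "NEW"),
    "ftp_data": Packet("eth0", "10.0.0.5", "tcp", 20, "RELATED"),
    "loopback": Packet("lo", "127.0.0.1", "tcp", 5432, "NEW"),
    "invalid":  Packet("eth0", "10.0.0.5", "tcp", 22, "INVALID"),
}

def verdicts(ssh_states=("NEW",)):
    """Verdict for every sample packet under the chain built with ssh_states."""
    chain = input_chain(ssh_states)
    return {name: verdict(chain, p) for name, p in SAMPLES.items()}
```

Packets in conntrack state INVALID match neither the first rule nor the NEW-only ssh rule and fall through to DROP, which is the behaviour the thread argues for.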