Critique my iptables

Dew

2[H]4U, joined Jun 23, 2003
Here is my setup:
DSL modem/router (Actiontec GT-701) with its DMZ set to my Linux box. Here is my iptables config script; any comments/additions/notes on my config are welcome.

#File: /home/root/iptablesupdate.sh


#Flush all tables and zero all counters
/sbin/iptables -F
/sbin/iptables -Z

#Rename the existing RedHat chain (if it exists)
/sbin/iptables -E RH-Firewall-1-INPUT Firewall-DROP
#Create needed custom chains
/sbin/iptables -N Firewall-DROP
/sbin/iptables -N Firewall-ACCEPT
/sbin/iptables -N Firewall-REJECT
#You will get errors from the above commands, you can ignore them

#Rules are listed in processing order
/sbin/iptables -A INPUT -j Firewall-DROP
/sbin/iptables -A INPUT -j Firewall-ACCEPT
/sbin/iptables -A INPUT -j Firewall-REJECT
#/sbin/iptables -A FORWARD -j Firewall-DROP
#/sbin/iptables -A FORWARD -j Firewall-ACCEPT
#Rejects all forwarded traffic, uncomment previous lines if acting as a NAT
/sbin/iptables -A FORWARD -j Firewall-REJECT

##################
#***DROP TABLE***#
##################
#DROP VNC requests from the internet
/sbin/iptables -A Firewall-DROP -s 192.168.0.1 -p tcp -m tcp --dport 5800:6000 -j DROP
#VNC END
#DROP Samba requests from the internet
/sbin/iptables -A Firewall-DROP -s 192.168.0.1 -p udp -m udp --dport 137:139 -j DROP
/sbin/iptables -A Firewall-DROP -s 192.168.0.1 -p tcp -m tcp --dport 137:139 -j DROP
#Samba END
#DROP SSH requests from the internet
/sbin/iptables -A Firewall-DROP -s 192.168.0.1 -p tcp -m tcp --dport 22 -j DROP
#SSH END

####################
#***ACCEPT TABLE***#
####################
#VNC
/sbin/iptables -A Firewall-ACCEPT -p tcp -m tcp --dport 5800:6000 -j ACCEPT
#VNC END
#Samba
/sbin/iptables -A Firewall-ACCEPT -p udp -m udp --dport 137:139 -j ACCEPT
/sbin/iptables -A Firewall-ACCEPT -p tcp -m tcp --dport 137:139 -j ACCEPT
#Samba END
#SSH
/sbin/iptables -A Firewall-ACCEPT -p tcp -m tcp --dport 22 -j ACCEPT
#SSH END
#Azureus
/sbin/iptables -A Firewall-ACCEPT -p tcp -m tcp --dport 6881:6899 -j ACCEPT
/sbin/iptables -A Firewall-ACCEPT -p udp -m udp --dport 6881:6899 -j ACCEPT
#Azureus END
#RedHat Defaults
/sbin/iptables -A Firewall-ACCEPT -i lo -j ACCEPT
/sbin/iptables -A Firewall-ACCEPT -p icmp -m icmp --icmp-type any -j ACCEPT
/sbin/iptables -A Firewall-ACCEPT -p ipv6-crypt -j ACCEPT
/sbin/iptables -A Firewall-ACCEPT -p ipv6-auth -j ACCEPT
/sbin/iptables -A Firewall-ACCEPT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
#CUPS /sbin/iptables -A Firewall-ACCEPT -p udp -m udp --dport 631 -j ACCEPT
/sbin/iptables -A Firewall-ACCEPT -m state --state RELATED,ESTABLISHED -j ACCEPT
#RedHat Defaults END


####################
#***REJECT TABLE***#
####################
#Reject All traffic not previously covered
/sbin/iptables -A Firewall-REJECT -j REJECT --reject-with icmp-host-prohibited
#Reject All END


/sbin/iptables-save > /etc/sysconfig/iptables
/sbin/service iptables status

#End of File
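An added example (not code from the post) that models the posted chain order in Python: it transcribes a subset of the rules (the TCP SSH, VNC and Samba lines plus the final REJECT) and walks INPUT -> Firewall-DROP -> Firewall-ACCEPT -> Firewall-REJECT for a constructed probe, so you can see which chain decides a given source address and port. The probe source addresses are made up.

```python
# Added example (not from the post): a small model of the posted INPUT rule order
# so you can see which chain decides each packet.  Probes are constructed;
# only the TCP rules for SSH/VNC/Samba and the final REJECT are transcribed.

def rule(target, src=None, proto=None, dports=None):
    """Build a (match, target) pair mirroring one `iptables -A` line."""
    def match(p):
        return ((src is None or p["src"] == src)
                and (proto is None or p["proto"] == proto)
                and (dports is None or dports[0] <= p["dport"] <= dports[1]))
    return match, target

# Chains in the same order as the script: INPUT jumps DROP -> ACCEPT -> REJECT.
CHAINS = {
    "INPUT": [rule("Firewall-DROP"), rule("Firewall-ACCEPT"), rule("Firewall-REJECT")],
    "Firewall-DROP": [            # every rule here is keyed on -s 192.168.0.1
        rule("DROP", src="192.168.0.1", proto="tcp", dports=(5800, 6000)),
        rule("DROP", src="192.168.0.1", proto="tcp", dports=(137, 139)),
        rule("DROP", src="192.168.0.1", proto="tcp", dports=(22, 22)),
    ],
    "Firewall-ACCEPT": [          # no -s match at all
        rule("ACCEPT", proto="tcp", dports=(5800, 6000)),
        rule("ACCEPT", proto="tcp", dports=(137, 139)),
        rule("ACCEPT", proto="tcp", dports=(22, 22)),
    ],
    "Firewall-REJECT": [rule("REJECT")],
}

def verdict(pkt, chain="INPUT"):
    """First match wins; a user chain with no verdict returns to the caller."""
    for match, target in CHAINS[chain]:
        if not match(pkt):
            continue
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        sub = verdict(pkt, target)          # jump into a user-defined chain
        if sub is not None:
            return sub
    return None                              # fell off the chain: policy applies

def ssh_verdicts(sources):
    """Verdict for a TCP/22 probe from each source address (constructed probes)."""
    return {s: verdict({"src": s, "proto": "tcp", "dport": 22}) for s in sources}

if __name__ == "__main__":
    for src, v in ssh_verdicts(["192.168.0.1", "203.0.113.7"]).items():
        print(f"SSH probe from {src:>13}: {v}")
```

Because every Firewall-DROP rule is keyed on -s 192.168.0.1, a probe from any other address is decided by Firewall-ACCEPT; whether hosts beyond the router reach the box with that address or with their own is something the post does not say, so verify it before relying on the DROP chain.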
 
Have a look into FireHOL (your distro should have it, or you can just get it).

Someone has taken the pain out of writing iptables scripts.
In about 4 lines of fairly plain English you can get an iptables config like yours.


With FireHOL you have the option of either running it as a service so it manages the firewall on each boot (it has some extra commands you can use)

OR making it generate & save the iptables script so you don't have to worry about writing one.

Check it out.
 