Your iptables scares me a bit; do we really have to do all that stuff
like "echo to /proc/sys/..."? I was a TP professional many years ago,
but since the internet I have become a novice, thus running scared.
My script is simple, and perhaps too simple? for some 6 PCs.
I even have FTP/20+21 turned off most of the time, and I question some
of the others (put them on due to err-log messages).
============================================================
#!/bin/sh
# /opt/sbin/ziptables
# /etc/init.d/local
#
iptables -t mangle -F # flush all: mangle,nat,filter
iptables -t nat -F # flush all: mangle,nat,filter
iptables -t filter -F # flush all: mangle,nat,filter
iptables -A INPUT -j ACCEPT -s 127.0.0.1 # local host
iptables -A OUTPUT -j ACCEPT -d 127.0.0.1
iptables -A INPUT -j ACCEPT -s 192.168.0.0/28 # allow x.x.x.0-15 (a /28 is 16 addresses)
iptables -A OUTPUT -j ACCEPT -d 192.168.0.0/28
iptables -A FORWARD -j DROP
#
# PASS ICMP TYPE 3 PACKETS (avoid ping, allow nfs)
# iptables -A INPUT -j ACCEPT -p icmp -m icmp --icmp-type 3
# iptables -A OUTPUT -j ACCEPT -p icmp -m icmp --icmp-type 3
#
# [EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL
PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED]
# [EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED]
# [EMAIL PROTECTED],[EMAIL PROTECTED]
# [EMAIL PROTECTED],MOUNTD@(add "MOUNTD_PORT=33333" to /etc/sysconfig/nfs)
# [EMAIL PROTECTED]
iptables -A INPUT -j ACCEPT -p tcp -m multiport --ports 20,21,25,37,80,110,111,119,443
iptables -A OUTPUT -j ACCEPT -p tcp -m multiport --ports 25,37,80,110,111,119,443
iptables -A INPUT -j ACCEPT -p udp -m multiport --ports 53,67,68,111,520,631
iptables -A OUTPUT -j ACCEPT -p udp -m multiport --ports 53,67,68,111,520,631,5353
#
# LOG DROP THROUGHS FOR DIAGNOSTICS, WRITTEN TO /var/log/messages
iptables -A INPUT -j LOG --log-prefix ZZI-
iptables -A OUTPUT -j LOG --log-prefix ZZO-
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP
iptables -L
#
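A stateful rewrite of the posted script, added here as an example and not the poster's own code: it keeps the same LAN (192.168.0.0/28) and the same port lists, but adds default-deny policies, connection tracking, --dports in place of --ports (which also matches when only the source port is in the list), and rate-limited logging. Run it as "sh ziptables-stateful show" to print the rules without root, or "apply" to load them.

```shell
#!/bin/sh
# Added example, not the poster's script: a stateful version of the same
# small-LAN policy. Assumptions: LAN 192.168.0.0/28 as in the post; the
# port lists are constructed to mirror the post's and should be trimmed.
IPT="${IPT:-iptables}"
LAN="${LAN:-192.168.0.0/28}"
TCP_IN="${TCP_IN:-20,21,25,37,80,110,111,119,443}"
TCP_OUT="${TCP_OUT:-25,37,80,110,111,119,443}"
UDP_IN="${UDP_IN:-53,67,68,111,520,631}"
UDP_OUT="${UDP_OUT:-53,67,68,111,520,631,5353}"

# DRY_RUN=1 prints each rule instead of applying it (no root needed)
rule() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s %s\n' "$IPT" "$*"
  else "$IPT" "$@"; fi
}

gen_rules() {
  rule -t filter -F
  # default-deny policies survive a flush, unlike a trailing DROP rule
  rule -P INPUT DROP; rule -P FORWARD DROP; rule -P OUTPUT DROP
  rule -A INPUT -i lo -j ACCEPT
  rule -A OUTPUT -o lo -j ACCEPT
  # replies to connections this host opened (or the LAN opened to it)
  rule -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  rule -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  rule -A INPUT -m conntrack --ctstate INVALID -j DROP
  # --dports matches the destination only; the post's --ports also
  # matches packets whose *source* port is in the list, e.g. sport 80
  rule -A INPUT -s "$LAN" -p tcp -m multiport --dports "$TCP_IN" \
       -m conntrack --ctstate NEW -j ACCEPT
  rule -A INPUT -s "$LAN" -p udp -m multiport --dports "$UDP_IN" -j ACCEPT
  rule -A OUTPUT -p tcp -m multiport --dports "$TCP_OUT" \
       -m conntrack --ctstate NEW -j ACCEPT
  rule -A OUTPUT -p udp -m multiport --dports "$UDP_OUT" -j ACCEPT
  # log leftovers, rate-limited so a scan cannot flood /var/log/messages
  rule -A INPUT -m limit --limit 5/min -j LOG --log-prefix "ZZI-"
  rule -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "ZZO-"
}

# number of iptables invocations the policy issues (dry run, in a subshell)
rule_count() { (DRY_RUN=1; gen_rules) | wc -l | tr -d ' '; }

case "${1:-}" in
  apply) gen_rules ;;
  show)  (DRY_RUN=1; gen_rules) ;;
esac
```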