Hi, you have the FORWARD policy set to DROP (not by default but by rule) -> you don't need "echo ... /ip_forward".
I don't like to log everything it drops; it can fill up a partition and that is not good :) bye

> Your iptables scares me a bit; do we really have to do all that stuff
> like "echo to /proc/sys/..."? I was a TP professional many years ago
> but since the internet I have become a novice, thus running scared.
>
> My script is simple, and perhaps too simple???? for some 6 PC's.
> I even have FTP/20+21 turned off most of the time, and I question some
> of the others (put them on due to err-log messages).
>
> ============================================================
>
> #!/bin/sh
> # /opt/sbin/ziptables
> # /etc/init.d/local
> #
> iptables -t mangle -F # flush all: mangle,nat,filter
> iptables -t nat -F # flush all: mangle,nat,filter
> iptables -t filter -F # flush all: mangle,nat,filter
> iptables -A INPUT -j ACCEPT -s 127.0.0.1 # local host
> iptables -A OUTPUT -j ACCEPT -d 127.0.0.1
> iptables -A INPUT -j ACCEPT -s 192.168.0.0/28 # allow x.x.x.1-7
> iptables -A OUTPUT -j ACCEPT -d 192.168.0.0/28
> iptables -A FORWARD -j DROP
> #
> # PASS ICMP TYPE 3 PACKETS (avoid ping, allow nfs)
> # iptables -A INPUT -j ACCEPT -p icmp -m icmp --icmp-type 3
> # iptables -A OUTPUT -j ACCEPT -p icmp -m icmp --icmp-type 3
> #
> # [EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED]
> # [EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED]
> # [EMAIL PROTECTED],[EMAIL PROTECTED]
> # [EMAIL PROTECTED],MOUNTD@(add "MOUNTD_PORT=33333" to /etc/sysconfig/nfs)
> # [EMAIL PROTECTED]
>
> iptables -A INPUT -j ACCEPT -p tcp -m multiport --port 20,21,25,37,80,110,111,119,443
>
> iptables -A OUTPUT -j ACCEPT -p tcp -m multiport --port 25,37,80,110,111,119,443
>
> iptables -A INPUT -j ACCEPT -p udp -m multiport --port 53,67,68,111,520,631
>
> iptables -A OUTPUT -j ACCEPT -p udp -m multiport --port 53,67,68,111,520,631,5353
> #
> # LOG DROP THROUGHS FOR DIAGNOSTICS, WRITTEN TO /var/log/messages
> iptables -A INPUT -j LOG --log-prefix ZZI-
> iptables -A OUTPUT -j LOG --log-prefix ZZO-
> iptables -A INPUT -j DROP
> iptables -A OUTPUT -j DROP
> iptables -L
> #
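As an added example (not the poster's script and not the reply's), here is the same policy rebuilt around the two points the reply raises: FORWARD dropped by policy rather than by an appended rule, and the unbounded LOG rules replaced by a rate-limited one so a flood of dropped packets cannot fill the partition holding /var/log. It goes a little beyond the thread: it assumes the same LAN (192.168.0.0/28) and a kernel with the conntrack and limit matches, switches `--port` to `--dports` (`--port` also matches on the source port, so a remote host sending from source port 80 would reach any local service), and leaves OUTPUT at a default ACCEPT so that INPUT only needs conntrack to admit replies. The `IPT=echo` dry run and the helper names (`build_ruleset`, `rule_count`, `unlimited_log_rules`) are my own additions.

```shell
#!/bin/sh
# Added example, not the original poster's /opt/sbin/ziptables.
# Assumptions: LAN 192.168.0.0/28, kernel with conntrack + limit matches.
# Run as "ziptables apply" to load, "ziptables show" to print the rules,
# or set IPT=echo to dry-run any function.

IPT="${IPT:-iptables}"
LAN="${LAN:-192.168.0.0/28}"
TCP_IN="20,21,25,37,80,110,111,119,443"
UDP_IN="53,67,68,111,520,631"
LOG_RATE="${LOG_RATE:-5/min}"

# Flush every chain in the three tables the original script touched.
flush_all() {
    for t in mangle nat filter; do
        $IPT -t "$t" -F
    done
}

# Default-deny INPUT and FORWARD by policy; no trailing DROP rule is
# needed for FORWARD and nothing slips through if a rule is mis-typed.
set_policies() {
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
}

add_rules() {
    $IPT -A INPUT -i lo -j ACCEPT
    # Replies to our own outbound traffic and related ICMP, plus drop
    # anything conntrack cannot classify (bogus flags, stray ACKs).
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
    $IPT -A INPUT -s "$LAN" -j ACCEPT
    # --dports only: --port would also match on the remote SOURCE port.
    $IPT -A INPUT -p tcp --syn -m multiport --dports "$TCP_IN" -j ACCEPT
    $IPT -A INPUT -p udp -m multiport --dports "$UDP_IN" -j ACCEPT
    # Destination-unreachable carries path-MTU information; keep it.
    $IPT -A INPUT -p icmp --icmp-type 3 -j ACCEPT
    # Log what is about to be dropped, but at most LOG_RATE (burst 10),
    # so a scan or flood cannot fill the partition holding /var/log.
    $IPT -A INPUT -m limit --limit "$LOG_RATE" --limit-burst 10 \
        -j LOG --log-prefix "ZZI-" --log-level info
    $IPT -A INPUT -j DROP
}

build_ruleset() {
    flush_all
    set_policies
    add_rules
}

# Number of -A rules the ruleset emits (dry run via IPT=echo).
rule_count() {
    (IPT=echo; build_ruleset) | grep -- '^-A ' | wc -l | tr -d ' '
}

# Number of LOG rules that are NOT rate-limited; should be 0.
unlimited_log_rules() {
    (IPT=echo; build_ruleset) | grep -- '-j LOG' \
        | grep -v -- '-m limit' | wc -l | tr -d ' '
}

case "${1:-}" in
    apply) build_ruleset ;;
    show)  (IPT=echo; build_ruleset) ;;
esac
```

One caveat on the LAN mask carried over from the posted script: 192.168.0.0/28 spans .0 to .15, so if only hosts .1 to .7 are meant, /29 is the tighter choice. Check the generated rules with `sh ziptables show` before applying, and confirm with `iptables -L INPUT -v` that the `limit` counter on the LOG rule is doing its job under load.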