On Sun, Aug 17, 2003 at 11:38:42PM -0400, Bret Comstock Waldow wrote:
> I want to get iptables running on my laptop. I'm behind a
> gateway/router now, but I'll be on the road in a few weeks.
>
> I see lots of docs about what rules to write for doing this, stopping
> that, etc.
>
> Where do I put them?
>
> How do I start an iptable firewall when my system starts? What file
> where holds all those keen rules all the docs are giving me recipes for?
I use a script from /etc/init.d with appropriate links to rc*.d (made with
update-rc.d). If you want to set things up on ppp0, then put the script in
/etc/ppp/ip-up.d to bring the firewall up and /etc/ppp/ip-down.d/ to take it
down again.

I basically made this up myself from a few docs, so I take no responsibility
if it's a dodgy script:

Hope that helps

cheers

dc

#! /bin/sh
# /etc/init.d/firewall
#
case "$1" in
  start)
    echo "Bringing up firewall..."

    # start traffic shaping (only if the wshaper-dsl helper is installed)
    if [ -x /usr/local/bin/wshaper-dsl ]; then
        /usr/local/bin/wshaper-dsl start
    fi

    # initialise iptables chains: flush everything, default-deny inbound
    # and forwarded traffic, allow outbound
    iptables -t filter -F
    iptables -t nat -F
    iptables -t mangle -F
    iptables -t filter -P INPUT DROP
    iptables -t filter -P FORWARD DROP
    iptables -t filter -P OUTPUT ACCEPT

    # make sure ftp module is inserted
    if ! (lsmod | grep -q ip_conntrack_ftp); then
        modprobe -q ip_conntrack_ftp
    fi

    # setup nat (eth1 is the external/untrusted interface)
    iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
    echo 1 > /proc/sys/net/ipv4/ip_forward

    # create block table
    iptables -N block_in

    # incoming connection blocking
    # allow established connections
    iptables -A block_in -m state --state ESTABLISHED,RELATED -j ACCEPT
    # allow new connections from inside machine and localnet
    iptables -A block_in -m state --state NEW -i ! eth1 -j ACCEPT
    # allow ping
    iptables -A block_in -p icmp -j ACCEPT
    # allow ssh and a few other connections
    iptables -A block_in -m state --state NEW -p tcp --dport ssh -j ACCEPT
    # DHCP replies (server port 67 -> client port 68) to the broadcast address
    iptables -A block_in -m state --state NEW -p udp --dport 68 --sport 67 -d 255.255.255.255 -j ACCEPT
    iptables -A block_in -m state --state NEW -p tcp --dport http -j ACCEPT
    iptables -A block_in -m state --state NEW -p udp --dport 53 -j ACCEPT
    iptables -A block_in -m state --state NEW -p tcp --dport 25 -j ACCEPT
    # open port 4000 for CircleMUD
    iptables -A block_in -m state --state NEW -p tcp --dport 4000 -j ACCEPT

    # some things we don't bother to log
    iptables -A block_in -m state --state NEW -p tcp --dport 113 -j REJECT
    iptables -A block_in -i eth1 -s 203.87.20.174 -d 203.87.20.255 -p udp --dport 513 --sport 513 -j REJECT
    iptables -A block_in -m state --state NEW -p tcp --dport 445 -j DROP
    # note: this rule is never reached, new connections to port 80 (http)
    # are already ACCEPTed a few lines above
    iptables -A block_in -m state --state NEW -p tcp --dport 80 -j DROP

    # log everything else; it is then dropped by the INPUT/FORWARD policy
    iptables -A block_in -j LOG

    iptables -A INPUT -j block_in
    iptables -A FORWARD -j block_in
    ;;
  stop)
    echo "Bringing down firewall..."
    if [ -x /usr/local/bin/wshaper-dsl ]; then
        /usr/local/bin/wshaper-dsl stop
    fi
    iptables -t filter -F
    iptables -t nat -F
    iptables -t mangle -F
    iptables -X block_in
    # iptables -X block_out
    iptables -t filter -P INPUT ACCEPT
    iptables -t filter -P FORWARD ACCEPT
    iptables -t filter -P OUTPUT ACCEPT
    ;;
  restart|reload|force-reload)
    "$0" stop
    "$0" start
    ;;
  *)
    echo "Usage: /etc/init.d/firewall {start|stop|restart|reload}"
    exit 1
    ;;
esac

-- 
David Purton
[EMAIL PROTECTED]

If you, O LORD, kept a record of sins,
O Lord, who could stand?
Psalm 130:3
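As an added example (not David's script and not from the thread), here is the /etc/ppp/ip-up.d variant of the same idea for the laptop case: the hook takes the interface name pppd provides, builds a default-deny ruleset in iptables-restore format and loads the whole table in one step instead of one iptables call at a time. It assumes a Debian-style ip-up that exports PPP_IFACE (or passes the interface as $1); the function names and the FW_DRY_RUN variable are my own.

```shell
#!/bin/sh
# Added example, not from the original post: a hook for /etc/ppp/ip-up.d
# that builds a laptop ruleset for the interface pppd brought up and loads
# it with iptables-restore. Assumes Debian's ip-up exports PPP_IFACE (pppd
# itself passes the interface name as $1); the hook path is hypothetical.

build_ruleset() {
    ifname="$1"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:block_in - [0:0]
# replies to connections this host opened
-A block_in -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# anything not arriving on the untrusted link (loopback, docked LAN) is trusted
-A block_in ! -i $ifname -j ACCEPT
-A block_in -p icmp -j ACCEPT
-A block_in -m conntrack --ctstate NEW -p tcp --dport 22 -j ACCEPT
# log the rest, then let the INPUT/FORWARD policy drop it
-A block_in -m conntrack --ctstate NEW -j LOG --log-prefix "fw-drop: "
-A INPUT -j block_in
-A FORWARD -j block_in
COMMIT
EOF
}

# number of -A rules the generated table contains (sanity check before loading)
rule_count() {
    build_ruleset "$1" | grep -c '^-A '
}

apply_ruleset() {
    # iptables-restore replaces the whole table atomically, so there is no
    # window where only part of the ruleset is in place
    build_ruleset "$1" | iptables-restore
}

# reset to accept-all; the matching hook for /etc/ppp/ip-down.d
flush_ruleset() {
    printf '*filter\n:INPUT ACCEPT [0:0]\n:FORWARD ACCEPT [0:0]\n:OUTPUT ACCEPT [0:0]\nCOMMIT\n' | iptables-restore
}

iface="${PPP_IFACE:-${1:-}}"
if [ -n "$iface" ] && [ -z "${FW_DRY_RUN:-}" ]; then
    apply_ruleset "$iface"
fi
```

Set FW_DRY_RUN=1 and call build_ruleset ppp0 to inspect the generated table without loading it.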