<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.2900.2873" name=GENERATOR></HEAD>
<BODY text=#000000 bgColor=#ffffff>
<p><DEFANGED_DIV dir=ltr align=left><DEFANGED_SPAN class=588045712-23052006><FONT face=Arial
color=#0000ff size=2>On the topic of iptables, I've found that
although "iptables -L" describes the rules in effect, it doesn't present
them in the way that I've presented them to iptables. My preference is to
develop a script that starts with flushing iptables, setting the policies and
dropping and accepting as needed. I also use the /etc/rc.local to start iptables
after a reboot.</FONT></DEFANGED_SPAN></p><DEFANGED_DIV>
<DEFANGED_DIV dir=ltr align=left><DEFANGED_SPAN class=588045712-23052006><PRE>#!/bin/sh
# flush all chains
iptables -F
#
# set policies
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
#
#
# accept everything from localhost and own address
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -s xxx.xxx.254.188 -j ACCEPT
#
# accept everything from djk M$ machine
iptables -A INPUT -s xxx.xxx.254.179 -j ACCEPT
#
# accept everything from xxxxxxxx machine
iptables -A INPUT -s xxx.xxx.248.172 -j ACCEPT
#
# DROP all from xxxxxxxx network
iptables -A INPUT -s xxx.xxx.xxx.0/255.255.255.0 -j DROP
iptables -A INPUT -s xxx.xxx.xxx.0/255.255.255.0 -j DROP
iptables -A INPUT -s xxx.xxx.xxx.0/255.255.255.0 -j DROP
iptables -A INPUT -s xxx.xxx.xxx.0/255.255.255.0 -j DROP
iptables -A INPUT -s xxx.xxx.xxx.0/255.255.255.0 -j DROP
iptables -A INPUT -s xxx.xxx.xxx.0/255.255.255.0 -j DROP
iptables -A INPUT -s xxx.xxx.xxx.0/255.255.255.0 -j DROP
iptables -A INPUT -s xxx.xxx.xxx.0/255.255.255.0 -j DROP
#
# iptables -A INPUT -j LOG --log-prefix "DJK---"
# ssh allowed
iptables -A INPUT -m state --state NEW -m tcp -p tcp -s xxx.xxx.224.0/255.255.224.0 --dport 22 -j ACCEPT
#
# pings allowed
iptables -A INPUT -p icmp --icmp-type any -j ACCEPT
#
# established connections allowed
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# save the rules
service iptables save
</PRE></DEFANGED_SPAN><DEFANGED_DIV>
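As an added example (not the script from the post above), the same policy written as a function that emits the iptables-restore format, which is what `iptables-save` and `service iptables save` produce and, unlike `iptables -L`, reproduces the rules as they were entered, so one file can be loaded atomically with `iptables-restore` and diffed against the running ruleset. The addresses are constructed placeholders standing in for the post's masked ones, and `check_rules` is an assumed sanity check of my own, not an iptables tool.

```shell
#!/bin/sh
# Added example: emit the post's INPUT policy in iptables-save/restore format.
# All addresses below are constructed placeholders (documentation ranges).
SELF_ADDR="${SELF_ADDR:-192.0.2.188}"
ADMIN_HOSTS="${ADMIN_HOSTS:-192.0.2.179 192.0.2.172}"
BLOCKED_NETS="${BLOCKED_NETS:-198.51.100.0/24 203.0.113.0/24}"
SSH_NET="${SSH_NET:-192.0.2.0/24}"

# Print a complete filter table: default policies, rules in the post's order, COMMIT.
gen_rules() {
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' "-A INPUT -s $SELF_ADDR -j ACCEPT"
    for h in $ADMIN_HOSTS; do printf '%s\n' "-A INPUT -s $h -j ACCEPT"; done
    for n in $BLOCKED_NETS; do printf '%s\n' "-A INPUT -s $n -j DROP"; done
    printf '%s\n' "-A INPUT -s $SSH_NET -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT"
    printf '%s\n' '-A INPUT -p icmp -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' 'COMMIT'
}

# Sanity-check a ruleset on stdin before loading it (assumed helper, not an
# iptables command): succeed only if the filter table's INPUT policy is DROP,
# it contains at least one rule, every non-empty line is well formed, and it
# ends with COMMIT. Exit status 0 = ok, 1 = refuse to load.
check_rules() {
    awk '
        /^\*/            { in_filter = ($0 == "*filter"); next }
        !in_filter       { next }
        /^:INPUT DROP /  { drop = 1; next }
        /^:/             { next }
        /^-A /           { rules++; next }
        /^COMMIT$/       { committed = 1; next }
        NF               { bad++ }
        END { exit !(drop && committed && rules > 0 && !bad) }
    '
}

# Typical use (not run here): gen_rules > /tmp/rules && check_rules < /tmp/rules \
#   && iptables-restore < /tmp/rules && iptables-save | diff - /tmp/rules
```

Because `iptables-restore` replaces the whole table in one step, there is no window between the flush and the last rule during which the host is unfiltered, which a line-by-line script does have.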
<P><DEFANGED_SPAN lang=en-us><B><I><FONT face=Arial size=2><DEFANGED_SPAN
class=588045712-23052006>DJK</DEFANGED_SPAN></FONT></I></B></DEFANGED_SPAN></P></BODY></HTML>