[GRLUG] emergency
Kaminski, Dennis J
Dennis.Kaminski at Siemens.com
Tue May 23 09:09:03 EDT 2006
On the topic of iptables, I've found that although "iptables -L"
describes the rules in effect, it doesn't present them in the way that
I've presented them to iptables. My preference is to develop a script
that starts with flushing iptables, setting the policies and dropping
and accepting as needed. I also use the /etc/rc.local to start iptables
after a reboot.
# flush all chains in the filter table (the table -F acts on when no -t is given)
iptables -F
#
# set default policies: anything not matched by a rule below is dropped on
# INPUT and FORWARD and allowed on OUTPUT
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
#
# rules are checked top to bottom and the first match wins, so the order
# below matters
#
# accept everything from localhost and own address
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -s xxx.xxx.254.188 -j ACCEPT
#
# accept everything from djk M$ machine
iptables -A INPUT -s xxx.xxx.254.179 -j ACCEPT
#
# accept everything from xxxxxxxx machine
iptables -A INPUT -s xxx.xxx.248.172 -j ACCEPT
#
# DROP all from xxxxxxxx network (one rule per /24; these sit above the
# ESTABLISHED,RELATED rule, so even reply traffic from these networks is dropped)
iptables -A INPUT -s xxx.xxx.xxx.0/255.255.255.0 -j DROP
iptables -A INPUT -s xxx.xxx.xxx.0/255.255.255.0 -j DROP
iptables -A INPUT -s xxx.xxx.xxx.0/255.255.255.0 -j DROP
iptables -A INPUT -s xxx.xxx.xxx.0/255.255.255.0 -j DROP
iptables -A INPUT -s xxx.xxx.xxx.0/255.255.255.0 -j DROP
iptables -A INPUT -s xxx.xxx.xxx.0/255.255.255.0 -j DROP
iptables -A INPUT -s xxx.xxx.xxx.0/255.255.255.0 -j DROP
iptables -A INPUT -s xxx.xxx.xxx.0/255.255.255.0 -j DROP
#
# uncomment to log everything that reaches this point, i.e. all traffic not
# already accepted or dropped above (including the ssh, ping and reply
# traffic accepted by the rules that follow)
# iptables -A INPUT -j LOG --log-prefix "DJK---"
#
# ssh allowed: new connections only, from the /19 given by the mask
iptables -A INPUT -m state --state NEW -m tcp -p tcp -s xxx.xxx.224.0/255.255.224.0 --dport 22 -j ACCEPT
#
# pings allowed (all ICMP types)
iptables -A INPUT -p icmp --icmp-type any -j ACCEPT
#
# established connections allowed: replies to connections this host opened,
# and related traffic such as ICMP errors
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# save the rules (Red Hat style: writes them to /etc/sysconfig/iptables)
service iptables save
DJK
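The same design (flush, set policies, accept, drop, save) as a re-runnable script, added here as an example; it is not the script from the post above. Every command goes through a run() wrapper that prints the command instead of executing it unless APPLY=1, so the whole ruleset can be reviewed before it touches a host, and the review step uses iptables-save rather than "iptables -L", since -L hides interface matches and counters unless given -v and resolves addresses to names unless given -n. The addresses, the ADMIN_HOSTS/BLOCKED_NETS/SSH_FROM variables and the run() helper are assumptions of this example, using the documentation address ranges. It also adds -X after -F (so user-defined chains are removed too) and moves the ESTABLISHED,RELATED rule to the top of the chain, where reply packets match at once instead of walking every rule. Note that this changes one thing compared with the post's ordering: with ESTABLISHED,RELATED above the DROP rules, replies to connections this host itself opens toward a blocked network are accepted. If those networks must be unreachable in both directions, keep the DROP rules above the ESTABLISHED rule as the post does.

```shell
#!/bin/sh
# Added example (not the poster's script): flush, set policies, accept,
# drop, save, as a script that previews its own commands.
# APPLY=1 executes; anything else only prints.  All addresses below are
# assumed placeholders from the documentation ranges.
set -eu

APPLY="${APPLY:-0}"
ADMIN_HOSTS="${ADMIN_HOSTS:-192.0.2.10 192.0.2.11}"              # assumed
BLOCKED_NETS="${BLOCKED_NETS:-198.51.100.0/24 203.0.113.0/24}"   # assumed
SSH_FROM="${SSH_FROM:-192.0.2.0/24}"                             # assumed

# run: execute the command when APPLY=1, otherwise print it on one line
run() {
    if [ "$APPLY" = 1 ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

build_ruleset() {
    # Flush and delete user chains first, so re-running the script never
    # appends a second copy of every rule under the old ones.
    run iptables -F
    run iptables -X
    run iptables -P INPUT DROP
    run iptables -P OUTPUT ACCEPT
    run iptables -P FORWARD DROP

    run iptables -A INPUT -i lo -j ACCEPT
    # Reply traffic first: each reply packet matches here and stops instead
    # of walking the whole chain, as it does when this rule comes last.
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -m state --state INVALID -j DROP

    for h in $ADMIN_HOSTS; do
        run iptables -A INPUT -s "$h" -j ACCEPT
    done
    for n in $BLOCKED_NETS; do
        run iptables -A INPUT -s "$n" -j DROP
    done

    # New ssh connections only from the admin network; reply packets of an
    # existing session were already accepted above.
    run iptables -A INPUT -p tcp --dport 22 -s "$SSH_FROM" \
        -m state --state NEW -j ACCEPT
    run iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

    # Log what falls through to the DROP policy, rate limited so a port
    # scan cannot fill the log.
    run iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP "
}

# iptables-save prints the rules in the form they were entered, which is
# what "iptables -L" does not do without -n -v.
review_ruleset() {
    run iptables-save
}

build_ruleset
review_ruleset
if [ "$APPLY" = 1 ]; then
    # Red Hat style persistence, as in the post: writes /etc/sysconfig/iptables
    run service iptables save
fi
```

Run it once without APPLY to read the command list, then with APPLY=1 as root from a console session (not only over ssh) so that a mistake in SSH_FROM cannot lock you out.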