IPTABLES: block ALL incoming and outgoing except...

  1. #1
    Senior Member (joined Apr 2002, 417 posts)

    IPTABLES: block ALL incoming and outgoing except...

    Hi,

    Can someone help me with getting IPTABLES to block all traffic except for local subnets. I don't want ANY (icmp,tcp,udp) traffic coming into or going from my box and across the router.

    From /sbin/iptables-save. IP addresses have been altered; 64.30.14.0/24, 64.30.15.0/24 and 64.30.237.0/24 are my local subnets.

    --------------------------------
    # Generated by iptables-save v1.2.5 on Sun Apr 27 11:26:14 2003
    *filter
    :INPUT DROP [3195:172926]
    :FORWARD DROP [0:0]
    :OUTPUT DROP [3126:156418]
    -A INPUT -s 64.30.15.0/255.255.255.0 -p tcp -m multiport --dports ssh,6000 -j ACCEPT
    -A INPUT -s 64.30.14.0/255.255.255.0 -p tcp -m multiport --dports ssh,6000 -j ACCEPT
    -A INPUT -s 64.30.237.0/255.255.255.0 -p tcp -m multiport --dports ssh -j ACCEPT
    -A INPUT -s ! 127.0.0.1 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j DROP
    -A INPUT -s 64.30.15.0/255.255.255.0 -j ACCEPT
    -A INPUT -s 64.30.14.0/255.255.255.0 -j ACCEPT
    -A INPUT -s 64.30.237.0/255.255.255.0 -j ACCEPT
    -A OUTPUT -s 64.30.15.0/255.255.255.0 -j ACCEPT
    -A OUTPUT -s 64.30.14.0/255.255.255.0 -j ACCEPT
    -A OUTPUT -s 64.30.237.0/255.255.255.0 -j ACCEPT
    COMMIT
    # Completed on Sun Apr 27 11:26:14 2003
    --------------------------------

    Can anyone maybe suggest a more elegant way of doing this?

    Also, I load this file from /etc/rc.d/rc.local; however, I believe the network interface is configured before rc.local is run, which means the interface is not restricted by the firewall. Suppose ntp, or something I don't know about, is pointing somewhere outside my LAN: it will be able to get access to it. Is there some way around that?

    Thanks.

  2. #2

    Re:IPTABLES: block ALL incoming and outgoing except...

    Is iptables-save a firewall script writing program?

    Usually I write all my iptables scripts by hand, and it's been a while since I have done so, so I'm not completely familiar with the syntax of your script (the :FORWARD part, for instance), but as a rule of thumb, the order, from top to bottom, of your rules is the order in which they are applied to a packet, so what you need to do is define all your allowable traffic, and then end your ruleset with a "drop and log all" clause.

    In Checkpoint terminology this is called the "cleanup rule" and is essential to a good firewall. As long as you have a cleanup rule, only the traffic which you specifically allow will make it to, or through, your box.

    Also, try making a startup script in your appropriate rc.d directory that will load before the network is brought up, so that the iptables rules are loaded into the kernel before your interface comes up. One caveat, however: if you get your IP via DHCP, this will cause problems.
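    The following script is an added example (not code from either poster) that ties the two posts together: it generates the "block everything except the local subnets" ruleset from post #1 in iptables-restore format from a single list of subnets, and it ends each chain with the rate-limited "log and drop" cleanup rule that post #2 recommends. Two points worth noticing against the ruleset quoted in post #1: once the OUTPUT policy is DROP, loopback has to be allowed explicitly or local services such as X11 and DNS resolvers break, and the quoted OUTPUT rules match on source address, which on a single-homed host is always its own address, so they do not actually restrict where packets may go; the generated rules match on destination instead. The subnets are the ones quoted in the thread; the port list, the log prefix and the rate limit are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: emit an iptables-restore file that permits traffic only
# between this host and the listed local subnets (plus loopback) and logs
# then drops everything else.  Load the result with:
#   iptables-restore < rules.txt
# Values below are assumptions for illustration, not from the thread's posts
# (the subnets are the ones quoted in post #1).

LOCAL_SUBNETS="64.30.14.0/24 64.30.15.0/24 64.30.237.0/24"
MGMT_PORTS="ssh,6000"   # assumed: only ssh and X11 need to reach this host
LOG_RATE="5/min"        # assumed: cap on log lines so a scan cannot flood syslog

gen_rules() {
    # $1: space-separated list of subnets, $2: comma list for --dports
    subnets="$1"
    ports="$2"
    echo '*filter'
    # Default policy DROP on every built-in chain; the cleanup rules below
    # only exist so that the drops are logged before the policy applies.
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT DROP [0:0]'
    # Loopback must be allowed explicitly under a DROP policy.
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A OUTPUT -o lo -j ACCEPT'
    # Replies to connections this host opened to a local subnet come back in.
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for net in $subnets; do
        # New TCP connections from the subnet only to the management ports.
        echo "-A INPUT -s $net -p tcp -m multiport --dports $ports -j ACCEPT"
        # Anything else (non-TCP, or TCP that is not a new connection) from
        # the subnet is accepted, as in post #1.
        echo "-A INPUT -s $net -p tcp -m tcp ! --syn -j ACCEPT"
        echo "-A INPUT -s $net ! -p tcp -j ACCEPT"
        # Outbound: match on destination, so only the local subnets are reachable.
        echo "-A OUTPUT -d $net -j ACCEPT"
    done
    # Cleanup rule per chain: log (rate-limited) and drop what nothing matched.
    for chain in INPUT OUTPUT; do
        echo "-A $chain -m limit --limit $LOG_RATE -j LOG --log-prefix \"fw-$chain-drop: \""
        echo "-A $chain -j DROP"
    done
    echo 'COMMIT'
}

# Print the ruleset; redirect to a file and feed it to iptables-restore.
gen_rules "$LOCAL_SUBNETS" "$MGMT_PORTS"
```

    Because the OUTPUT chain only accepts traffic to the listed subnets, the ntp case from post #1 is handled regardless of when the rules are loaded relative to rc.local: an ntp client aimed outside the LAN will simply see its packets logged and dropped as soon as the ruleset is in place.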

  3. #3

    Re:IPTABLES: block ALL incoming and outgoing except...

    Well, your router shouldn't be sending anything to it unless you have ports forwarded, and you can just set a static IP on the Linux box and leave the default gateway blank. Then the computer won't know about the router and nothing will go out on the net from it. You should have a firewall, but this is a nice, fast and simple solution to use until you learn IPTables.
