I'm not familiar with iptables, so forgive my stupid question:
I need to protect rh 7.2 box in such a way that all outgoing traffic is allowed, all incomming is not allowed, and all communictaions originating from the box are stateful.
Which rules should I use.
thx.
I've got the exact setup you want on my box at home. I'll post it when I get back home (I'm at school now).
thanks.
Ok, for iptables rules you want something like this:
Put that into a script and have it run by default during system boot. How you go about doing that will vary from distro to distro.Code:iptables="/sbin/iptables" $iptables -F $iptables -X $iptables -P INPUT DROP # Drop some known-evil packets $iptables -A INPUT -i eth0 -p tcp -m state --state NEW -j DROP $iptables -A INPUT -m state --state INVALID -j DROP # Accept established connections $iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # Limit the amount of pings that are accepted $iptables -A INPUT -i eth0 -p icmp --icmp-type 8 -m limit --limit 1/m -j ACCEPT # Drop the excess ones $iptables -A INPUT -i eth0 -p icmp --icmp-type 8 -j DROP # Accept other kinds of icmp traffic (but not pings) $iptables -A INPUT -i eth0 -p icmp -j ACCEPT # Allow local traffic $iptables -A INPUT -i lo -j ACCEPT # Drop all extra traffic! $iptables -A INPUT -i eth0 -j DROP # Accept all outbound packets $iptables -P OUTPUT ACCEPT
Wow, actually I hate myself for asking this (after all I'm strong advocate of cli based systems-novell,*nix) but I don't really have a time to dig this. I was thinking about opening fwconfig gui in kde and making some rules......After all that's what I'm doing with Checkpoint at my work :-).
It looks like I have no choice ;D
Anyway, thanks for the script, I 'll use it on my rh7.2.
P.S. I was trying to BTFW and find some 'human' tutorial for regarding iptables, couldn't find any, if you've got some link then pls post it here.
thanks.
THanks.
Here's a few rules for you...I like rejecting SYN packets with an RST rather than just dropping them. A little more fun this way.
# Tear down connection immediately with RST
iptables -A INPUT -i eth0 -p tcp --syn -j REJECT --reject-with tcp-reset
# Drop new non-SYN packets
iptables -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j DROP
There are of course many different ways to accomplish the same goal. This link has a lot of example scripts that can give you some ideas. http://www.linuxguruz.org/iptables/
edit: oh yeah, on the bottom of that page they have links to ncurses based or gui based iptables configuration tools. However, my advice is read the iptables man page and read over a few scripts that other people have written and in no time you'll be writing rules.
Good link, Thanks..
This link has a lot of example scripts that can give you some ideas. *http://www.linuxguruz.org/iptables/
I've been stuck in the ipchains world and have been wanting to get a handle on iptables. Connection state tracking..good
Posting Permissions
Reply With Quote
Bookmarks