Thread: iptables

  1. #1


    I'm not familiar with iptables, so forgive my stupid question:
    I need to protect an RH 7.2 box in such a way that all outgoing traffic is allowed, all incoming traffic is not allowed, and all communications originating from the box are stateful.
    Which rules should I use?

  2. #2

    Re: iptables

    I've got the exact setup you want on my box at home. I'll post it when I get back home (I'm at school now).

  4. #4

    Re: iptables

    Ok, for iptables rules you want something like this:

    #!/bin/sh
    # Path to the iptables binary (assumed; adjust for your distro)
    iptables=/sbin/iptables
    # Flush existing rules and delete user-defined chains
    $iptables -F
    $iptables -X
    # Default policy: anything not explicitly accepted below is dropped
    $iptables -P INPUT DROP
    # Drop some known-evil packets
    $iptables -A INPUT -i eth0 -p tcp -m state --state NEW -j DROP
    $iptables -A INPUT -m state --state INVALID -j DROP
    # Accept established connections
    $iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Limit the amount of pings that are accepted
    $iptables -A INPUT -i eth0 -p icmp --icmp-type 8 -m limit --limit 1/m -j ACCEPT
    # Drop the excess ones
    $iptables -A INPUT -i eth0 -p icmp --icmp-type 8 -j DROP
    # Accept other kinds of icmp traffic (but not pings)
    $iptables -A INPUT -i eth0 -p icmp -j ACCEPT
    # Allow local traffic
    $iptables -A INPUT -i lo -j ACCEPT
    # Drop all extra traffic!
    $iptables -A INPUT -i eth0 -j DROP
    # Accept all outbound packets
    $iptables -P OUTPUT ACCEPT

    Put that into a script and have it run by default during system boot. How you go about doing that will vary from distro to distro.
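Added example, not code from this thread or from netfilter: a small Python model of first-match rule evaluation, loaded with the INPUT chain from post #4 in the same order, to show why that order matters (a reply to an outbound connection reaches the ESTABLISHED rule, a fresh inbound SYN on eth0 never gets past the first DROP, and a second ping inside the window falls through to the DROP rule). The `-m limit` token bucket is simplified to a fixed budget of one match.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    iface: str           # interface the packet arrived on: "eth0" or "lo"
    proto: str           # "tcp", "udp" or "icmp"
    state: str           # conntrack state: NEW, ESTABLISHED, RELATED or INVALID
    icmp_type: int = -1  # ICMP type; 8 is echo request (ping), -1 = not ICMP

@dataclass
class Rule:
    target: str              # ACCEPT or DROP
    iface: str = ""          # -i  ("" = any interface)
    proto: str = ""          # -p  ("" = any protocol)
    states: tuple = ()       # -m state --state (empty = any state)
    icmp_type: int = -1      # --icmp-type (-1 = any type)
    limit: int = 0           # -m limit, simplified to a fixed match budget
    seen: int = 0            # matches consumed from that budget

    def matches(self, p: Packet) -> bool:
        if self.iface and p.iface != self.iface: return False
        if self.proto and p.proto != self.proto: return False
        if self.states and p.state not in self.states: return False
        if self.icmp_type >= 0 and p.icmp_type != self.icmp_type: return False
        if self.limit:                   # the real -m limit is a token bucket
            if self.seen >= self.limit:  # (default --limit-burst 5); a fixed
                return False             # budget is enough to show the pattern
            self.seen += 1
        return True

def verdict(rules: list, policy: str, p: Packet) -> str:
    """Netfilter semantics: the first matching rule decides, else the policy."""
    for r in rules:
        if r.matches(p):
            return r.target
    return policy

def post4_input_chain():
    """The INPUT chain from post #4, rule for rule and in the same order."""
    rules = [
        Rule("DROP", iface="eth0", proto="tcp", states=("NEW",)),
        Rule("DROP", states=("INVALID",)),
        Rule("ACCEPT", states=("ESTABLISHED", "RELATED")),
        Rule("ACCEPT", iface="eth0", proto="icmp", icmp_type=8, limit=1),
        Rule("DROP", iface="eth0", proto="icmp", icmp_type=8),
        Rule("ACCEPT", iface="eth0", proto="icmp"),
        Rule("ACCEPT", iface="lo"),
        Rule("DROP", iface="eth0"),
    ]
    return rules, "DROP"   # -P INPUT DROP
```

Note that every interface-specific rule names eth0 only, so a NEW packet arriving on any other interface is decided purely by the DROP policy.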

  5. #5

    Re: iptables

    Wow, actually I hate myself for asking this (after all I'm a strong advocate of CLI-based systems: Novell, *nix) but I don't really have time to dig into this. I was thinking about opening the fwconfig GUI in KDE and making some rules... After all, that's what I'm doing with Checkpoint at my work :-).
    It looks like I have no choice ;D
    Anyway, thanks for the script, I'll use it on my RH 7.2.
    P.S. I was trying to BTFW and find some 'human' tutorial regarding iptables, but couldn't find any; if you've got some link then pls post it here.

  9. #9

    Re: iptables

    Here are a few rules for you... I like rejecting SYN packets with an RST rather than just dropping them. A little more fun this way.

    # Tear down connection immediately with RST
    iptables -A INPUT -i eth0 -p tcp --syn -j REJECT --reject-with tcp-reset

    # Drop new non-SYN packets
    iptables -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j DROP

    There are of course many different ways to accomplish the same goal. This link has a lot of example scripts that can give you some ideas.

    edit: oh yeah, at the bottom of that page they have links to ncurses-based or GUI-based iptables configuration tools. However, my advice is to read the iptables man page and read over a few scripts that other people have written, and in no time you'll be writing rules.

  10. #10

    Re: iptables

    "This link has a lot of example scripts that can give you some ideas."
    Good link, thanks.
    I've been stuck in the ipchains world and have been wanting to get a handle on iptables. Connection state tracking... good.
