Re: decrypting iptables?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Tim wrote:
On Sun, 2008-11-30 at 11:49 -0500, Tom Horsley wrote:
Any other less cryptic GUI options

I suppose that depends on what you mean by cryptic.  Is it the syntax of
the commands that you don't understand, or the functions that a rule
needs?

I used to set mine using a script, with a pile of iptables commands.
That made it easy to repeat (run the script again), easy to undo changes
(you can comment out things, and try variations), and much more flexible
than anybody's control GUI.  I'd run the script to change or apply the
settings.  It saved them in the place iptables loads its initial
settings, so the computer would always boot up with my configuration,
without me needing to modify anything.

Something like the following example (which dates back to when I used
dialup).  I always used the expanded, rather than abbreviated, commands;
it's easier to interpret.

#!/bin/bash

## Turn off IP forwarding while altering configuration:
## (Put it back on again, at end, if needed.)

echo 0 > /proc/sys/net/ipv4/ip_forward

## Flush any pre-existing rules:

iptables --flush INPUT
iptables --flush OUTPUT
iptables --flush FORWARD

iptables --flush
iptables --table nat --flush

iptables --delete-chain
iptables --table nat --delete-chain

## Set default (policy) rules:

iptables --policy INPUT DROP
iptables --policy OUTPUT ACCEPT
iptables --policy FORWARD ACCEPT


## Drop non-internet networking addresses on the internet connection:

iptables --append INPUT --jump DROP --in-interface ppp+ --source 192.168.0.0/16
iptables --append INPUT --jump DROP --in-interface ppp+ --source 172.16.0.0/12
iptables --append INPUT --jump DROP --in-interface ppp+ --source 10.0.0.0/8
iptables --append INPUT --jump DROP --in-interface ppp+ --source 127.0.0.0/8
iptables --append INPUT --jump DROP --in-interface ppp+ --source 169.254.0.0/16
iptables --append INPUT --jump DROP --in-interface ppp+ --source 192.0.2.0/24
iptables --append INPUT --jump DROP --in-interface ppp+ --source 204.152.64.0/23
iptables --append INPUT --jump DROP --in-interface ppp+ --source 224.0.0.0/3


## Accept some things:

iptables --append INPUT --jump ACCEPT --protocol tcp --destination-port 80
iptables --append INPUT --jump ACCEPT --protocol tcp --destination-port https

## Allow established and related outside commications to this system,
## and allow outside communications to the firewall, except for ICMP packets:
## (Could be tightened up, adding conditions about specific ports.)

iptables --append INPUT --match state --state ESTABLISHED,RELATED --in-interface ppp+ --protocol \! icmp --jump ACCEPT


## Prevent connections initiated from the outside world:
## (Can interfere with some services which connect back, later on, such as file transfers or webcams on IM programs.)

iptables --append INPUT --match state --state NEW --in-interface ppp+ --jump DROP


## Allow all local communications to and from the firewall on ETH from the local network:

iptables --append INPUT --jump ACCEPT --protocol all --in-interface eth+ --source 192.168.0.0/16

I usually just accept all the ESTABLISHED connections, and put that rule 1st or very high in the ruleset, to avoid going through lots of rules when most packets are for running TCP.

Do you have any ESTABLISHED that you wouldn't ACCEPT? I just take them all.

## Internet connection sharing:
## Set up masquerading to allow internal machines access to outside network:
#iptables --table nat --append POSTROUTING --out-interface ppp+ --jump MASQUERADE

## Turn on IP forwarding, only needed for above internet connection sharing rule:
#echo 1 > /proc/sys/net/ipv4/ip_forward


## Save iptables rules to the default iptables rules file (used at boot-up):
## (Red Hat's own /etc/init.d/iptables script looks here.)

iptables-save > /etc/sysconfig/iptables


Someone posted here that
  service iptables save
was a better way to do that, in case that name ever changes. I mention that just out of completeness, not conviction. ;-)

--
Bill Davidsen <davidsen@xxxxxxx>
  "We have more to fear from the bungling of the incompetent than from
the machinations of the wicked."  - from Slashdot

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora Magazine]     [Fedora News]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [SSH]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux