Help on this iptable script

Title: RE: Using IPTABLES, cannot go to External Interface
Hi All,
 
Sorry for asking this question again.  I have a machine with a single interface card. We want to block all incoming and outgoing packets other than on ports 21,22,23,53,80,2020,3306,8080.
 
When the default OUTPUT policy is ACCEPT everything works fine.
 
$IPT -P OUTPUT ACCEPT
 
 
If I make the default OUTPUT policy DROP, I am not able to log in using ssh, and the iptables -L command takes about 3 minutes to display the result.
 
$IPT -P OUTPUT DROP
 
What am I doing wrong? Any tips to improve this script?
 
 
Thanks
-SR
 

#!/bin/bash

#set -xv

INT="eth0"
LO="lo"
ANY="0/0"                # "Any/0" is not a valid address; 0/0 means any host
PRIVP="0:1023"
UNPRI="1024:65535"
IN_PORTS="21,22,23,53,80,2020,3306,8080"
OUT_PORTS="21,22,23,53,80,2020,3306,8080"
IPT="/sbin/iptables"

# Set the Default Policies
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD DROP

# Flush all rules, then delete the user chains (they must be empty and unreferenced)
$IPT -F
$IPT -X icmp_packets
$IPT -X tcp_packets
$IPT -X udp_packets

#Local Loopback Address
$IPT -A INPUT -i $LO -j ACCEPT
$IPT -A OUTPUT -o $LO -j ACCEPT

$IPT -N icmp_packets
$IPT -N tcp_packets
$IPT -N udp_packets

# Filter untrusted traffic
$IPT -A INPUT -i $INT -p icmp -j icmp_packets
$IPT -A INPUT -i $INT -p tcp -j tcp_packets
$IPT -A INPUT -i $INT -p udp -j udp_packets

# Trust traffic we initiated from untrusted networks.
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Log dropped traffic.
$IPT -A INPUT -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "IPT INPUT packet died: " --log-level 6

# Allow outbound traffic.
$IPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# An outbound connection goes from a local ephemeral port to the remote service
# port, so match on the destination ports; --source-ports only matched replies
# sent by local services, which the ESTABLISHED rule above already covers.
$IPT -A OUTPUT -p tcp -m multiport --destination-ports ${OUT_PORTS} -j ACCEPT
$IPT -A OUTPUT -p udp -m multiport --destination-ports ${OUT_PORTS} -j ACCEPT

# Log dropped traffic.
$IPT -A OUTPUT -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "IPT OUTPUT packet died: " --log-level 6

# Allow incoming ports
$IPT -A tcp_packets -p tcp -m multiport --destination-ports ${IN_PORTS} -j ACCEPT

## Manage the following ICMP traffic .
$IPT -A icmp_packets -p icmp -m icmp --icmp-type 0 -j ACCEPT
$IPT -A icmp_packets -p icmp -m icmp --icmp-type 3 -j ACCEPT
$IPT -A icmp_packets -p icmp -m icmp --icmp-type 5 -j ACCEPT
$IPT -A icmp_packets -p icmp -m icmp --icmp-type 11 -j ACCEPT
# Packets only reach icmp_packets from $INT, so a rule for eth1 would never match
$IPT -A icmp_packets -i $INT -p icmp -m icmp --icmp-type 8 -j ACCEPT
$IPT -A icmp_packets -i lo -p icmp -m icmp --icmp-type 8 -j ACCEPT

# Allow potentially untracked valid DNS traffic.
$IPT -A udp_packets -p udp -m udp --sport 53 -j ACCEPT
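A reworked version of the ruleset above with OUTPUT defaulting to DROP, added here as an example and not the original poster's script. The interface name and port list are assumed from the post, and setting IPT=echo prints the rules instead of loading them:

```shell
#!/bin/bash
# Added example: OUTPUT policy DROP, with outbound connections matched on
# their destination port. Set IPT=echo to dry-run (print instead of load).
set -eu
IPT="${IPT:-/sbin/iptables}"
INT="${INT:-eth0}"                                   # assumed from the post
PORTS="${PORTS:-21,22,23,53,80,2020,3306,8080}"      # assumed from the post

load_rules() {
    # Flush first, then set policies, so a re-run starts from a clean state.
    $IPT -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP

    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # Conntrack rules go first: replies to anything already allowed pass in
    # both directions, so only NEW connections need explicit rules below.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Inbound services: match the destination port of the NEW connection.
    $IPT -A INPUT -i $INT -p tcp -m state --state NEW -m multiport --dports $PORTS -j ACCEPT
    $IPT -A INPUT -i $INT -p udp -m state --state NEW --dport 53 -j ACCEPT

    # Outbound clients connect FROM an ephemeral port TO the service port, so
    # the filter must be --dports; --source-ports never matches a NEW outbound
    # connection, which is also why DNS lookups stall under OUTPUT DROP.
    $IPT -A OUTPUT -o $INT -p tcp -m state --state NEW -m multiport --dports $PORTS -j ACCEPT
    $IPT -A OUTPUT -o $INT -p udp -m state --state NEW --dport 53 -j ACCEPT

    # Answer and send pings; ICMP errors for tracked flows are RELATED.
    $IPT -A INPUT -i $INT -p icmp --icmp-type echo-request -j ACCEPT
    $IPT -A OUTPUT -o $INT -p icmp --icmp-type echo-request -j ACCEPT

    # Log what the default policies are about to drop.
    $IPT -A INPUT -m limit --limit 3/min -j LOG --log-prefix "IPT INPUT drop: "
    $IPT -A OUTPUT -m limit --limit 3/min -j LOG --log-prefix "IPT OUTPUT drop: "
}

# Listing with -n skips reverse DNS, so it does not hang when DNS is blocked.
show_rules() { $IPT -nvL; }
```

Run `IPT=echo ./script.sh` style dry-runs before loading on a remote box, and use `show_rules` (or `iptables -nL`) rather than a bare `iptables -L` when checking the result.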
