Re: Help on this iptable script

Change the rules order to:

$IPT -N tcp_packets
....more stuff...

$IPT -A tcp_packets -p tcp -m multiport --destination-ports ${IN_PORTS} -j ACCEPT
...more stuff...

$IPT -A INPUT -i eth0 -p tcp -j tcp_packets
...more stuff

instead of:

$IPT -N tcp_packets
....more stuff...

$IPT -A INPUT -i eth0 -p tcp -j tcp_packets
...more stuff

$IPT -A tcp_packets -p tcp -m multiport --destination-ports ${IN_PORTS} -j ACCEPT
...more stuff...

HTH



---original message---

Hi All,
 
Sorry for asking this question again.  I have a machine with a single interface
card. We want to block all incoming and outgoing packets other than on ports
21,22,23,53,80,2020,3306,8080.
 
When the default OUTPUT policy is ACCEPT everything is working fine.
 
$IPT -P OUTPUT ACCEPT
 
 
If I make the default OUTPUT policy DROP, I was not able to log in using ssh;
also, the iptables -L command takes about 3 minutes to display the result.
 
$IPT -P OUTPUT DROP
 
What am I doing wrong? Any tips to improve this script?
 
 
Thanks
-SR
 
#!/bin/bash

#set -xv

INT="eth0"
LO="lo"
ANY="Any/0"
PRIVP="0:1023"
UNPRI="1024:65535"
IN_PORTS="21,22,23,53,80,2020,3306,8080"
OUT_PORTS="21,22,23,53,80,2020,3306,8080"
IPT="/sbin/iptables"

# Set the Default Policies
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD DROP

$IPT -F
$IPT -X icmp_packets
$IPT -X tcp_packets
$IPT -X udp_packets

#Local Loopback Address
$IPT -A INPUT -i $LO -j ACCEPT
$IPT -A OUTPUT -o $LO -j ACCEPT

$IPT -N icmp_packets
$IPT -N tcp_packets
$IPT -N udp_packets

# Filter untrusted traffic
$IPT -A INPUT -i eth0 -p icmp -j icmp_packets
$IPT -A INPUT -i eth0 -p tcp -j tcp_packets
$IPT -A INPUT -i eth0 -p udp -j udp_packets

# Trust traffic we initiated from untrusted networks.
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Log dropped traffic.
$IPT -A INPUT -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "IPT INPUT packet died: " --log-level 6

# Allow outbound traffic.
$IPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p tcp -m multiport --source-ports ${OUT_PORTS} -j ACCEPT
$IPT -A OUTPUT -p udp -m multiport --source-ports ${OUT_PORTS} -j ACCEPT

# Log dropped traffic.
$IPT -A OUTPUT -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "IPT OUTPUT packet died: " --log-level 6

# Allow incoming ports
$IPT -A tcp_packets -p tcp -m multiport --destination-ports ${IN_PORTS} -j ACCEPT

## Manage the following ICMP traffic.
$IPT -A icmp_packets -p icmp -m icmp --icmp-type 0 -j ACCEPT
$IPT -A icmp_packets -p icmp -m icmp --icmp-type 3 -j ACCEPT
$IPT -A icmp_packets -p icmp -m icmp --icmp-type 5 -j ACCEPT
$IPT -A icmp_packets -p icmp -m icmp --icmp-type 11 -j ACCEPT
$IPT -A icmp_packets -i eth1 -p icmp -m icmp --icmp-type 8 -j ACCEPT
$IPT -A icmp_packets -i lo -p icmp -m icmp --icmp-type 8 -j ACCEPT

# Allow potentially untracked valid DNS traffic.
$IPT -A udp_packets -p udp -m udp --sport 53 -j ACCEPT
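As an added example (neither the poster's script nor the reply's), here is the same port policy rearranged so that OUTPUT can safely default to DROP: the posted OUTPUT rules match `--source-ports`, but a connection the host itself opens (a DNS lookup, for instance) starts from an ephemeral source port, so once OUTPUT drops by default no new outbound flow is ever accepted; matching on the destination port fixes that, and accepting ESTABLISHED,RELATED early in both chains keeps inbound SSH answered. The port lists and eth0 are copied from the post; the `load_rules` function and the APPLY switch are my own additions.

```shell
#!/bin/bash
# Added example, not the poster's script: the same port policy rewritten so
# that OUTPUT can default to DROP. Port lists and interface are taken from the post.
IN_PORTS="21,22,23,53,80,2020,3306,8080"
OUT_PORTS="21,22,23,53,80,2020,3306,8080"
INT="eth0"

load_rules() {
    local IPT="${1:-/sbin/iptables}"   # pass "echo" to preview instead of apply
    # 1. Start open and flush, so a remote session survives a reload; the DROP
    #    policies are set last, once the accept rules are in place.
    $IPT -P INPUT ACCEPT
    $IPT -P OUTPUT ACCEPT
    $IPT -P FORWARD ACCEPT
    $IPT -F
    $IPT -X

    # 2. Loopback, then replies to tracked connections, first in both directions:
    #    the packets answering a new inbound SSH session are ESTABLISHED.
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT  -m state --state INVALID -j DROP

    # 3. New inbound connections and pings, matched on the destination port.
    $IPT -A INPUT -i "$INT" -p tcp -m state --state NEW -m multiport --dports "$IN_PORTS" -j ACCEPT
    $IPT -A INPUT -i "$INT" -p icmp --icmp-type 8 -m limit --limit 5/s -j ACCEPT

    # 4. New outbound flows, also matched on the DESTINATION port: --source-ports
    #    (as in the post) never matches a SYN the host sends from an ephemeral port.
    $IPT -A OUTPUT -o "$INT" -p tcp -m state --state NEW -m multiport --dports "$OUT_PORTS" -j ACCEPT
    $IPT -A OUTPUT -o "$INT" -p udp --dport 53 -m state --state NEW -j ACCEPT

    # 5. Rate-limited logging of everything else, then the DROP defaults.
    $IPT -A INPUT  -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "IPT INPUT packet died: " --log-level 6
    $IPT -A OUTPUT -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "IPT OUTPUT packet died: " --log-level 6
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP
}

# Preview by default; APPLY=1 runs the real binary (needs root).
if [ "${APPLY:-0}" = "1" ]; then
    load_rules /sbin/iptables
else
    load_rules echo
fi
```

After loading, `iptables -L -n -v` lists the result without the name lookups that stall when outbound DNS is blocked.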

 



