as a really low-level iptables intro i'm giving this monday, i'm going to show and explain something like the following. it's deliberately simplified as i have only about a half hour, but i'm interested in whether anyone here has any kind of visceral reaction to this configuration -- whether i'm suggesting anything violently insecure or anything like that. (i've removed a lot of preliminary variable setting, just wanting to show the salient stuff.)

------------------------

ALLOWED_INCOMING_SERVICES="ssh http"
DISALLOWED_OUTGOING_SERVICES="telnet"

#######################################################
# Set the chain policies.
#######################################################

$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT    # Purists probably hate this.

#######################################################
# Start with some REALLY basic rules.
#######################################################

$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

#######################################################
# Kill really bad outgoing services.
#######################################################

for s in $DISALLOWED_OUTGOING_SERVICES ; do
    $IPT -A OUTPUT -p tcp --dport $s -j DROP
done

#######################################################
# Allow a very small set of incoming services.
#######################################################

for s in $ALLOWED_INCOMING_SERVICES ; do
    $IPT -A INPUT -p tcp -s 192.168.1.0/24 --dport $s -j ACCEPT
done

------------------------------

yes, it could be fancier, but it's meant to be a starting point for total newbies. thoughts?

rday
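An added example, not from the post above: the same policy emitted as an iptables-restore ruleset, with a second "strict" mode that turns the OUTPUT default the post flags for purists into DROP plus an explicit egress allow-list. The ALLOWED_OUTGOING_* lists, TRUSTED_NET and the function names are assumptions.

```sh
#!/bin/sh
# Added example, not from the original post: emit the posted policy as an
# iptables-restore ruleset. MODE "permissive" keeps OUTPUT ACCEPT as posted;
# "strict" is the default-deny egress variant the "purists" comment hints at.
# ALLOWED_OUTGOING_*, TRUSTED_NET and the function names are assumptions.
ALLOWED_INCOMING_SERVICES="ssh http"
DISALLOWED_OUTGOING_SERVICES="telnet"
ALLOWED_OUTGOING_TCP="domain http https"   # strict mode only (assumed list)
ALLOWED_OUTGOING_UDP="domain ntp"          # strict mode only (assumed list)
TRUSTED_NET="192.168.1.0/24"

r() { printf '%s\n' "$1"; }   # one rule line; printf avoids echo's option parsing

build_rules() {
    mode=${1:-permissive}
    if [ "$mode" = strict ]; then out_policy=DROP; else out_policy=ACCEPT; fi
    r "*filter"
    r ":INPUT DROP [0:0]"
    r ":FORWARD DROP [0:0]"
    r ":OUTPUT $out_policy [0:0]"
    r "-A INPUT -i lo -j ACCEPT"
    r "-A OUTPUT -o lo -j ACCEPT"
    # -m conntrack --ctstate is the current spelling of -m state --state.
    # Dropping INVALID first keeps malformed packets away from the later rules.
    r "-A INPUT -m conntrack --ctstate INVALID -j DROP"
    r "-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
    r "-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
    # These sit after the ESTABLISHED accept, so they only ever hit NEW flows.
    for s in $DISALLOWED_OUTGOING_SERVICES; do
        r "-A OUTPUT -p tcp --dport $s -j DROP"
    done
    # Only NEW connections from the trusted LAN reach the listed services.
    for s in $ALLOWED_INCOMING_SERVICES; do
        r "-A INPUT -p tcp -s $TRUSTED_NET --dport $s -m conntrack --ctstate NEW -j ACCEPT"
    done
    if [ "$mode" = strict ]; then
        for s in $ALLOWED_OUTGOING_TCP; do
            r "-A OUTPUT -p tcp --dport $s -m conntrack --ctstate NEW -j ACCEPT"
        done
        for s in $ALLOWED_OUTGOING_UDP; do
            r "-A OUTPUT -p udp --dport $s -j ACCEPT"
        done
    fi
    r "COMMIT"
}

# Usage: sh this_script.sh strict | iptables-restore   (prints nothing with no mode)
if [ $# -gt 0 ]; then build_rules "$1"; fi
```

Piping the output through `iptables-restore --test` first checks the syntax without touching the live tables.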