Re: thoughts on a newbie tutorial i'll be giving shortly


 



On Thu, 30 Oct 2003 07:30:47 -0500 (EST), 
"Robert P. J. Day" <rpjday@xxxxxxxxxxxxxx> wrote in message 
<Pine.LNX.4.44.0310300725550.18040-100000@xxxxxxxxxxxxxxxxxxxxx>:

> 
>   as a really low-level iptables intro i'm giving this monday,
> i'm going to show and explain something like the following.
> it's deliberately simplified as i have only about a half hour,
> but i'm interested in whether anyone here has any kind of 
> visceral reaction to this configuration -- whether i'm suggesting
> anything violently insecure or anything like that.  (i've removed
> a lot of preliminary variable setting, just wanting to show the
> salient stuff.)
> 
> ------------------------
> 
> ALLOWED_INCOMING_SERVICES="ssh http"
> DISALLOWED_OUTGOING_SERVICES="telnet"
> 
> #######################################################
> # Set the chain policies.
> #######################################################
> 
> $IPT -P INPUT DROP
> $IPT -P FORWARD DROP
> $IPT -P OUTPUT ACCEPT	# Purists probably hate this.
> 
> 
> #######################################################
> # Start with some REALLY basic rules.
> #######################################################
> 
> $IPT -A INPUT -i lo -j ACCEPT
> $IPT -A OUTPUT -o lo -j ACCEPT
> 
> $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> $IPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> 
> #######################################################
> # Kill really bad outgoing services.
> #######################################################
> 
> for s in $DISALLOWED_OUTGOING_SERVICES ; do
> 	$IPT -A OUTPUT -p tcp --dport $s -j DROP
> done

.."-j DROP" times out boxes in your LAN; you may want "-j REJECT".
 
> #######################################################
> # Allow a very small set of incoming services.
> #######################################################
> 
> for s in $ALLOWED_INCOMING_SERVICES ; do
> 	$IPT -A INPUT -p tcp -s 192.168.1.0/24 --dport $s -j ACCEPT
> done
> 
> ------------------------------
> 
>   yes, it could be fancier, but it's meant to be a starting
> point for total newbies.  
> 
>   thoughts?
> 
> rday
> 
> 


-- 
..med vennlig hilsen = with Kind Regards from Arnt... ;-)
...with a number of polar bear hunters in his ancestry...
  Scenarios always come in sets of three: 
  best case, worst case, and just in case.
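The ruleset quoted above, as an added example that is not part of the thread: it restores the variable setup the original post left out and changes the outgoing block from DROP to REJECT with a TCP reset, so a LAN client that tries telnet gets "connection refused" at once instead of hanging until its connect() times out. The LAN range is the one from the post; the `/sbin/iptables` path and the `--apply` flag are assumptions of this example. Run it with no arguments to print the commands (no root needed); run it as root with `--apply` to load them.

```shell
#!/bin/sh
# Added example, not the poster's script.  Set IPT=echo (the default when
# not applying) to preview the iptables commands without root.

IPT="${IPT:-/sbin/iptables}"       # assumed path; adjust for your distro
LAN="192.168.1.0/24"               # range from the original post
ALLOWED_INCOMING_SERVICES="ssh http"
DISALLOWED_OUTGOING_SERVICES="telnet"

# Emit the whole ruleset through $IPT.  With IPT=echo this only prints
# the commands, which is the cheapest review step before running as root.
apply_rules() {
    # Flush, then default policies: drop inbound and forwarded traffic,
    # allow outbound (the "purists hate this" choice from the post).
    $IPT -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback and stateful return traffic in both directions.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT  -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    # Disallowed outgoing services: REJECT with a TCP RST instead of DROP,
    # so the local client fails immediately rather than waiting for a
    # timeout.  --reject-with tcp-reset is only valid on -p tcp rules.
    for s in $DISALLOWED_OUTGOING_SERVICES; do
        $IPT -A OUTPUT -p tcp --dport "$s" -j REJECT --reject-with tcp-reset
    done

    # Allowed incoming services: LAN sources only, new connections only
    # (return packets are already covered by the ESTABLISHED rule above).
    for s in $ALLOWED_INCOMING_SERVICES; do
        $IPT -A INPUT -p tcp -s "$LAN" --dport "$s" -m state --state NEW -j ACCEPT
    done
}

# Sanity check on the previewed ruleset: how many rules jump to a given
# target, e.g. count_target REJECT -> 1, count_target ACCEPT -> 6.
count_target() {
    ( IPT=echo; apply_rules ) | grep -c -- "-j $1" || true
}

if [ "${1:-}" = "--apply" ]; then
    apply_rules                      # needs root and a real iptables
else
    ( IPT=echo; apply_rules )        # preview only
fi
```

Service names such as `ssh` and `telnet` are resolved through /etc/services, exactly as in the original script. On current kernels `-m state` is kept as an alias for `-m conntrack --ctstate`, so the rules above still load unchanged; the REJECT target must be loaded as a module on some distributions, which `iptables` does for you when the rule is added.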


