On 31 Oct 2003, Chris Brenton wrote:

> On Fri, 2003-10-31 at 07:26, Robert P. J. Day wrote:
> >
> > for the iptables tutorial i was talking about that i'm giving on monday,
> > here's the first part of my script, just to show folks what they can do:
>
> This is *totally* cool. Thank you for sharing this with the list! :)
>
> The only thing I would add would be:
> iptables -F INPUT
> iptables -F OUTPUT
> iptables -F FORWARD
> iptables --table nat --flush
>
> or whatever you need. This way you can run it from the command line and
> clear out all existing rules before you write everything back in.

ah, grasshopper, i didn't show you the other two scripts i'm going to demo.

first, there's the lockdown script, to be run if you realize you've been hacked:

---------------------------------------------------------
#!/bin/sh
# PANIC! Lock the machine down.

IPT="/sbin/iptables"

# Flush all chains.
$IPT -F               # by default filter
$IPT -t nat -F
$IPT -t mangle -F

# Delete all user-defined chains.
for table in filter nat mangle ; do
    $IPT -t $table -X
done

# Reset all policies to DROP.
for chain in INPUT OUTPUT FORWARD ; do
    $IPT -P $chain DROP
done

echo "System totally locked down."
-----------------------------------------------------------

and then there's the "clear all" script, which you would run if you made a total mess of your rules and just want to clear them out:

----------------------------------------------------------
#!/bin/sh
# PANIC! We've screwed up our tables.

IPT="/sbin/iptables"

# Flush all chains.
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F

# Delete all user-defined chains.
for table in filter nat mangle ; do
    $IPT -t $table -X
done

# Reset all policies to ACCEPT.
for chain in INPUT OUTPUT FORWARD ; do
    $IPT -P $chain ACCEPT
done

echo "System totally open, you are now fair game."
-------------------------------------------------

the tutorial will suggest that users can incorporate the above in their main script any way they want.

rday
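An added check, not part of rday's post or his scripts: after running the lockdown script, confirm from iptables-save output that every filter chain really has a DROP policy and that no rules or user-defined chains survived (a leftover ACCEPT policy or a stray rule is exactly what a panicked operator misses). The two sample tables embedded below are constructed; the only tool assumed is iptables-save.

```shell
#!/bin/sh
# Added example (not from the original post): verify that the lockdown
# script took effect by inspecting iptables-save output. Samples are constructed.
# check_lockdown: read iptables-save text on stdin, print every deviation
# from the locked-down state, return 0 only if none were found.
check_lockdown() {
    awk '
        /^\*/ { table = substr($0, 2); next }        # "*filter" -> current table
        /^:/  {                                       # ":CHAIN POLICY [pkts:bytes]"
            chain = substr($1, 2)
            if (table == "filter" && (chain == "INPUT" || chain == "OUTPUT" || chain == "FORWARD")) {
                seen[chain] = 1
                if ($2 != "DROP") { print "policy of " chain " is " $2 ", not DROP"; bad = 1 }
            } else if ($2 == "-") {                   # "-" marks a user-defined chain
                print "user-defined chain " chain " still exists in table " table; bad = 1
            }
            next
        }
        /^-A / { print "rule still present in table " table ": " $0; bad = 1 }
        END {
            split("INPUT OUTPUT FORWARD", need, " ")
            for (i in need) if (!seen[need[i]]) { print "filter chain " need[i] " not found"; bad = 1 }
            exit (bad ? 1 : 0)
        }
    '
}

# Constructed iptables-save output after a successful lockdown.
locked_sample() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
COMMIT
EOF
}

# Constructed output where the lockdown was incomplete: one ACCEPT policy,
# one user-defined chain and one rule were left behind.
leaky_sample() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
:trusted - [0:0]
-A INPUT -i lo -j ACCEPT
COMMIT
EOF
}
```

On a live host run `iptables-save | check_lockdown` as root from the console, since DROP policies on INPUT and OUTPUT will cut off any remote session.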