On Wednesday 14 April 2004 3:52 am, Luis GUSTAVO wrote:

> I want to turn off all connections and ports in my machine

iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP

will do that for you.

> and after I want to turn on only what I need, do you understand me?

iptables -A INPUT -p tcp --dport xyz -j ACCEPT

will enable a service which is running on the machine with the rules, and

iptables -A FORWARD -d a.b.c.d -p tcp --dport xyz -j ACCEPT

will enable forwarding packets to some other machine.

Obviously you will need to add the standard ESTABLISHED,RELATED rules for
connection tracking replies etc, however the above is a start.

> thank you

I also recommend that you read some of the documentation at
http://www.netfilter.org/documentation, and Oskar Andreasson's tutorial at
http://iptables-tutorial.frozentux.net

Hope this helps,

Antony.

PS: Please don't top-post, and please reply to the list.

> Antony Stone <Antony@xxxxxxxxxxxxxxxxxxxx> wrote:
>
> On Tuesday 13 April 2004 10:28 pm, Luis GUSTAVO wrote:
> > Hi,
> >
> > I'm looking for a script for my ADSL connection.
>
> Er, that's not a very helpful description, but anyway...
>
> > I found this
> >
> > iptables -F
> > iptables -P INPUT DROP
> > iptables -P OUTPUT DROP
> > iptables -P FORWARD DROP
> > iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> > iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT
> > iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
> > iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
>
> Hmmm. Looks like one of mine :)
>
> > when I applied these rules, my machine's clients don't know how to access my
> > machine.
>
> I tell you what - you let us know what you'd like your firewall to do, and
> we might be able to help you.
>
> If you don't tell us what your network setup is, and what you want your
> firewall to do for you, we might not be able to suggest the perfect ruleset
> for your needs.
>
> I *did* say when I posted the above ruleset that it allowed me to access
> *from* the machine the rules were running on *to* other systems by SSH, and
> blocked *all access in to my machine* (which is what I consider to be
> secure).
>
> Therefore the fact that after you've applied these rules to your machine,
> your clients can't access the system, suggests that the ruleset is working
> correctly.
>
> Tell us what you'd like to be different (and preferably tell us what you've
> tried yourself and had problems with) and we'll see what we can do to help.
>
> Regards,
>
> Antony

-- 
"Linux is going to be part of the future. It's going to be like Unix was."
 - Peter Moore, Asia-Pacific general manager, Microsoft
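The "lock everything down, then open only what you need" sequence from the reply above, written up as a script. This is an added example, not a script from the thread or from Antony; the dry-run via the IPT variable, the chosen ports and the forward destination 192.0.2.10 are assumptions for illustration.

```shell
#!/bin/sh
# Added example: default-deny INPUT/FORWARD, then open listed services.
# IPT defaults to a dry run that prints each command; run with IPT=iptables
# (as root) to apply the rules for real.
IPT="${IPT:-echo iptables}"

# lockdown: flush, then default-deny inbound and forwarded traffic.
# OUTPUT stays ACCEPT so the host itself can still reach DNS, updates etc.
lockdown() {
    $IPT -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    # Replies to connections this host (or a forwarded client) started must
    # be accepted BEFORE any service rule; without this, an SSH session used
    # to apply the rules hangs the moment the policy flips to DROP.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Local processes talking to each other over loopback.
    $IPT -A INPUT -i lo -j ACCEPT
}

# allow_in PROTO PORT: open one service listening on this host.
allow_in() {
    $IPT -A INPUT -p "$1" --dport "$2" -m state --state NEW -j ACCEPT
}

# allow_forward DEST PROTO PORT: let new connections be forwarded to another host.
allow_forward() {
    $IPT -A FORWARD -d "$1" -p "$2" --dport "$3" -m state --state NEW -j ACCEPT
}

# ruleset: the complete sequence; in dry-run mode its output is the rule list.
ruleset() {
    lockdown
    allow_in tcp 22                  # SSH into this host
    allow_in udp 53                  # a DNS server running here
    allow_forward 192.0.2.10 tcp 80  # constructed address of an internal web server
}
```

Run it once in dry-run mode and read the order of the printed rules before applying them over a remote session.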