Re: iptables on Satellite receive only linux PC


 



These are the default values. It still doesn't work. Can anyone kindly go
through my script and tell me the mistake I am making? This is a Linux PC with
a receive-only pentanet card.

Thanks for all the help.
IPTABLES="/sbin/iptables"
IP1=212.15.150.9
#

#
$IPTABLES -F
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -F -t mangle
$IPTABLES -F -t nat
$IPTABLES -X
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP
#

#
# silent       - Just drop the packet
# tcpflags     - Log packets with bad flags, most likely an attack
# firewalled   - Log packets that we refuse, possibly from an attack
#
$IPTABLES -N silent
$IPTABLES -A silent -j DROP

$IPTABLES -N tcpflags
$IPTABLES -A tcpflags -m limit --limit 15/minute -j LOG --log-prefix TCPflags:
$IPTABLES -A tcpflags -j DROP

$IPTABLES -N firewalled
$IPTABLES -A firewalled -m limit --limit 15/minute -j LOG --log-prefix Firewalled:
$IPTABLES -A firewalled -j DROP
#
# These are all TCP flag combinations that should never, ever, occur in the
# wild. All of these are illegal combinations that are used to attack a box
# in various ways.
#
$IPTABLES -A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT
# the above line will allow traffic from loopback interface
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j tcpflags
#
# Allow selected ICMP types and drop the rest.
#
$IPTABLES -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 3 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 11 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
$IPTABLES -A INPUT -p icmp -j firewalled
#
# The loopback interface is inherently trustworthy. Don't disable it or
# a number of things will break.
#
$IPTABLES -A INPUT -i lo -j ACCEPT
#
# Now allow Internet hosts access to those services we provide. Note that
# enabling inbound FTP 20 & 21 tcp will also require allowing ports
# 1024-65534/tcp. Which in itself is good enough reason not to allow FTP
# connections and to only allow ssh/scp/sftp.
#
# Allow ssh from anywhere to this server
#
$IPTABLES -A INPUT -p tcp -s 0/0 --dport 22 -j ACCEPT
#
# HTTP access from anywhere
#
$IPTABLES -A INPUT -p tcp -s 0/0 --dport 80 -j ACCEPT
$IPTABLES -A INPUT -p tcp -s 0/0 --dport 443 -j ACCEPT
$IPTABLES -A INPUT -p tcp -s 0/0 --dport 25 -j ACCEPT
$IPTABLES -A INPUT -p tcp -s 0/0 --dport 53 -j ACCEPT
$IPTABLES -A INPUT -p udp -s 0/0 --dport 53 -j ACCEPT
$IPTABLES -A INPUT -p tcp -s 0/0 --dport 123 -j ACCEPT
$IPTABLES -A INPUT -p udp -s 0/0 --dport 123 -j ACCEPT
#
#
$IPTABLES -A FORWARD -i pentanet0 -p tcp --dport 80 -j ACCEPT
$IPTABLES -A FORWARD -i pentanet0 -p tcp --dport 443 -j ACCEPT
$IPTABLES -A FORWARD -i pentanet0 -p tcp --dport 25 -j ACCEPT
$IPTABLES -A FORWARD -i pentanet0 -p tcp --dport 53 -j ACCEPT
$IPTABLES -A FORWARD -i pentanet0 -p udp --dport 53 -j ACCEPT
$IPTABLES -A FORWARD -i pentanet0 -p udp --dport 123 -j ACCEPT
$IPTABLES -A FORWARD -i pentanet0 -p tcp --dport 123 -j ACCEPT
#
# If there are trusted nodes you can allow them access to everything with
# something like. Be sure to set IP at the top of this script if you enable one
# of these.
#
#$IPTABLES -A INPUT -s 10.0.0.0/24 -d $IP1 -j ACCEPT

#
# Allow packets that are part of an established connection to pass
# through the firewall. This is required for normal Internet activity
# by inside clients.
#
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Anything not already matched gets firewalled and logged.
#
$IPTABLES -A INPUT -j firewalled

>Actually assuming that the satellite card is pentanet0 you want

>echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
>echo 1 > /proc/sys/net/ipv4/conf/pentanet0/rp_filter

>To only turn off spoofing protection on the one interface.
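A way to check which interfaces actually have spoofing protection (rp_filter) in force after writing to the /proc entries mentioned above, as an added example that is not part of the original message. It assumes a current kernel, where the value applied to an interface is the higher of conf/all/rp_filter and the interface's own rp_filter; the function names and the sample tree (interfaces pentanet0 and ppp0) are constructed for illustration.

```shell
#!/bin/sh
# Added example: report the effective reverse-path filter mode per interface.
# Assumption: the kernel applies max(conf/all/rp_filter, conf/<iface>/rp_filter).

# Print the effective rp_filter value for interface $1.
# $2 is the conf directory (defaults to the live /proc tree).
effective_rp_filter() {
    root=${2:-/proc/sys/net/ipv4/conf}
    [ -r "$root/all/rp_filter" ] && [ -r "$root/$1/rp_filter" ] || return 2
    all=$(cat "$root/all/rp_filter")
    ifc=$(cat "$root/$1/rp_filter")
    if [ "$all" -gt "$ifc" ]; then echo "$all"; else echo "$ifc"; fi
}

# Print "<iface> <mode>" for every interface under the conf directory $1.
rp_filter_report() {
    root=${1:-/proc/sys/net/ipv4/conf}
    for d in "$root"/*/; do
        name=$(basename "$d")
        # "all" and "default" are settings templates, not interfaces.
        case $name in all|default) continue ;; esac
        v=$(effective_rp_filter "$name" "$root") || continue
        case $v in
            0) mode=off ;;      # no source validation
            1) mode=strict ;;   # reply route must use the receiving interface
            2) mode=loose ;;    # source must be reachable via any interface
            *) mode=unknown ;;
        esac
        echo "$name $mode"
    done
}

# Build a constructed sample conf tree so the check can be tried offline.
# Prints the path of the temporary directory it created.
make_sample_tree() {
    t=$(mktemp -d)
    for spec in all:0 default:0 pentanet0:0 ppp0:1; do
        mkdir -p "$t/${spec%%:*}"
        echo "${spec##*:}" > "$t/${spec%%:*}/rp_filter"
    done
    echo "$t"
}
```

Calling `rp_filter_report` with no argument reads the live /proc tree; on a receive-only link the interface that receives the replies is the one whose mode matters.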



