Volkm@r wrote:
Georgi Alexandrov wrote:About the ICMP - it's good (my opinion) to let at least those three icmp types so we have proper network functions.
something like this:
######################### start ###########################
iptables -F iptables -X iptables -Z iptables -t nat -F iptables -t nat -X iptables -t nat -Z iptables -t mangle -F iptables -t mangle -X iptables -t mangle -Z
iptables -P INPUT DROP iptables -P FORWARD DROP iptables -P OUTPUT ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -i lo -j ACCEPT iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT iptables -A INPUT -p icmp --icmp-type 12 -j ACCEPT iptables -A INPUT -p tcp --syn --dport 113 -j REJECT --reject-with tcp-reset
############################# end #################################
I think the above ruleset is sufficient. If you have any questions about it - just ask.
regards, Georgi Alexandrov
Hi Georgi, Thanks a lot for your fast response. Now it looks much easier to understand. Now I have two more questions.
1. What is the advantage of putting those "-p icmp" rules? 2. How could I add logging (fore some time, to see what's going on)?
Thanks again Volkm@r
reference: http://www.faqs.org/docs/iptables/icmptypes.html
About the logging - If you want for example to log all the auth requests (tcp/113) made to your machine, we will put the following rule above the -j REJECT one:
iptables -A INPUT -p tcp --syn --dport 113 -j LOG --log-prefix "Auth Request" iptables -A INPUT -p tcp --syn --dport 113 -j REJECT --reject-with tcp-reset
This way we will have all auth requests logged and then rejected.
You can examine the example rc.firewall script at iptables-tutorial.frozentux.net for some more logging examples.
regards, Georgi Alexandrov
