I need to run the script again after the IP address supplied by the
cable modem is changed to the Comcast address. Is there a way to supply the
new address automatically? Besides that, it works OK.
What would be the most paranoid host-based iptables ruleset you can have and
still get access to the web and DHCP and whatever else those two things
need?
#!/bin/sh
# Host-based ruleset: drop everything by default and allow only packets that
# belong to connections this host started, to and from the eth0 address.
IPT='/sbin/iptables'
IN='-A INPUT'
OUT='-A OUTPUT'
ALLOW='-j ACCEPT'
BLOCK='-j DROP'
STATE='-m state --state'
# Current address on eth0 (the one the cable modem / Comcast hands out).
EXTADDR=`ifconfig eth0 | awk '/inet addr/ { gsub(".*:", "", $2) ; print $2 }'`
# With an empty address the -s/-d rules below are malformed; bail out
# rather than load a half-built set.
if [ -z "$EXTADDR" ]; then
    echo "eth0 has no address yet" >&2
    exit 1
fi
$IPT -F
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP
# Inbound: no new or invalid connections, only replies to our own.
$IPT $IN $STATE INVALID,NEW $BLOCK
$IPT $IN $STATE ESTABLISHED -i eth0 -d $EXTADDR ! -s $EXTADDR $ALLOW
$IPT $IN $BLOCK
# Outbound: anything we start, as long as it leaves via eth0 from our address.
$IPT $OUT $STATE INVALID $BLOCK
$IPT $OUT $STATE NEW,ESTABLISHED -o eth0 -s $EXTADDR ! -d $EXTADDR $ALLOW
$IPT $OUT $BLOCK
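As an added example (not the poster's script), one way to stop re-running the script by hand after the lease changes: an ISC dhclient exit hook that rebuilds the same ruleset around the address dhclient just received. It assumes the hook variables dhclient exports ($reason, $interface, $new_ip_address, $old_ip_address); the install path in the comment is an assumption and varies by distribution.

```shell
#!/bin/sh
# Added example: dhclient exit hook that reapplies the host ruleset when the
# lease address changes. Assumed install path (differs per distribution):
#   /etc/dhcp/dhclient-exit-hooks.d/iptables-reload
# dhclient-script sources this file with $reason, $interface,
# $new_ip_address and $old_ip_address set.

IPT=/sbin/iptables

# Decide whether a lease event needs the rules rebuilt. Succeeds only for
# events that (re)assign an address, and only when the address actually
# changed, so a RENEW of the same lease leaves the tables alone.
needs_reload() {
    _reason=$1; _old=$2; _new=$3
    case $_reason in
        BOUND|REBOOT|REBIND|RENEW) ;;
        *) return 1 ;;
    esac
    [ -n "$_new" ] || return 1
    [ "$_old" != "$_new" ]
}

# Rebuild the poster's ruleset around the supplied address instead of
# scraping ifconfig; the drop-by-default shape is unchanged.
apply_rules() {
    _if=$1; _addr=$2
    $IPT -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP
    $IPT -A INPUT  -m state --state INVALID,NEW -j DROP
    $IPT -A INPUT  -m state --state ESTABLISHED -i "$_if" -d "$_addr" ! -s "$_addr" -j ACCEPT
    $IPT -A INPUT  -j DROP
    $IPT -A OUTPUT -m state --state INVALID -j DROP
    $IPT -A OUTPUT -m state --state NEW,ESTABLISHED -o "$_if" -s "$_addr" ! -d "$_addr" -j ACCEPT
    $IPT -A OUTPUT -j DROP
}

# Only act when sourced by dhclient for eth0 (it sets $reason); sourcing the
# file elsewhere just defines the functions.
if [ -n "${reason:-}" ] && [ "${interface:-}" = eth0 ]; then
    if needs_reload "$reason" "${old_ip_address:-}" "${new_ip_address:-}"; then
        apply_rules "$interface" "$new_ip_address"
        logger -t iptables-reload "rules rebuilt for $interface $new_ip_address"
    fi
fi
```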