Reid wrote:
I am brand new to iptables, and I want to set up a basic firewall for a dedicated web server. I'm
accessing the server remotely, and already locked myself out once.
I've come up with the configuration below, but feel like I don't know what I'm doing. Does the
following look reasonable? Am I overlooking anything major? Thank you for input.
Nope.. This is NOT reasonable...
You have set the first rule in your INPUT chain to ACCEPT everything
from anywhere... :D
The following rules will never get hit!!!
Try the "iptables -vnL" command to see it !!!
The last rule is also "useless" because your DEFAULT POLICY is DROP.
On the other hand, without those two rules it seems ok... (Depending on
what you want to achieve...) :D
Just to guide you:
1. I would enable the lo interface to ACCEPT everything...
2. Accept anything that is ESTABLISHED or RELATED
3. I would group the rules by protocol...
Swifty
iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             tcp flags:ACK/ACK
ACCEPT     all  --  anywhere             anywhere             state ESTABLISHED
ACCEPT     all  --  anywhere             anywhere             state RELATED
ACCEPT     udp  --  anywhere             anywhere             udp spt:domain dpts:1024:65535
ACCEPT     icmp --  anywhere             anywhere             icmp echo-reply
ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere             icmp source-quench
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere             icmp parameter-problem
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:www
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:auth
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:10000
DROP       tcp  --  anywhere             anywhere             tcp dpts:2049:2050
DROP       tcp  --  anywhere             anywhere             tcp dpts:x11:6063
DROP       tcp  --  anywhere             anywhere             tcp dpts:afs3-fileserver:7010
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
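Below is an added example, not from either poster, that turns the three points in the reply (loopback first, then ESTABLISHED/RELATED, then rules grouped by protocol) into a ruleset in iptables-restore(8) format, and wraps loading it in a rollback timer since the original poster has already been locked out once. It replaces the unconditional "ACCEPT all" at the top of the posted INPUT chain with explicit per-service rules and drops the trailing "DROP all", which the DROP policy already covers. Assumptions: the server only needs ssh, http and https from outside (ports 113 and 10000 from the posted listing are left out; add them back if you use them), FORWARD is set to DROP because a dedicated web server does not route, and SSH_ALLOW is a placeholder for the address you administer from. The rollback path /root/iptables.rollback is also an assumption.

```shell
#!/bin/sh
# Added example (not from the original thread): generate a grouped INPUT
# ruleset and load it with a timed rollback so a mistake cannot lock you out.
# SSH_ALLOW is an assumption; narrow it to your own address if you can.
SSH_ALLOW="${SSH_ALLOW:-0.0.0.0/0}"
ROLLBACK_FILE="${ROLLBACK_FILE:-/root/iptables.rollback}"   # assumed path

# Print the ruleset. Order matters: lo and conntrack come first so that
# every reply packet is accepted before any service-specific rule is consulted.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# 1. loopback: local services talk to each other freely
-A INPUT -i lo -j ACCEPT
# 2. replies to connections this host already has (covers DNS answers and
#    ICMP errors, so the per-type ICMP and "udp spt:domain" rules are not needed)
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# 3a. tcp services, new connections only
-A INPUT -p tcp --dport 22 -s $SSH_ALLOW -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
# 3b. icmp: allow ping; other types arrive as RELATED and are handled above
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# everything else falls through to the DROP policy; log a rate-limited sample first
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT drop: "
COMMIT
EOF
}

# Load the ruleset with a safety net: the previous rules are restored
# automatically after $1 seconds unless you kill the timer. Needs root.
apply_with_rollback() {
    timeout="${1:-120}"
    iptables-save > "$ROLLBACK_FILE" || return 1
    ( sleep "$timeout"; iptables-restore < "$ROLLBACK_FILE" ) &
    ROLLBACK_PID=$!
    if gen_rules | iptables-restore; then
        echo "new rules loaded; rollback in ${timeout}s unless you run: kill $ROLLBACK_PID"
    else
        kill "$ROLLBACK_PID"
        iptables-restore < "$ROLLBACK_FILE"
        echo "load failed, previous rules restored" >&2
        return 1
    fi
}

# Usage (as root, from the ssh session you want to keep):
#   . ./firewall.sh; apply_with_rollback 120
#   ... open a second ssh session to confirm access, then: kill $ROLLBACK_PID
#   iptables -vnL   # check the counters: the ESTABLISHED rule should be the busiest
```

Use "iptables -vnL" after loading, as the reply suggests: with the unconditional ACCEPT gone, the per-rule packet counters show which rules actually match, and a rule whose counter never moves is a candidate for removal.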