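the general rules has been changed abit, here:

#!/bin/bash
# PlasmaWall rules
#
# Rebuilds this host's IPv4 iptables policy from scratch: flush everything,
# set the default policies (INPUT/FORWARD drop, OUTPUT accept), then add the
# explicit ACCEPT rules below and finish with a logged REJECT.  Must run as
# root.  Only iptables (IPv4) is touched; if the host also has IPv6
# connectivity, ip6tables keeps whatever policy it had before.
#
# Failure handling: -e aborts on the first iptables error, which leaves the
# chains half-built (default DROP already applied).  If that is a concern,
# loading a prepared ruleset with iptables-restore is atomic.
set -eu

IPT=/sbin/iptables

# Networks allowed to reach the Windows/Samba ports.  One CIDR per array
# element so each is passed to iptables as a single, quoted argument.
NET_IPS=(132.72.144.0/20 192.168.114.0/24)

# Rate limit applied to every LOG rule: without it, a remote sender can fill
# syslog/disk just by sending traffic that gets rejected.
LOG_LIMIT=(-m limit --limit 5/min --limit-burst 10)

# --- defaults ----------------------------------------------------------------
printf '%s\n' " - Flushing rules..."
"$IPT" -F
printf '%s\n' " - Setting default policy..."
"$IPT" -P INPUT DROP
"$IPT" -P OUTPUT ACCEPT
"$IPT" -P FORWARD DROP

# --- input -------------------------------------------------------------------
printf '%s\n' " - Setting input rules..."

# Loopback: match on the interface rather than on source 127.0.0.1, so a
# packet arriving on a real interface with a forged loopback source is not
# accepted by this rule.
"$IPT" -A INPUT -i lo -j ACCEPT

# Replies to, and related flows of, connections already tracked.
"$IPT" -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# ssh (disabled in the original ruleset; uncomment to allow remote logins)
#"$IPT" -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

# ftp / webserver, open to any source.
# NOTE: passive-FTP data connections are only matched by RELATED above when
# the nf_conntrack_ftp helper is loaded; otherwise they hit the final REJECT.
"$IPT" -A INPUT -p tcp -m state --state NEW --dport 21 -j ACCEPT
"$IPT" -A INPUT -p tcp -m state --state NEW --dport 443 -j ACCEPT
"$IPT" -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT

# Windows / Samba, only from the listed networks.
# Port 426 is kept from the original ruleset; it is not one of the standard
# SMB/NetBIOS ports (135, 137-139, 445) — confirm it is actually needed.
for net in "${NET_IPS[@]}"; do
  "$IPT" -A INPUT -p tcp -m state --state NEW --dport 135 -s "$net" -j ACCEPT
  "$IPT" -A INPUT -p tcp -m state --state NEW --dport 139 -s "$net" -j ACCEPT
  "$IPT" -A INPUT -p udp -m state --state NEW --dport 137 -s "$net" -j ACCEPT
  "$IPT" -A INPUT -p udp -m state --state NEW --dport 138 -s "$net" -j ACCEPT
  "$IPT" -A INPUT -p tcp -m state --state NEW --dport 426 -s "$net" -j ACCEPT
  "$IPT" -A INPUT -p tcp -m state --state NEW --dport 445 -s "$net" -j ACCEPT
done

# BitTorrent listening ports (6881-6886), open to any source.
"$IPT" -A INPUT -p tcp -m state --state NEW --dport 6881:6886 -j ACCEPT

# SYN-flood defence (kept disabled, as in the original ruleset).
#"$IPT" -N syn-flood
#"$IPT" -A INPUT -p tcp --syn -j syn-flood
#"$IPT" -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
#"$IPT" -A syn-flood -j DROP

# Fragment floods: log (rate-limited) and drop non-first fragments.
"$IPT" -A INPUT -f "${LOG_LIMIT[@]}" -j LOG --log-prefix "IPTABLES FRAGMENTS: "
"$IPT" -A INPUT -f -j DROP

# Everything else: log (rate-limited) and reject.
"$IPT" -A INPUT "${LOG_LIMIT[@]}" -j LOG --log-prefix "Rejected: "
"$IPT" -A INPUT -j REJECT --reject-with icmp-port-unreachable

# --- output ------------------------------------------------------------------
printf '%s\n' " - Setting output rules..."

# With the OUTPUT policy set to ACCEPT above, these two rules are redundant;
# they are kept so that switching the policy to DROP later still permits
# established traffic and outbound ssh.
"$IPT" -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
"$IPT" -A OUTPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

printf '%s\n' " done."

On Fri 25 Jan 15:42 2008 mouss wrote:
> Eial Czerwacki wrote:
> > ok, I've deiced to give it a try, after adding the line, I can browse the local network, e.g. samba isnt blocked again.
> > you guys say that this isnt the problem, now, after enabling it, is there any threat to my system?
> >
>
> you mean enabled an output rule and it worked? now, I'm puzzled. post
> the full config.
>
> and no, allowing output should not be a problem.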