Re: correct netfilter rule

2009/10/31 Ralph Blach <rblach@xxxxxxxxxx>
>
> I am not so good at writing what I wish to accomplish.
>
> I am often not at home and wish to access my system. That means when I ssh into my machine, it will be from
> an IP address of a hotel's or other ISP's network.
>
> Internet                 linksys                                              10.0.0.0/255.255.255.0
> -------------------| firewall with port 22 forwarded | ----------------|linux server|------------
>
> For my home machine, I wish to block traffic from networks which I see in my /var/log/secure file have attacked my machine.
> (By now I have a long list, if anybody wants it.)
> But for certain well-known addresses, like 10.0.0.0/255.255.255.0 and the nameserver addresses, I just wish to accept those.
> There seems to be a never-ending stream of break-in attempts.
>
> In sshd, I have denied all users except 2 users with complex names and passwords.
>
> So: allow the internal local network.
> Allow the nameservers.
> Deny attacking networks.
>


# Default policy: drop everything that no rule explicitly accepts
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# User-defined chain holding everything that is allowed
iptables -N ALLOW
iptables -A ALLOW -s <internal network> -j ACCEPT
iptables -A ALLOW -d <internal network> -j ACCEPT
# --sport/--dport require a protocol match; DNS queries are normally UDP
iptables -A ALLOW -s <dns> -p udp --sport 53 -j ACCEPT
iptables -A ALLOW -d <dns> -p udp --dport 53 -j ACCEPT
# Hand INPUT to the ALLOW chain, then log whatever falls through to the DROP policy
iptables -A INPUT -j ALLOW
iptables -A INPUT -j LOG --log-prefix "FW DROP >" --log-ip-options --log-tcp-options

Repeat the last two rules for the OUTPUT and FORWARD chains as well.

The last (log) rule is only if you want a record of what's going on.

***ANY*** traffic not explicitly added to the ALLOW user-defined chain
will get dropped.

--
Richard Horton
Users are like a virus: Each causing a thousand tiny crises until the
host finally dies.
http://www.solstans.co.uk - Solstans Japanese Bobtails and Norwegian Forest Cats
http://www.pbase.com/arimus - My online photogallery
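One way to derive the "attacking networks" list Ralph mentions from /var/log/secure, as an added example rather than anything posted in this thread: it counts failed sshd logins per source address and emits DROP rules for a hypothetical ATTACKERS chain that the caller creates and jumps to from INPUT ahead of the ALLOW chain above. The log lines are constructed samples; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges, not real attackers.

```shell
#!/bin/sh
# Added example (not from the thread): count failed sshd logins per source
# address from /var/log/secure-style lines and print iptables DROP rules for
# sources at or above a threshold. ATTACKERS is a hypothetical chain name.

# Constructed sample of /var/log/secure; the Accepted line must not count.
SAMPLE_LOG='Oct 31 10:01:02 home sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Oct 31 10:01:05 home sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 40123 ssh2
Oct 31 10:01:09 home sshd[2240]: Failed password for root from 203.0.113.7 port 40130 ssh2
Oct 31 10:02:11 home sshd[2251]: Failed password for invalid user test from 198.51.100.9 port 51000 ssh2
Oct 31 10:03:20 home sshd[2260]: Accepted publickey for ralph from 10.0.0.5 port 52000 ssh2'

# failed_logins_by_ip <logtext>: prints "count ip" per source, most frequent first
failed_logins_by_ip() {
    printf '%s\n' "$1" |
        awk '/sshd.*Failed password for .* from / {
                 # the field after "from" is the source address
                 for (i = 1; i <= NF; i++) if ($i == "from") c[$(i+1)]++
             }
             END { for (ip in c) print c[ip], ip }' |
        sort -rn
}

# drop_rules <logtext> <threshold>: one DROP rule per source with >= threshold failures
drop_rules() {
    failed_logins_by_ip "$1" | awk -v t="$2" '$1 >= t {
        printf "iptables -A ATTACKERS -s %s -j DROP\n", $2 }'
}

# Usage as root, after "iptables -N ATTACKERS" and "iptables -I INPUT -j ATTACKERS":
#   drop_rules "$(cat /var/log/secure)" 3 | sh
```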
