On Sat, Apr 30, 2011 at 08:08:55PM +0100, Andrew Beverley wrote:
> On Sat, 2011-04-30 at 13:23 -0500, Mike Hendrie wrote:
> > Now to lock it down? I should just create rules to block ports?
>
> Well, it depends how paranoid you are. You might just want to block
> new incoming connections to the local network:
>
> iptables -P FORWARD DROP
> iptables -A FORWARD -i $ext_IF -o $int_IF \
>     -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -i $int_IF -o $ext_IF -j ACCEPT
>
> You'd probably also want to drop all incoming connections to the
> server apart from your web server:
>
> iptables -A INPUT -p tcp --dport 80 -i $ext_IF -j ACCEPT
> iptables -A INPUT -i $ext_IF -j DROP
>
> As Rob says though, you're probably best going through a few basic
> tutorials first - you'll be up to speed in no time. Also check out
> iptables-save and iptables-restore.
>
> Let's hope I haven't made any more mistakes that Rob is going to
> spot :)

Hehe ... well ... I would suggest that you look at the enhanced feature
set of -m conntrack --ctstate vs. -m state --state. That's not a
mistake, though; that is preference. :)
-- 
  Offlist mail to this address is discarded unless
  "/dev/rob0" or "not-spam" is in Subject: header
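As an added example (not code from either poster), here is the ruleset Andrew sketched, written with the `-m conntrack --ctstate` match Rob prefers and emitted in iptables-restore(8) format so it can be parse-checked with `iptables-restore --test` before it is committed, then persisted with iptables-save as the thread suggests. The interface names eth0/eth1 are assumptions; the example also accepts ESTABLISHED,RELATED traffic on INPUT so that the server itself can still receive replies to connections it initiates (DNS, updates), which the quoted INPUT rules on their own would drop.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# Interface names are assumptions; set ext_IF/int_IF in the environment to override.
ext_IF="${ext_IF:-eth0}"
int_IF="${int_IF:-eth1}"

# Emit the whole filter table in iptables-restore format. FORWARD defaults to
# DROP; INPUT keeps ACCEPT as its policy (so lo and the LAN side stay open)
# and relies on an explicit final DROP for the external interface, as in the thread.
gen_rules() {
cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Router role: only replies/related traffic may enter the LAN from outside;
# anything the LAN starts may leave.
-A FORWARD -i $ext_IF -o $int_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $int_IF -o $ext_IF -j ACCEPT
# Host role: replies to our own outbound connections, then the web server,
# then drop everything else arriving on the external interface.
-A INPUT -i $ext_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $ext_IF -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $ext_IF -j DROP
COMMIT
EOF
}

# Parse-only check first (iptables-restore --test builds the ruleset without
# committing it); only if that succeeds is the ruleset loaded and saved.
apply_rules() {
    rules=$(gen_rules)
    printf '%s\n' "$rules" | iptables-restore --test || return 1
    printf '%s\n' "$rules" | iptables-restore || return 1
    # Persisted copy for review or for reloading at boot (path is an assumption).
    iptables-save > "${RULES_FILE:-/etc/iptables.rules}"
}

case "${1:-show}" in
    apply) apply_rules ;;
    *)     gen_rules ;;
esac
```

Run it with no argument to review the generated ruleset; `apply` needs root and a host with iptables installed.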