[WBEL-users] Iptables
Ganeshram Iyer
gri0941@exchange.uta.edu
Wed, 21 Jul 2004 09:17:01 -0500
Hello all,
I am a newbie to Linux and am trying to configure my firewall to a
decent level. I used the script generator at
http://www.lowth.com/LinWiz/1.09 to generate my iptables scripts. But I
am still in the dark as to what I need to do with this script. Do I just
need to copy it to some directory or do I need to execute it as a shell
script? I don't know if this is the right place to ask this question but
my searches have not yielded any results.
Thanks a bunch in advance.
Ganesh
====================================================================================
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:ADDRESS-FILTER - [0:0]
:LINWIZ-INPUT - [0:0]
:REJECT-PKT - [0:0]
:SYN-FLOOD - [0:0]
-A INPUT -j LINWIZ-INPUT
######################################################################
# Allow all loopback interface traffic
-A LINWIZ-INPUT -i lo -j ACCEPT
# Block all attempts to spoof the loopback address
-A LINWIZ-INPUT -s 127.0.0.0/8 -j LOG --log-prefix "SPOOFED-LOOPBACK: "
-A LINWIZ-INPUT -s 127.0.0.0/8 -j DROP
-A LINWIZ-INPUT -d 127.0.0.0/8 -j LOG --log-prefix "SPOOFED-LOOPBACK: "
-A LINWIZ-INPUT -d 127.0.0.0/8 -j DROP
# Block all attempts to spoof the local IP address
-A LINWIZ-INPUT -s 192.168.0.107 -j LOG --log-prefix "SPOOFED-IP: "
-A LINWIZ-INPUT -s 192.168.0.107 -j DROP
# Block Syn Flood attacks
-A LINWIZ-INPUT -p tcp -m tcp --syn -j SYN-FLOOD
# Ensure that TCP connections start with syn packets
-A LINWIZ-INPUT -p tcp -m tcp ! --syn -m state --state NEW -j LOG --log-prefix "SYN-EXPECTED: "
-A LINWIZ-INPUT -p tcp -m tcp ! --syn -m state --state NEW -j DROP
# Allow session continuation traffic
-A LINWIZ-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Call the IP and MAC address filtering chain
-A LINWIZ-INPUT -j ADDRESS-FILTER
# Allow ICMP ping requests from allowed hosts
-A LINWIZ-INPUT -p icmp -m icmp --icmp-type ping -j ACCEPT
# Allow selected TCP/IP and/or UDP services
-A LINWIZ-INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A LINWIZ-INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A LINWIZ-INPUT -p tcp -m tcp --dport 139 -j ACCEPT
-A LINWIZ-INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A LINWIZ-INPUT -p tcp -m tcp --dport 515 -j ACCEPT
-A LINWIZ-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A LINWIZ-INPUT -p tcp -m tcp --dport 901 -j ACCEPT
-A LINWIZ-INPUT -p tcp -m tcp --dport 1512 -j ACCEPT
-A LINWIZ-INPUT -p tcp -m tcp --dport 6000 -j ACCEPT
-A LINWIZ-INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
-A LINWIZ-INPUT -p udp -m udp --dport 137:138 -j ACCEPT
-A LINWIZ-INPUT -p udp -m udp --dport 177 -j ACCEPT
-A LINWIZ-INPUT -p udp -m udp --dport 1512 -j ACCEPT
-A LINWIZ-INPUT -p udp -m udp --sport 137:138 -j ACCEPT
# Block all other TCP/IP and UDP traffic
-A LINWIZ-INPUT -j REJECT-PKT
######################################################################
# Syn flood filtering chain
-A SYN-FLOOD -m limit --limit 1/s --limit-burst 4 -j RETURN
-A SYN-FLOOD -j LOG --log-prefix "SYN-FLOOD: "
-A SYN-FLOOD -j DROP
######################################################################
# Chain used to reject all TCP/IP, UDP and ICMP/PING packets
-A REJECT-PKT -p udp -m udp --sport 137:138 --dport 137:138 -j DROP
-A REJECT-PKT -p tcp -m tcp -j LOG
-A REJECT-PKT -p tcp -m tcp -j REJECT --reject-with tcp-reset
-A REJECT-PKT -p udp -m udp -j LOG
-A REJECT-PKT -p udp -m udp -j REJECT --reject-with icmp-port-unreachable
-A REJECT-PKT -p icmp -m icmp --icmp-type ping -j LOG
-A REJECT-PKT -p icmp -m icmp --icmp-type ping -j REJECT --reject-with icmp-host-unreachable
######################################################################
# IP and MAC address filtering chain
-A ADDRESS-FILTER -s 192.168.0.100/20 -j RETURN
-A ADDRESS-FILTER -j REJECT-PKT
==============================================================================================================
COMMIT
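Added example (not from the post or from LinWiz): a small Python check that strips the "====" separator lines the mail added around the dump, verifies the `*filter` / `COMMIT` framing and that every `-j` jump resolves to a declared chain or a built-in target, and lists the ports the ACCEPT rules expose. `SAMPLE` is a constructed excerpt of the ruleset above; the function names are my own.

```python
# Constructed excerpt of the generated ruleset from the post, wrapped in the
# "====" separator lines from the mail (they are not iptables syntax).
SAMPLE = """\
====================
*filter
:INPUT ACCEPT [0:0]
:LINWIZ-INPUT - [0:0]
:REJECT-PKT - [0:0]
-A INPUT -j LINWIZ-INPUT
-A LINWIZ-INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A LINWIZ-INPUT -p udp -m udp --dport 137:138 -j ACCEPT
-A LINWIZ-INPUT -j REJECT-PKT
-A REJECT-PKT -p tcp -m tcp -j REJECT --reject-with tcp-reset
====================
COMMIT
"""
# Targets iptables-restore accepts without a user-defined chain of that name.
BUILTIN_TARGETS = {"ACCEPT", "DROP", "REJECT", "LOG", "RETURN", "QUEUE"}

def clean(text):
    """Keep only lines iptables-restore understands: drop blanks and '=' separators."""
    return [ln for ln in text.splitlines() if ln.strip() and not ln.startswith("=")]

def check(lines):
    """Validate one *filter table; return (chains, rules, problems)."""
    chains, rules, problems = {}, [], []
    if not lines or lines[0] != "*filter":
        problems.append("ruleset must start with *filter")
    if not lines or lines[-1] != "COMMIT":
        problems.append("ruleset must end with COMMIT")
    for ln in lines:
        if ln.startswith(":"):        # chain declaration ":NAME POLICY [pkts:bytes]"
            name, policy = ln[1:].split()[:2]
            chains[name] = policy
        elif ln.startswith("-A "):    # a rule appended to a chain
            rules.append(ln.split())
    for toks in rules:
        chain = toks[1]
        target = toks[toks.index("-j") + 1] if "-j" in toks else None
        if chain not in chains:
            problems.append(f"rule appended to undeclared chain {chain}")
        if target and target not in chains and target not in BUILTIN_TARGETS:
            problems.append(f"jump to unknown target {target}")
    return chains, rules, problems

def accepted_ports(rules):
    """(proto, dport) pairs that ACCEPT rules open: the services the host exposes."""
    return sorted({(t[t.index("-p") + 1], t[t.index("--dport") + 1])
                   for t in rules if "ACCEPT" in t and "-p" in t and "--dport" in t})
```

The cleaned lines are in iptables-save format, which is loaded with `iptables-restore < file` (and dumped back with `iptables-save` to confirm what is active), not run as a shell script.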