[WBEL-users] Iptables

Andy industrial_soup@dynacomp.net
Thu, 22 Jul 2004 02:00:47 -0400


fwbuilder ( http://www.fwbuilder.org/ ) is a really nice GUI tool that 
allows you to set up iptables rules. It will generate a script for you 
that you can just copy and run on the server.

It comes with very helpful wizards that will generate basic rules for 
you, check it out!

Andy

Ganeshram Iyer wrote:

> Hello all,
> I am a newbie to Linux and am trying to configure my firewall to a 
> decent level. I used the script generator at 
> http://www.lowth.com/LinWiz/1.09 to generate my iptables scripts. But 
> I am still in the dark as to what I need to do with this script? Do I 
> just need to copy it to some directory or do I need to execute it as a 
> shell script? I don't know if this is the right place to ask this 
> question but my searches have not yielded any results.
>
> Thanks a bunch in advance.
> Ganesh
>
> ==================================================================================== 
>
>
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :ADDRESS-FILTER - [0:0]
> :LINWIZ-INPUT - [0:0]
> :REJECT-PKT - [0:0]
> :SYN-FLOOD - [0:0]
>
> -A INPUT -j LINWIZ-INPUT
>
> ######################################################################
> # Allow all loopback interface traffic
>
> -A LINWIZ-INPUT -i lo -j ACCEPT
>
> # Block all attempts to spoof the loopback address
>
> -A LINWIZ-INPUT -s 127.0.0.0/8 -j LOG --log-prefix "SPOOFED-LOOPBACK: "
> -A LINWIZ-INPUT -s 127.0.0.0/8 -j DROP
> -A LINWIZ-INPUT -d 127.0.0.0/8 -j LOG --log-prefix "SPOOFED-LOOPBACK: "
> -A LINWIZ-INPUT -d 127.0.0.0/8 -j DROP
>
> # Block all attempts to spoof the local IP address
>
> -A LINWIZ-INPUT -s 192.168.0.107 -j LOG --log-prefix "SPOOFED-IP: "
> -A LINWIZ-INPUT -s 192.168.0.107 -j DROP
>
> # Block Syn Flood attacks
>
> -A LINWIZ-INPUT -p tcp -m tcp --syn -j SYN-FLOOD
>
> # Ensure that TCP connections start with syn packets
>
> -A LINWIZ-INPUT -p tcp -m tcp ! --syn -m state --state NEW -j LOG --log-prefix "SYN-EXPECTED: "
> -A LINWIZ-INPUT -p tcp -m tcp ! --syn -m state --state NEW -j DROP
>
> # Allow session continuation traffic
>
> -A LINWIZ-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> # Call the IP and MAC address filtering chain
>
> -A LINWIZ-INPUT -j ADDRESS-FILTER
>
> # Allow ICMP ping requests from allowed hosts
>
> -A LINWIZ-INPUT -p icmp -m icmp --icmp-type ping -j ACCEPT
>
> # Allow selected TCP/IP and/or UDP services
>
> -A LINWIZ-INPUT -p tcp -m tcp --dport 22 -j ACCEPT
> -A LINWIZ-INPUT -p tcp -m tcp --dport 80 -j ACCEPT
> -A LINWIZ-INPUT -p tcp -m tcp --dport 139 -j ACCEPT
> -A LINWIZ-INPUT -p tcp -m tcp --dport 443 -j ACCEPT
> -A LINWIZ-INPUT -p tcp -m tcp --dport 515 -j ACCEPT
> -A LINWIZ-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
> -A LINWIZ-INPUT -p tcp -m tcp --dport 901 -j ACCEPT
> -A LINWIZ-INPUT -p tcp -m tcp --dport 1512 -j ACCEPT
> -A LINWIZ-INPUT -p tcp -m tcp --dport 6000 -j ACCEPT
> -A LINWIZ-INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
> -A LINWIZ-INPUT -p udp -m udp --dport 137:138 -j ACCEPT
> -A LINWIZ-INPUT -p udp -m udp --dport 177 -j ACCEPT
> -A LINWIZ-INPUT -p udp -m udp --dport 1512 -j ACCEPT
> -A LINWIZ-INPUT -p udp -m udp --sport 137:138 -j ACCEPT
>
> # Block all other TCP/IP and UDP traffic
>
> -A LINWIZ-INPUT -j REJECT-PKT
>
> ######################################################################
> # Syn flood filtering chain
>
> -A SYN-FLOOD -m limit --limit 1/s --limit-burst 4 -j RETURN
> -A SYN-FLOOD -j LOG --log-prefix "SYN-FLOOD: "
> -A SYN-FLOOD -j DROP
>
> ######################################################################
> # Chain used to reject all TCP/IP, UDP and ICMP/PING packets
>
> -A REJECT-PKT -p udp -m udp --sport 137:138 --dport 137:138 -j DROP
> -A REJECT-PKT -p tcp -m tcp -j LOG
> -A REJECT-PKT -p tcp -m tcp -j REJECT --reject-with tcp-reset
> -A REJECT-PKT -p udp -m udp -j LOG
> -A REJECT-PKT -p udp -m udp -j REJECT --reject-with icmp-port-unreachable
> -A REJECT-PKT -p icmp -m icmp --icmp-type ping -j LOG
> -A REJECT-PKT -p icmp -m icmp --icmp-type ping -j REJECT --reject-with icmp-host-unreachable
>
> ######################################################################
> # IP and MAC address filtering chain
>
> -A ADDRESS-FILTER -s 192.168.0.100/20 -j RETURN
> -A ADDRESS-FILTER -j REJECT-PKT
> ============================================================================================================== 
>
>
> COMMIT
>
>
> _______________________________________________
> Whitebox-users mailing list
> Whitebox-users@beau.org
> http://beau.org/mailman/listinfo/whitebox-users
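The ruleset Ganesh posted is in iptables-save format (`*filter`, `:CHAIN POLICY [0:0]` declarations, `COMMIT`), which is loaded with `iptables-restore < file` rather than executed as a shell script; on Red Hat-style systems such as WBEL that file is kept as `/etc/sysconfig/iptables` and applied by the iptables init script. The checker below is added here and is not part of the thread or of LinWiz: it catches the defects such a file picks up when copied out of a mail message (a rule wrapped onto two lines, pasted `====` separators, jumps to chains that were never declared, a table without `COMMIT`) before the file is loaded. The sample ruleset is constructed for the example.

```python
import re

BUILTIN_TARGETS = {"ACCEPT", "DROP", "REJECT", "LOG", "RETURN", "QUEUE"}  # need no declaration
CHAIN_DECL = re.compile(r"^:(\S+)\s+\S+\s+\[\d+:\d+\]$")  # :NAME POLICY [pkts:bytes]
RULE = re.compile(r"^-A\s+(\S+)(.*)$")                    # -A CHAIN <matches> -j TARGET
JUMP = re.compile(r"(?:^|\s)-j\s+(\S+)")

def lint_ruleset(text):
    """Return a list of problems; an empty list means the file should load cleanly."""
    problems, table, chains = [], None, set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                       # opens a table (*filter, *nat, ...)
            if table is not None:
                problems.append(f"line {lineno}: *{table} not closed by COMMIT")
            table, chains = line[1:], set()
        elif line == "COMMIT":
            table = None
        elif table is None:
            problems.append(f"line {lineno}: text outside a table: {line!r}")
        elif CHAIN_DECL.match(line):
            chains.add(CHAIN_DECL.match(line).group(1))
        elif not RULE.match(line):                     # wrapped line or pasted separator
            problems.append(f"line {lineno}: not a rule: {line!r}")
        else:
            chain, rest = RULE.match(line).groups()
            if chain not in chains:
                problems.append(f"line {lineno}: rule on undeclared chain {chain}")
            jump = JUMP.search(rest)
            if jump and jump.group(1) not in chains | BUILTIN_TARGETS:
                problems.append(f"line {lineno}: jump to unknown target {jump.group(1)}")
    if table is not None:
        problems.append(f"end of file: *{table} not closed by COMMIT")
    return problems

# Constructed sample modelled on the posted ruleset, with two paste defects:
# a LOG rule wrapped onto two lines by the mail client and a "====" separator.
SAMPLE = """\
*filter
:INPUT ACCEPT [0:0]
:LINWIZ-INPUT - [0:0]
-A LINWIZ-INPUT -p tcp -m tcp ! --syn -m state --state NEW -j LOG
--log-prefix "SYN-EXPECTED: "
-A LINWIZ-INPUT -j REJECT-PKT
====================
COMMIT
"""
```

Run `lint_ruleset(open("/etc/sysconfig/iptables").read())` and fix every reported line before restarting the firewall; a wrapped `--log-prefix` line and the `====` separators are exactly what makes iptables-restore refuse the file.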