#1 2006-09-07 14:55:45

ezzetabi
Member
Registered: 2006-08-27
Posts: 947

Easy and working firewall.

Someone may find this one useful; it is a little script that configures iptables easily.
No need for fancy GUIs, and dead easy.

A nice simple script.
chown it root:root
chmod it 744
Edit, run the script, repeat when needed.

#!/bin/sh
# firewall.sh
# Simple stateful firewall for a single host. Run as root; re-run after editing.
# Note: this configures IPv4 only (iptables); IPv6 needs ip6tables separately.
# OUTPUT is not touched, so outgoing traffic keeps its current policy (ACCEPT by default).

if [ "`/usr/bin/id -u`" != 0 ]
then
  echo "`basename $0`": you need to be root to do that.
  exit 1
fi

# Set the DROP policies before flushing, so nothing gets in while the rules are rebuilt
iptables --policy INPUT DROP
iptables --policy FORWARD DROP
iptables --flush        # Flush all rules, but keep policies
iptables --delete-chain # Remove any user-defined chains as well

### Basic firewall rules ###
# Loopback: only 127.0.0.1 <-> 127.0.0.1 is accepted. Local connections to the
# host's own non-loopback address also arrive on lo and will be dropped by this
# rule; match on "-i lo" alone if you need those.
iptables --append INPUT -i lo --source 127.0.0.1 --destination 127.0.0.1 -j ACCEPT
# Replies to connections this host started, plus related traffic (e.g. FTP data, ICMP errors)
iptables --append INPUT -m state --state "ESTABLISHED,RELATED" -j ACCEPT

### icmp services (uncomment what you want to answer to) ###
#iptables --append INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
#iptables --append INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
#iptables --append INPUT -p icmp --icmp-type echo-request -j ACCEPT
#iptables --append INPUT -p icmp --icmp-type echo-reply -j ACCEPT

### Open ports (uncomment the services you run) ###
#Bittorrent, ten downloads at a time
#iptables --append INPUT -p tcp --dport 6881:6890 -j ACCEPT

#eDonkey network
#iptables --append INPUT -p tcp --dport 4662 -j ACCEPT
#iptables --append INPUT -p udp --dport 4672 -j ACCEPT

#http server
#iptables --append INPUT -p tcp --dport 80 -j ACCEPT

#https server (port name resolved through /etc/services)
#iptables --append INPUT -p tcp --dport https -j ACCEPT

### Log what is about to be dropped, limited to 40 entries per minute ###
# LOG is not a terminating target: the packet is written to the kernel log
# (dmesg / syslog) and then falls through to the DROP below. The limit match
# keeps a port scan or a flood from filling the log.
iptables --append INPUT -j LOG -m limit --limit 40/minute
### Everything else is dropped ###
iptables --append INPUT -j DROP
echo "`basename $0`": Done.

Using iptables you have a simple working firewall.

If you like this one, I am happy. If you have advice, I am even happier. If you dislike it, as the wiki says, even if everyone hates it but you, you made something...

It is not 100% my own work; I altered a script I found some time ago. Whoever the original author was, I thank him.

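
The script above applies its rules directly, so the only way to see what it does is to run it as root and read back iptables-save. The following is an added example, not ezzetabi's script and not from the original thread: it builds the same kind of rule set (DROP policies, loopback, connection tracking, a list of open ports, a rate-limited LOG, a final DROP) as lines of text first, so the rules can be reviewed or tested without root, and only installs them when asked. It also answers the question about the LOG line: LOG writes the packet to the kernel log and is non-terminating, so the packet still reaches the DROP after it, and "-m limit" caps how many such log entries are produced. The variable names FW_OPEN, FW_LOG_RATE, FW_APPLY and the function names are assumptions for this example; the loopback rule deliberately uses plain "-i lo" so that local connections to the host's own address are not dropped.

```shell
#!/bin/sh
# fwgen.sh - added example, not the firewall.sh from the post above.
# Produces the iptables commands as text (fw_rules), so they can be read,
# diffed or tested without root, and applies them only when FW_APPLY=1.
# Assumed knobs (not from the original post):
#   FW_OPEN      space-separated "proto:port" or "proto:first:last" entries,
#                e.g. "tcp:22 tcp:80 tcp:6881:6890 udp:4672"
#   FW_LOG_RATE  rate for the limit match in front of LOG

FW_OPEN="${FW_OPEN:-}"
FW_LOG_RATE="${FW_LOG_RATE:-40/minute}"

# fw_rules: print one iptables command per line, in the order they must run.
# Returns 1 on a malformed FW_OPEN entry.
fw_rules() {
    # Policies first, so the table is closed while it is being rebuilt
    echo "iptables --policy INPUT DROP"
    echo "iptables --policy FORWARD DROP"
    echo "iptables --flush"
    echo "iptables --delete-chain"
    # All loopback traffic, not only 127.0.0.1<->127.0.0.1: local clients
    # talking to the host's own public address also arrive on lo
    echo "iptables --append INPUT -i lo -j ACCEPT"
    # Replies to connections we started, plus related ones (e.g. FTP data)
    echo "iptables --append INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Packets conntrack cannot classify never reach the open ports below
    echo "iptables --append INPUT -m state --state INVALID -j DROP"
    for spec in $FW_OPEN; do
        proto=${spec%%:*}      # text before the first ':'
        port=${spec#*:}        # the rest: "80" or "6881:6890"
        case "$proto" in
            tcp|udp) ;;
            *) echo "fw_rules: bad protocol in '$spec'" >&2; return 1 ;;
        esac
        case "$port" in
            ''|*[!0-9:]*|*:*:*) echo "fw_rules: bad port in '$spec'" >&2; return 1 ;;
        esac
        echo "iptables --append INPUT -p $proto --dport $port -j ACCEPT"
    done
    # LOG is non-terminating: the packet is written to the kernel log and then
    # continues to the DROP below. "-m limit" caps how many log lines a scan
    # or flood can generate; "--log-prefix" makes them easy to grep for.
    echo "iptables --append INPUT -m limit --limit $FW_LOG_RATE -j LOG --log-prefix \"fw-drop: \""
    echo "iptables --append INPUT -j DROP"
}

# fw_accept_count: number of ACCEPT rules in the generated set
# (two fixed ones plus one per FW_OPEN entry)
fw_accept_count() {
    fw_rules | grep -c -- '-j ACCEPT'
}

# fw_apply: generate the whole set first, then execute it, stopping at the
# first iptables error. Nothing is executed if generation fails.
fw_apply() {
    if [ "$(id -u)" != 0 ]; then
        echo "fw_apply: you need to be root to do that" >&2
        return 1
    fi
    rules=$(fw_rules) || return 1
    printf '%s\n' "$rules" | sh -e
}

# Default is a dry run that prints the rules; set FW_APPLY=1 to install them.
if [ "${FW_APPLY:-0}" = 1 ]; then
    fw_apply
else
    fw_rules
fi
```

Usage: `FW_OPEN="tcp:22 tcp:80" sh fwgen.sh` prints the rules for review; the same command with `FW_APPLY=1` and root installs them. Like the original script this is IPv4 only, and the rules live in the kernel, not on disk: to keep them across a reboot or a reconnect, dump them once with iptables-save and replay the file with iptables-restore from whatever hook runs when the interface comes up.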

#2 2006-09-07 23:12:45

chrismortimore
Member
From: Edinburgh, UK
Registered: 2006-07-15
Posts: 655

Re: Easy and working firewall.

Out of curiosity, can you explain the second last iptables line? As in "iptables --append INPUT -j LOG -m limit --limit 40/minute". I assume it does some kind of logging, but I don't quite get what (I've never really used iptables myself, so sorry if it's a stupid question).


Desktop: AMD Athlon64 3800+ Venice Core, 2GB PC3200, 2x160GB Maxtor DiamondMax 10, 2x320GB WD Caviar RE, Nvidia 6600GT 256MB
Laptop: Intel Pentium M, 512MB PC2700, 60GB IBM TravelStar, Nvidia 5200Go 64MB


#3 2006-09-08 11:02:34

ezzetabi
Member
Registered: 2006-08-27
Posts: 947

Re: Easy and working firewall.

Fixed.


#4 2006-09-08 15:48:54

chrismortimore
Member
From: Edinburgh, UK
Registered: 2006-07-15
Posts: 655

Re: Easy and working firewall.

Cheerios :)



#5 2006-09-10 08:01:20

ezzetabi
Member
Registered: 2006-08-27
Posts: 947

Re: Easy and working firewall.

It is quite shameful since I posted this thread, but I need help...

ATM I have to recall this script every time after connecting, or the iptables rules I made are lost.

Does someone know how pppoe-start works? I tried reading it, but I do not understand how it sets the iptables rules.
After a cold reboot, I noticed iptables-save displays nothing; after pppoe-start, iptables-save shows the default masquerade settings. How can I ask pppoe-start to use my firewall rules?
Thanks.


Powered by FluxBB