
#1 2008-08-06 13:53:51

rs187
Member
From: Mars
Registered: 2008-08-06
Posts: 19

What's the most secure script for iptables?

Hi, I'm new here. I was asking you which of these iptables scripts that I found looks "more secure"?

#!/bin/bash
#
# Personal firewall by Benjamin (Mizar)
# Modified by Ptah 16 Dec 2006
#
#########################################################
# By default DROP on INPUT and FORWARD; all outgoing
# traffic is allowed
#########################################################
# WARNING about lines 114, 115 and 180 of the original
# file (the multiport rules for ports 80,21,22,10000 in
# the bad_tcp and ok_tcp chains below). On these lines I
# enabled some services (ftp, www, ssh) so that they are
# reachable only from the internal network. If you do not
# use these services, have no internal network, or want
# them reachable ALSO from outside, you must modify the
# rules or comment them out
#########################################################

########################
# Variable definitions #
########################
IPTABLES="/sbin/iptables"
IFLO="lo"
IFEXT="eth0"            # Replace with your own external interface: eth0, eth1, ppp0, etc.

case "$1" in
  start)
    #####################
    # Activate firewall #
    #####################
    echo -n "Attivazione Firewall:    "

    #######################
    # Load kernel modules #
    #######################
    modprobe ip_tables
    modprobe iptable_nat
    modprobe ip_conntrack
    modprobe ip_conntrack_ftp
    modprobe ip_nat_ftp
    modprobe ipt_LOG
    modprobe ipt_MARK
    modprobe ipt_MASQUERADE
    modprobe ipt_REDIRECT
    modprobe ipt_REJECT
    modprobe ipt_TOS
    modprobe ipt_limit
    modprobe ipt_mac
    modprobe ipt_mark
    modprobe ipt_multiport
    modprobe ipt_state
    modprobe ipt_tos
    modprobe iptable_mangle
    #modprobe ipt_psd

    ##################
    # Reset settings #
    ##################
    $IPTABLES -F
    $IPTABLES -F -t nat
    $IPTABLES -F -t mangle
    $IPTABLES -X
    $IPTABLES -X -t nat
    $IPTABLES -X -t mangle

    ########################
    # Set default policies #
    ########################
    $IPTABLES -P INPUT   DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT  ACCEPT

    ##########################
    # Allow loopback traffic #
    ##########################
    $IPTABLES -A INPUT  -i $IFLO -j ACCEPT
    $IPTABLES -A OUTPUT -o $IFLO -j ACCEPT


    ###########################
    # Create a chain for ICMP #
    ###########################
    $IPTABLES -N icmp_in

    ########################################################
    # If the ICMP packet is not a ping, accept it;         #
    # otherwise (lines 6-7) log and drop it                #
    # NOTE: as written, the rules below do NOT do that:    #
    # types 0, 8, 3, 5 and 11 get a host-unreachable       #
    # REJECT and everything else is logged and DROPped, so #
    # all ICMP arriving on $IFEXT is blocked, including    #
    # destination-unreachable (needed for path MTU         #
    # discovery).                                          #
    ########################################################
    $IPTABLES -A icmp_in -i $IFEXT -p icmp -m icmp --icmp-type 0 -j REJECT --reject-with icmp-host-unreachable
    $IPTABLES -A icmp_in -i $IFEXT -p icmp -m icmp --icmp-type 8 -j REJECT --reject-with icmp-host-unreachable
    $IPTABLES -A icmp_in -i $IFEXT -p icmp -m icmp --icmp-type 3 -j REJECT --reject-with icmp-host-unreachable
    $IPTABLES -A icmp_in -i $IFEXT -p icmp -m icmp --icmp-type 5 -j REJECT --reject-with icmp-host-unreachable
    $IPTABLES -A icmp_in -i $IFEXT -p icmp -m icmp --icmp-type 11 -j REJECT --reject-with icmp-host-unreachable
    $IPTABLES -A icmp_in -p icmp -j LOG --log-prefix "ICMP drop:"
    $IPTABLES -A icmp_in -p icmp -j DROP

    ########################################
    # Tell iptables to use the chain       #
    # created above                        #
    ########################################
    $IPTABLES -A INPUT -i $IFEXT -p icmp -j icmp_in

    ################################
    # Create a chain for dangerous #
    # TCP packets                  #
    ################################
    $IPTABLES -N bad_tcp

    ######################################
    # TCP PORTSCAN control rules.        #
    # They are commented out because I   #
    # do not have the psd module         #
    # available. If you have it you can  #
    # enable them. They are additional   #
    # rules against PORTSCAN-type        #
    # attacks                            #
    ######################################
    #$IPTABLES -A bad_tcp -p tcp -m psd -j LOG --log-prefix "PORTSCAN TCP: "
    #$IPTABLES -A bad_tcp -p tcp -m psd -j REJECT --reject-with icmp-net-unreachable

    ###########################################
    # Control rules for some TCP ports:       #
    # services I want to make available only  #
    # to computers on the internal network    #
    # (note: "! -s" is the current negation   #
    # syntax; "-s !" is deprecated)           #
    ###########################################
    $IPTABLES -A bad_tcp -p tcp -m multiport --dports 80,21,22,10000 -i $IFEXT ! -s 10.1.1.0/24 -m state --state NEW -j REJECT --reject-with icmp-net-unreachable
    $IPTABLES -A bad_tcp -p tcp -m multiport --dports 445,3306 -i $IFEXT ! -s 10.1.1.0/24 -m state --state NEW -j REJECT --reject-with icmp-net-unreachable

    ##########################
    # TCP flag control rules #
    ##########################
    $IPTABLES -A bad_tcp -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j LOG --log-prefix "Nuova non syn:"
    $IPTABLES -A bad_tcp -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j REJECT --reject-with icmp-net-unreachable
    $IPTABLES -A bad_tcp -p tcp -m state --state INVALID -j LOG --log-prefix "Invalida:"
    $IPTABLES -A bad_tcp -p tcp -m state --state INVALID -j REJECT --reject-with icmp-net-unreachable
    $IPTABLES -A bad_tcp -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -m limit --limit 5/min -j LOG --log-prefix "ScanPort NMAP-XMAS:"
    $IPTABLES -A bad_tcp -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j REJECT --reject-with icmp-net-unreachable
    $IPTABLES -A bad_tcp -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/min -j LOG --log-prefix "ScanPort SYN/RST:"
    $IPTABLES -A bad_tcp -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j REJECT --reject-with icmp-net-unreachable
    $IPTABLES -A bad_tcp -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m limit --limit 5/min -j LOG --log-prefix "ScanPort SYN/FIN:"
    $IPTABLES -A bad_tcp -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j REJECT --reject-with icmp-net-unreachable
    # Known-noisy service and backdoor ports: log (rate-limited) and reject
    $IPTABLES -A bad_tcp -p tcp -m tcp --dport 137:139 -m limit --limit 5/min -j LOG --log-prefix "Tentativo SMB:"
    $IPTABLES -A bad_tcp -p tcp -m tcp --sport 137:139 -m limit --limit 5/min -j LOG --log-prefix "Tentativo SMB:"
    $IPTABLES -A bad_tcp -p tcp -m tcp --dport 137:139 -j REJECT --reject-with icmp-net-unreachable
    $IPTABLES -A bad_tcp -p tcp -m tcp --sport 137:139 -j REJECT --reject-with icmp-net-unreachable
    $IPTABLES -A bad_tcp -p tcp -m tcp --dport 2049 -m limit --limit 5/min -j LOG --log-prefix "Tentativo NFS:"
    $IPTABLES -A bad_tcp -p tcp -m tcp --sport 2049 -m limit --limit 5/min -j LOG --log-prefix "Tentativo NFS:"
    $IPTABLES -A bad_tcp -p tcp -m tcp --dport 2049 -j REJECT --reject-with icmp-net-unreachable
    $IPTABLES -A bad_tcp -p tcp -m tcp --sport 2049 -j REJECT --reject-with icmp-net-unreachable
    $IPTABLES -A bad_tcp -p tcp -m tcp --dport 6000:6063 -m limit --limit 5/min -j LOG --log-prefix "Tentativo X:"
    $IPTABLES -A bad_tcp -p tcp -m tcp --sport 6000:6063 -m limit --limit 5/min -j LOG --log-prefix "Tentativo X:"
    $IPTABLES -A bad_tcp -p tcp -m tcp --dport 6000:6063 -j REJECT --reject-with icmp-net-unreachable
    $IPTABLES -A bad_tcp -p tcp -m tcp --sport 6000:6063 -j REJECT --reject-with icmp-net-unreachable
    $IPTABLES -A bad_tcp -p tcp -m tcp --dport 20034 -m limit --limit 5/min -j LOG --log-prefix "Tentativo NetBus2:"
    $IPTABLES -A bad_tcp -p tcp -m tcp --sport 20034 -m limit --limit 5/min -j LOG --log-prefix "Tentativo NetBus2:"
    $IPTABLES -A bad_tcp -p tcp -m tcp --dport 20034 -j REJECT --reject-with icmp-net-unreachable
    $IPTABLES -A bad_tcp -p tcp -m tcp --sport 20034 -j REJECT --reject-with icmp-net-unreachable
    $IPTABLES -A bad_tcp -p tcp -m tcp --dport 12345:12346 -m limit --limit 5/min -j LOG --log-prefix "Tentativo NetBus:"
    $IPTABLES -A bad_tcp -p tcp -m tcp --sport 12345:12346 -m limit --limit 5/min -j LOG --log-prefix "Tentativo NetBus:"
    $IPTABLES -A bad_tcp -p tcp -m tcp --dport 12345:12346 -j REJECT --reject-with icmp-net-unreachable
    $IPTABLES -A bad_tcp -p tcp -m tcp --sport 12345:12346 -j REJECT --reject-with icmp-net-unreachable
    $IPTABLES -A bad_tcp -p tcp -m tcp --dport 27374 -m limit --limit 5/min -j LOG --log-prefix "Tentativo SubSeven:"
    $IPTABLES -A bad_tcp -p tcp -m tcp --sport 27374 -m limit --limit 5/min -j LOG --log-prefix "Tentativo SubSeven:"
    $IPTABLES -A bad_tcp -p tcp -m tcp --dport 27374 -j REJECT --reject-with icmp-net-unreachable
    $IPTABLES -A bad_tcp -p tcp -m tcp --sport 27374 -j REJECT --reject-with icmp-net-unreachable

    ########################################
    # Tell iptables to use the chain       #
    # for malicious TCP                    #
    ########################################
    $IPTABLES -A INPUT -i $IFEXT -p tcp -j bad_tcp

    ############################
    # Create a chain for valid #
    # TCP packets              #
    ############################
    $IPTABLES -N ok_tcp

    ##########################################################
    # Allow incoming traffic only if it is a reply to        #
    # packets we sent                                        #
    ##########################################################
    $IPTABLES -A ok_tcp -p tcp -m multiport --dports 80,21,22,10000 -i $IFEXT -s 10.1.1.0/24 -m state --state NEW -j ACCEPT
    # NOTE: the next rule accepts ANY new inbound SYN on $IFEXT, whatever the
    # destination port, which contradicts the heading above: only the ports
    # REJECTed in bad_tcp are actually closed, so the DROP policy is bypassed
    # for TCP. Remove this rule if inbound TCP is meant to be limited to the
    # explicit ACCEPTs (internal-network services and aMule).
    $IPTABLES -A ok_tcp -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j ACCEPT
    $IPTABLES -A ok_tcp -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPTABLES -A ok_tcp -i $IFEXT -p tcp -j LOG --log-prefix "ok_tcp drop:"
    $IPTABLES -A ok_tcp -p tcp -j REJECT --reject-with icmp-net-unreachable



    ##################################
    # Allow incoming traffic for aMule #
    ##################################
    $IPTABLES -A INPUT -p tcp --dport 4662 -j ACCEPT
    $IPTABLES -A INPUT -p udp --dport 4665 -j ACCEPT
    $IPTABLES -A INPUT -p udp --dport 4672 -j ACCEPT


    ################################
    # Create a chain for dangerous #
    # UDP packets                  #
    ################################
    $IPTABLES -N bad_udp

    ######################################
    # PORTSCAN control rules.            #
    # They are commented out because I   #
    # do not have the psd module         #
    # available. If you have it you can  #
    # enable them. They are additional   #
    # rules against PORTSCAN-type        #
    # attacks                            #
    ######################################
    #$IPTABLES -A bad_udp -p udp -m psd -j LOG --log-prefix "PORTSCAN UDP: "
    #$IPTABLES -A bad_udp -p udp -m psd -j REJECT --reject-with icmp-net-unreachable

    ########################################
    # Tell iptables to use the chain       #
    # for malicious UDP                    #
    ########################################
    $IPTABLES -A INPUT -i $IFEXT -p udp -j bad_udp

    ############################
    # Create a chain for valid #
    # UDP packets              #
    ############################
    $IPTABLES -N ok_udp

    ##########################################################
    # Allow incoming traffic only if it is a reply to        #
    # packets we sent                                        #
    ##########################################################
    $IPTABLES -A ok_udp -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPTABLES -A ok_udp -i $IFEXT -p udp -j LOG --log-prefix "ok_udp drop:"
    $IPTABLES -A ok_udp -p udp -j REJECT --reject-with icmp-net-unreachable


    ##########################
    # Hook in the custom chains #
    ##########################
    $IPTABLES -A INPUT -i $IFEXT -p tcp -j ok_tcp
    $IPTABLES -A INPUT -i $IFEXT -p udp -j ok_udp

    ##########################
    # Final paranoia rules ;) #
    ##########################
    $IPTABLES -A INPUT -i $IFEXT -j LOG --log-prefix "Default drop:"
    $IPTABLES -A INPUT -i $IFEXT -j DROP

    echo "ok"
    ;;

  stop)
    #######################
    # Deactivate firewall #
    #######################
    echo -n "Disattivazione Firewall: "

    $IPTABLES -F
    $IPTABLES -F -t nat
    $IPTABLES -F -t mangle
    $IPTABLES -X
    $IPTABLES -X -t nat
    $IPTABLES -X -t mangle

    # Note: "stop" leaves the host fully open (all policies ACCEPT)
    $IPTABLES -P INPUT   ACCEPT
    $IPTABLES -P FORWARD ACCEPT
    $IPTABLES -P OUTPUT  ACCEPT

    echo "ok"
    ;;

  status)
    ###########################
    # Display firewall status #
    ###########################
    echo -n "Regole attuali nel Firewall: "

    $IPTABLES -L
    ;;

  restart|reload)
    $0 stop
    $0 start
    ;;

  *)
    echo "Utilizzo: firewall {start|stop|restart|reload|status}" >&2
    exit 1
    ;;

esac

exit 0

OR

#!/bin/sh
#------------------------------------------------------------------------------
# File: fw_laptop
# Author: Uwe Hermann <uwe@hermann-uwe.de>
# URL: http://www.hermann-uwe.de/files/fw_laptop
# License: GNU GPL (version 2, or any later version).
# $Id: fw_laptop 529 2006-06-10 15:11:40Z uh1763 $
#------------------------------------------------------------------------------

# A firewall script intended to be used on workstations / laptops. It basically
# blocks all incoming traffic and only allows minimal outgoing traffic.
# It helps to mitigate certain attacks, misconfigurations of local daemons,
# misbehaving local users or applications, and can prevent untrusted
# applications from "phoning home", among other things.

# Note: This is work in progress! Any comments and suggestions are welcome!

# Thanks for comments and suggestions:
#   * Jean Christophe André <jean-christophe.andre@auf.org>
#   * Ryan Giobbi <rgiobbi@gmail.com>
#   * Pascal Hambourg <pascal.mail@plouf.fr.eu.org>


#------------------------------------------------------------------------------
# Configuration.
#------------------------------------------------------------------------------

# For debugging use iptables -v.
IPTABLES="/sbin/iptables"
IP6TABLES="/sbin/ip6tables"
MODPROBE="/sbin/modprobe"
RMMOD="/sbin/rmmod"
ARP="/usr/sbin/arp"

# Logging options.
# Note: We use --log-level debug, so that the messages are not output
# to all virtual consoles (which would be quite annoying).
# Alternative: Start klogd with -c 4 (e.g. by setting KLOGD="-c 4" in the
# /etc/init.d/klogd startup-script).
LOG="LOG --log-level debug --log-tcp-sequence --log-tcp-options"
LOG="$LOG --log-ip-options"

# Defaults for rate limiting (to prevent DoS attacks and excessive logging).
# TODO: What is a good value for --limit and --limit-burst?
# TODO: Test rate limiting.
RLIMIT="-m limit --limit 3/s --limit-burst 8"

# Unprivileged ports.
PHIGH="1024:65535"

# Common SSH source ports.
PSSH="1000:1023"

# Load required kernel modules (if automatic module loading is disabled).
$MODPROBE ip_conntrack_ftp
$MODPROBE ip_conntrack_irc


#------------------------------------------------------------------------------
# Mitigate ARP spoofing/poisoning and similar attacks.
# For details see:
#   * http://en.wikipedia.org/wiki/ARP_spoofing
#   * http://www.grc.com/nat/arp.htm
#------------------------------------------------------------------------------

# Hardcode static ARP cache entries here (e.g. for the network gateway).
# $ARP -s IP-ADDRESS MAC-ADDRESS


#------------------------------------------------------------------------------
# Kernel configuration.
# For details see:
#   * http://www.securityfocus.com/infocus/1711
#   * http://www.linuxgazette.com/issue77/lechnyr.html
#   * http://ipsysctl-tutorial.frozentux.net/chunkyhtml/index.html
#   * /usr/src/linux/Documentation/filesystems/proc.txt
#   * /usr/src/linux/Documentation/networking/ip-sysctl.txt
#------------------------------------------------------------------------------

# Disable IP forwarding.
# Note: We turn this on and off to reset all settings to their defaults.
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/ip_forward

# Enable IP spoofing protection (i.e. source address verification).
# Note: This is special, as it seems to only be enabled if you set
# */all/rp_filter AND */eth0/rp_filter (for example) to 1! Setting only
# */all/rp_filter alone does _not_ suffice, which is pretty counter-intuitive.
for i in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $i; done

# Protect against SYN flood attacks (see http://cr.yp.to/syncookies.html).
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Ignore all incoming ICMP echo requests (i.e. disable ping).
# Usually not a good idea, as some protocols and users need/want this.
# echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all

# Ignore ICMP echo requests to broadcast/multicast addresses. We do not
# want to participate in smurf (and similar) DoS attacks.
# For details see: http://en.wikipedia.org/wiki/Smurf_attack.
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Log packets with impossible addresses.
for i in /proc/sys/net/ipv4/conf/*/log_martians; do echo 1 > $i; done

# Don't log invalid responses to broadcast frames, they just clutter the logs.
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Don't accept or send ICMP redirects.
for i in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > $i; done
for i in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 > $i; done

# Don't accept source routed packets.
for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do echo 0 > $i; done

# Disable multicast routing. Should not be needed, usually.
# TODO: This throws an "Operation not permitted" error. Why?
# for i in /proc/sys/net/ipv4/conf/*/mc_forwarding; do echo 0 > $i; done

# Disable proxy_arp. Should not be needed, usually.
for i in /proc/sys/net/ipv4/conf/*/proxy_arp; do echo 0 > $i; done

# Enable secure redirects, i.e. only accept ICMP redirects for gateways
# listed in the default gateway list. Helps against MITM attacks.
for i in /proc/sys/net/ipv4/conf/*/secure_redirects; do echo 1 > $i; done

# Disable bootp_relay. Should not be needed, usually.
for i in /proc/sys/net/ipv4/conf/*/bootp_relay; do echo 0 > $i; done

# TODO: These may mitigate ARP poisoning attacks?
# /proc/sys/net/ipv4/neigh/*/locktime
# /proc/sys/net/ipv4/neigh/*/gc_stale_time

# TODO: Check rest of /usr/src/linux/Documentation/networking/ip-sysctl.txt.
# Are there any security-relevant options I missed? Check especially:
# icmp_ratelimit, icmp_ratemask, icmp_errors_use_inbound_ifaddr, arp_*.


#------------------------------------------------------------------------------
# Default policies.
#------------------------------------------------------------------------------

# Drop everything by default.
# Note: The default policies are set _before_ flushing the chains, to prevent
# a short timespan between flushing the chains and setting policies where
# any traffic would be allowed.
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP

# Set the nat/mangle/raw tables' chains to ACCEPT (we don't use them).
# Packets will simply pass through these tables unchanged.
# TODO: What happens if the modules aren't loaded?
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT

$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P INPUT ACCEPT
$IPTABLES -t mangle -P FORWARD ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT
$IPTABLES -t mangle -P POSTROUTING ACCEPT

# TODO: Correct? Remove this?
# $IPTABLES -t raw -P PREROUTING ACCEPT
# $IPTABLES -t raw -P OUTPUT ACCEPT


#------------------------------------------------------------------------------
# Cleanup.
#------------------------------------------------------------------------------

# Delete all rules.
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F

# Delete all (non-builtin) user-defined chains.
$IPTABLES -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X

# Zero all packet and byte counters.
$IPTABLES -Z
$IPTABLES -t nat -Z
$IPTABLES -t mangle -Z


#------------------------------------------------------------------------------
# Completely disable IPv6.
#------------------------------------------------------------------------------

# Block all IPv6 traffic, otherwise the firewall might be circumvented by an
# attacker who simply sends IPv6 traffic instead of IPv4 traffic.
# Note: The safest way to prevent IPv6 traffic is to not enable support for
# IPv6 in the kernel in the first place (neither built-in nor as a module).

# If the ip6tables command is available, try to block all IPv6 traffic.
if test -x $IP6TABLES; then
  # Set the default policies (drop everything).
  $IP6TABLES -P INPUT DROP 2>/dev/null
  $IP6TABLES -P FORWARD DROP 2>/dev/null
  $IP6TABLES -P OUTPUT DROP 2>/dev/null

  # The mangle table can pass everything through unaltered (we don't use it).
  $IP6TABLES -t mangle -P PREROUTING ACCEPT 2>/dev/null
  $IP6TABLES -t mangle -P INPUT ACCEPT 2>/dev/null
  $IP6TABLES -t mangle -P FORWARD ACCEPT 2>/dev/null
  $IP6TABLES -t mangle -P OUTPUT ACCEPT 2>/dev/null
  $IP6TABLES -t mangle -P POSTROUTING ACCEPT 2>/dev/null

  # Delete all rules.
  $IP6TABLES -F 2>/dev/null
  $IP6TABLES -t mangle -F 2>/dev/null

  # Delete all (non-builtin) user-defined chains.
  $IP6TABLES -X 2>/dev/null
  $IP6TABLES -t mangle -X 2>/dev/null

  # Zero all packet and byte counters.
  $IP6TABLES -Z 2>/dev/null
  $IP6TABLES -t mangle -Z 2>/dev/null
fi


#------------------------------------------------------------------------------
# Custom user-defined chains.
#------------------------------------------------------------------------------

# LOG packets, then ACCEPT them.
$IPTABLES -N ACCEPTLOG
$IPTABLES -A ACCEPTLOG -j $LOG $RLIMIT --log-prefix "ACCEPT "
$IPTABLES -A ACCEPTLOG -j ACCEPT

# LOG packets, then DROP them.
$IPTABLES -N DROPLOG
$IPTABLES -A DROPLOG -j $LOG $RLIMIT --log-prefix "DROP "
$IPTABLES -A DROPLOG -j DROP

# LOG packets, then REJECT them. TCP packets are rejected with a TCP reset.
$IPTABLES -N REJECTLOG
$IPTABLES -A REJECTLOG -j $LOG $RLIMIT --log-prefix "REJECT "
$IPTABLES -A REJECTLOG -p tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A REJECTLOG -j REJECT

# A custom chain which only allows minimal (RELATED) ICMP types
# (destination-unreachable, time-exceeded, and parameter-problem).
# TODO: Rate-limit this traffic?
# TODO: Allow fragmentation-needed?
# TODO: Test.
$IPTABLES -N RELATED_ICMP 
$IPTABLES -A RELATED_ICMP -p icmp --icmp-type destination-unreachable -j ACCEPT
$IPTABLES -A RELATED_ICMP -p icmp --icmp-type time-exceeded -j ACCEPT
$IPTABLES -A RELATED_ICMP -p icmp --icmp-type parameter-problem -j ACCEPT
$IPTABLES -A RELATED_ICMP -j DROPLOG


#------------------------------------------------------------------------------
# Only allow the minimally required/recommended parts of ICMP. Block the rest.
# For details see:
#   * http://tools.ietf.org/html/792
#   * http://tools.ietf.org/html/1122
#   * http://www.iana.org/assignments/icmp-parameters
#   * http://www.daemon.be/maarten/icmpfilter.html
#------------------------------------------------------------------------------

# Note: Be careful if you're using kernels older than 2.4.29. Some locally
# generated ICMP error types (going through OUTPUT) are erroneously tagged
# as INVALID (instead of RELATED).
# Details: http://lists.debian.org/debian-firewall/2006/05/msg00051.html.

# TODO: This section needs a lot of testing!

# First, drop all fragmented ICMP packets (almost always malicious).
$IPTABLES -A INPUT -p icmp --fragment -j DROPLOG
$IPTABLES -A OUTPUT -p icmp --fragment -j DROPLOG
$IPTABLES -A FORWARD -p icmp --fragment -j DROPLOG

# Allow all ESTABLISHED ICMP traffic.
# TODO: Tighten this some more?
$IPTABLES -A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT $RLIMIT
$IPTABLES -A OUTPUT -p icmp -m state --state ESTABLISHED -j ACCEPT $RLIMIT

# Allow some parts of the RELATED ICMP traffic, block the rest.
# TODO: FORWARD?
$IPTABLES -A INPUT -p icmp -m state --state RELATED -j RELATED_ICMP $RLIMIT
$IPTABLES -A OUTPUT -p icmp -m state --state RELATED -j RELATED_ICMP $RLIMIT

# Allow incoming ICMP echo requests (ping), but only rate-limited.
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT $RLIMIT

# Allow outgoing ICMP echo requests (ping), but only rate-limited.
# TODO: Really do rate limiting here?
$IPTABLES -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT $RLIMIT

# Drop any other ICMP traffic.
$IPTABLES -A INPUT -p icmp -j DROPLOG
$IPTABLES -A OUTPUT -p icmp -j DROPLOG
$IPTABLES -A FORWARD -p icmp -j DROPLOG


#------------------------------------------------------------------------------
# Selectively allow certain special types of traffic.
#------------------------------------------------------------------------------

# Allow all incoming and outgoing connections on the loopback interface.
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

# Allow incoming connections related to existing allowed connections.
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow outgoing connections related to existing allowed connections.
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Uncomment this (and comment the above line) to allow all outgoing
# connections (except for INVALID ones).
# $IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# TODO: Read Securing Debian Manual's "Disabling weak-end hosts issues".
# For details see:
#   * http://www.debian.org/doc/manuals/securing-debian-howto/
#   * ftp://ftp.isi.edu/in-notes/rfc1122.txt

# TODO: Split the ESTABLISHED,RELATED rules by state, protocol, type?


#------------------------------------------------------------------------------
# Miscellaneous.
#------------------------------------------------------------------------------

# Drop SMB/CIFS, and related Windows traffic without logging. We don't care.
# TODO: I think not all of these use TCP _and_ UDP. Tighten the rules!
$IPTABLES -A INPUT -p tcp -m multiport \
          --dports 135,137,138,139,445,1433,1434 -j DROP
$IPTABLES -A INPUT -p udp -m multiport \
          --dports 135,137,138,139,445,1433,1434 -j DROP

# Explicitly drop invalid incoming traffic (use DROPLOG if you want logging).
$IPTABLES -A INPUT -m state --state INVALID -j DROP

# Drop invalid outgoing traffic, too.
# Note: This may prevent you from performing certain scans. Also, see above
# comment about ICMP packets being erroneously marked as INVALID instead of
# RELATED in kernels older than 2.4.29. Remove this rule if needed.
$IPTABLES -A OUTPUT -m state --state INVALID -j DROP

# This is not needed, as we use policy DROP for FORWARD, and we disabled
# ip_forward anyways. However, if we would use NAT, INVALID packets would
# bypass our rules, so we block them explicitly here, just in case.
$IPTABLES -A FORWARD -m state --state INVALID -j DROP

# Hinder portscanners a bit.
$IPTABLES -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP

# TODO: Some more anti-spoofing rules? For example:
# TODO: Test.
# $IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
# $IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# $IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# TODO: Block known-bad IPs (see http://www.dshield.org/top10.php).
# $IPTABLES -A INPUT -s INSERT-BAD-IP-HERE -j DROPLOG


#------------------------------------------------------------------------------
# Drop any traffic from IANA-reserved IPs.
# Note: You could easily block valid traffic, e.g. if your ISP uses private
# addresses (see RFC 1918) in their network. If in doubt, remove these rules.
# Note: this list reflects the IANA allocations of 2006; several of the /8s
# below (for example 5/8, 23/8, 50/8 and 77/8) have since been assigned, so
# check a current bogon list before using it.
# For details see:
#   * ftp://ftp.iana.org/assignments/ipv4-address-space
#   * http://www.cymru.com/Documents/bogon-bn-agg.txt
#------------------------------------------------------------------------------

$IPTABLES -A INPUT -s 0.0.0.0/7 -j DROP
$IPTABLES -A INPUT -s 2.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 5.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 7.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 10.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 23.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 27.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 31.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 36.0.0.0/7 -j DROP
$IPTABLES -A INPUT -s 39.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 42.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 49.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 50.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 77.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 78.0.0.0/7 -j DROP
$IPTABLES -A INPUT -s 92.0.0.0/6 -j DROP
$IPTABLES -A INPUT -s 96.0.0.0/4 -j DROP
$IPTABLES -A INPUT -s 112.0.0.0/5 -j DROP
$IPTABLES -A INPUT -s 120.0.0.0/8 -j DROP
# $IPTABLES -A INPUT -s 127.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 169.254.0.0/16 -j DROP
$IPTABLES -A INPUT -s 172.16.0.0/12 -j DROP
$IPTABLES -A INPUT -s 173.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 174.0.0.0/7 -j DROP
$IPTABLES -A INPUT -s 176.0.0.0/5 -j DROP
$IPTABLES -A INPUT -s 184.0.0.0/6 -j DROP
$IPTABLES -A INPUT -s 192.0.2.0/24 -j DROP
# $IPTABLES -A INPUT -s 192.168.0.0/16 -j DROP
$IPTABLES -A INPUT -s 197.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 198.18.0.0/15 -j DROP
$IPTABLES -A INPUT -s 223.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 224.0.0.0/3 -j DROP


#------------------------------------------------------------------------------
# Selectively allow certain outbound connections, block the rest.
# TODO: This could be tightened a bit more (limit source/dest port ranges).
#------------------------------------------------------------------------------

# Allow outgoing DNS requests. Few things will work without this.
$IPTABLES -A OUTPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT

# Allow outgoing HTTP requests. Unencrypted, use with care.
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT

# Allow outgoing HTTPS requests.
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT

# Allow outgoing SMTPS requests. Do NOT allow unencrypted SMTP!
# $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 465 -j ACCEPT

# Allow outgoing "submission" requests.
# Submission (RFC 2476) is used for sending email, and uses port 587.
# This can be encrypted or unencrypted, depending on the server (I think).
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 587 -j ACCEPT

# Allow outgoing POP3S requests. Do NOT allow unencrypted POP3!
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 995 -j ACCEPT

# Allow outgoing SSH requests.
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT

# Allow outgoing FTP requests. Unencrypted, use with care.
# Note: This usually needs the ip_conntrack_ftp kernel module.
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT

# Allow outgoing NNTP requests. Unencrypted, use with care.
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 119 -j ACCEPT

# Allow outgoing NTP requests. Unencrypted, use with care.
$IPTABLES -A OUTPUT -m state --state NEW -p udp --dport 123 -j ACCEPT

# Allow outgoing IRC requests. Unencrypted, use with care.
# Note: This usually needs the ip_conntrack_irc kernel module.
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 6667 -j ACCEPT

# Allow outgoing requests to various proxies. Unencrypted, use with care.
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 8080 -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 8090 -j ACCEPT

# Allow outgoing DHCP requests. Unencrypted, use with care.
# TODO: This is completely untested, I have no idea whether it works!
# TODO: I think this can be tightened a bit more.
$IPTABLES -A OUTPUT -m state --state NEW -p udp \
          --sport 67:68 --dport 67:68 -j ACCEPT

# Allow outgoing CVS requests. Unencrypted, use with care.
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 2401 -j ACCEPT

# Allow outgoing SVN requests. Unencrypted, use with care.
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 3690 -j ACCEPT

# Allow outgoing Tor (http://tor.eff.org) requests.
# Note: Do _not_ use unencrypted protocols over Tor (sniffing is possible)!
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9001 -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9002 -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9030 -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9031 -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9090 -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9091 -j ACCEPT

# Allow outgoing Bacula (http://www.bacula.org) requests.
# Unencrypted (usually), use with care.
# Ports: Console -> DIR:9101, DIR -> SD:9103, DIR -> FD:9102, FD -> SD:9103
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9101 -j ACCEPT
# $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9103 -j ACCEPT
# $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9102:9103 -j ACCEPT

# Allow outgoing OpenVPN requests.
$IPTABLES -A OUTPUT -m state --state NEW -p udp --dport 1194 -j ACCEPT

# TODO: ICQ, ...


#------------------------------------------------------------------------------
# Selectively allow certain inbound connections, block the rest.
# TODO: This could be tightened a bit more (limit source/dest port ranges).
#------------------------------------------------------------------------------

# Allow incoming DNS requests.
# $IPTABLES -A INPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT

# Allow incoming HTTP requests.
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT

# Allow incoming HTTPS requests.
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT

# Allow incoming POP3 requests.
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 110 -j ACCEPT

# Allow incoming POP3S requests.
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 995 -j ACCEPT

# Allow incoming SMTP requests.
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 25 -j ACCEPT

# Allow incoming SSH requests.
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT

# Allow incoming FTP requests.
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT

# Allow incoming NNTP requests.
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 119 -j ACCEPT

# Allow incoming BitTorrent requests.
# TODO: Are these already handled by ACCEPTing established/related traffic?
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 6881 -j ACCEPT
# $IPTABLES -A INPUT -m state --state NEW -p udp --dport 6881 -j ACCEPT

# Allow incoming nc requests.
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 2030 -j ACCEPT
# $IPTABLES -A INPUT -m state --state NEW -p udp --dport 2030 -j ACCEPT

# Allow incoming Bacula (http://www.bacula.org) requests.
# Ports: Console -> DIR:9101, DIR -> SD:9103, DIR -> FD:9102, FD -> SD:9103
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 9102 -j ACCEPT
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 9101:9103 -j ACCEPT


#------------------------------------------------------------------------------
# Explicitly log and reject everything else.
#------------------------------------------------------------------------------

# Use REJECT instead of REJECTLOG if you don't need/want logging.
$IPTABLES -A INPUT -j REJECTLOG
$IPTABLES -A OUTPUT -j REJECTLOG
$IPTABLES -A FORWARD -j REJECTLOG


#------------------------------------------------------------------------------
# Testing the firewall.
#------------------------------------------------------------------------------

# You should check/test that the firewall really works, using for example
# iptables -vnL, nmap, ping, telnet, ...


#------------------------------------------------------------------------------
# Exit gracefully.
#------------------------------------------------------------------------------

exit 0

OR

#!/bin/sh
#------------------------------------------------------------------------------
# File: fw_blockall
# Author: Uwe Hermann <uwe@hermann-uwe.de>
# URL: http://www.hermann-uwe.de/files/fw_blockall
# License: GNU GPL (version 2, or any later version).
# $Id: fw_blockall 223 2005-06-27 19:34:07Z uh1763 $
#------------------------------------------------------------------------------

# This is a firewall script which blocks ALL access from/to everyone (INPUT,
# OUTPUT and FORWARD). Not even traffic to/from localhost is allowed.
# All pings are disabled (normal and broadcast).

# Note: This is work in progress! Any comments and suggestions are welcome!


#------------------------------------------------------------------------------
# Configuration.
#------------------------------------------------------------------------------

# For debugging:
# IPTABLES="/sbin/iptables -v"

IPTABLES="/sbin/iptables"


#------------------------------------------------------------------------------
# Kernel configuration.
#
# For details see:
#   * http://www.linuxgazette.com/issue77/lechnyr.html
#   * /usr/src/linux/Documentation/filesystems/proc.txt
#   * /usr/src/linux/Documentation/networking/ip-sysctl.txt
#------------------------------------------------------------------------------

# Disable IP forwarding.
# Note: Turning this on and off should reset all settings to their defaults.
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/ip_forward

# IP spoofing protection (i.e. source address verification).
# TODO: Only effective if IP forwarding is turned on?
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

# Enable protection against SYN flood attacks.
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Ignore all ICMP ECHO requests (i.e. disable PING).
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

# Ignore ICMP ECHO requests to broadcast/multicast addresses only.
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Log packets with impossible addresses.
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

# Don't log invalid responses to broadcast frames, they just clutter the logs.
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Don't accept or send ICMP redirects.
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects

# Don't accept source routed packets.
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route


#------------------------------------------------------------------------------
# Cleanup.
#------------------------------------------------------------------------------

# Delete all rules.
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F

# Delete all (non-builtin) user-defined chains.
$IPTABLES -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X

# Zero all packet and byte counters.
$IPTABLES -Z
$IPTABLES -t nat -Z
$IPTABLES -t mangle -Z


#------------------------------------------------------------------------------
# Default policies.
#------------------------------------------------------------------------------

$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP


#------------------------------------------------------------------------------
# Drop / reject everything explicitly, just to be sure.
#------------------------------------------------------------------------------

# Use REJECT if you want to be nicer.
$IPTABLES -A INPUT -j DROP
$IPTABLES -A OUTPUT -j DROP
$IPTABLES -A FORWARD -j DROP


#------------------------------------------------------------------------------
# Exit gracefully.
#------------------------------------------------------------------------------

exit 0

By the way, does anyone know what the most secure script for iptables is??

P.S. Sorry for my English, it's pretty bad right now.

Last edited by rs187 (2008-08-06 13:54:39)

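The kernel settings that fw_blockall writes with echo take effect immediately, but nothing in the script reads them back, and a sysctl.conf or a network script run later can silently put them back to their defaults. The following is an added example, not code from either posted script or from their authors: a POSIX sh function that reads the same keys back from /proc/sys and reports any that differ from the value the script wants. The key list is copied from the echo lines of the fw_blockall section above; the ROOT argument (normally /proc/sys) is a parameter introduced here, so the check can be exercised against a constructed directory tree without root privileges.

```sh
#!/bin/sh
# Added example: verify that the kernel hardening settings written by the
# fw_blockall script are actually in effect. Not part of either posted script.
set -eu

# key=value pairs, copied from the echo lines in fw_blockall. Edit this list
# to match the policy you actually want (icmp_echo_ignore_all=1 disables ping).
HARDENING='
net/ipv4/ip_forward=0
net/ipv4/conf/all/rp_filter=1
net/ipv4/tcp_syncookies=1
net/ipv4/icmp_echo_ignore_all=1
net/ipv4/icmp_echo_ignore_broadcasts=1
net/ipv4/conf/all/log_martians=1
net/ipv4/icmp_ignore_bogus_error_responses=1
net/ipv4/conf/all/accept_redirects=0
net/ipv4/conf/all/send_redirects=0
net/ipv4/conf/all/accept_source_route=0
'

# check_sysctl ROOT
# Reads each key under ROOT (normally /proc/sys) and prints OK, BAD or
# MISSING per key, then "SUMMARY N mismatch(es)". ROOT is an assumption made
# here so the function can be run against a fake tree for testing.
check_sysctl() {
    root=$1
    bad=0
    for entry in $HARDENING; do
        key=${entry%%=*}
        want=${entry#*=}
        path="$root/$key"
        if [ ! -r "$path" ]; then
            echo "MISSING $key (want $want)"
            bad=$((bad + 1))
            continue
        fi
        # An unreadable file is reported as a mismatch rather than aborting.
        have=$(cat "$path" 2>/dev/null || echo '?')
        if [ "$have" = "$want" ]; then
            echo "OK      $key=$have"
        else
            echo "BAD     $key=$have (want $want)"
            bad=$((bad + 1))
        fi
    done
    echo "SUMMARY $bad mismatch(es)"
}

# Stand-alone usage: report against the live kernel when /proc/sys exists.
if [ -d /proc/sys/net/ipv4 ]; then
    check_sysctl /proc/sys
fi
```

Run `check_sysctl /proc/sys` after the firewall script; reading /proc/sys needs no privileges. A value that drifts back later, for instance because a distribution sysctl.conf is applied after this script, shows up as BAD. Note that for the conf/all/* keys the kernel combines the all setting with the matching conf/<interface>/ setting, and the rule differs per key (rp_filter uses the higher of the two, accept_source_route is enabled only if both are set), so a clean report for conf/all does not by itself prove the effective per-interface value.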

#2 2008-08-06 19:56:10

ssjlegendx
Member
Registered: 2008-01-01
Posts: 94
Website

Re: Wats the most secure script for iptables??

Of the second and third scripts, the latter could perhaps be deemed the "most secure"; however, it might block more than you want. If you really want to use one of those, then I'd suggest using the second script. Otherwise, I'd recommend that you take a look here. (I only slightly examined the first script... I do not understand the language of the comments, and I'm no iptables whiz.)

Also, note that you don't have to use an actual script to set up the rules; rather, you can save the rules you want to a file that will be read by iptables automatically (/etc/iptables/iptables.rules). Here's a modified version of mine:

# /etc/iptables/iptables.rules
# These rules (and the commented instructions) derived from:
# http://ubuntuforums.org/showthread.php?t=159661

*nat
:PREROUTING ACCEPT [163:50538]
:POSTROUTING ACCEPT [40:2451]
:OUTPUT ACCEPT [40:2451]
COMMIT

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:FIREWALL - [0:0]
:TRUSTED - [0:0]
-A INPUT -j FIREWALL
-A FORWARD -j DROP
-A FIREWALL -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FIREWALL -i lo -j ACCEPT
-A FIREWALL -j TRUSTED
-A FIREWALL -j DROP

# put your own exceptions here, like so (replacing <tcp/udp> with either "tcp" or
# "udp" -- minus the quotes -- and <port number> with the port you'd like to open):
# -A TRUSTED -p <tcp/udp> -m <tcp/udp> --dport <port number> -j ACCEPT

COMMIT

Of course, there are benefits to keeping the rules in a script. For instance, you could then easily set the default iptables rules, allow all traffic, etc. Plus, some firewall-related things (such as the various echo commands in the scripts you provided) cannot (to my knowledge) be done by iptables alone.

If you already have a script that sets up the rules you would like to use, you can save yourself the hassle of creating a rules file by following the directions outlined here.

Last edited by ssjlegendx (2008-08-06 20:17:00)


#!/vim/rocks

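A rules file like the one above can be checked before it is ever loaded: the iptables-save format is plain text, so the default policies and the ports that accept new connections can be read straight out of it. The following is an added example, not part of the posted rules file or of the Ubuntu Forums thread it was derived from: a POSIX sh script that audits such a file for the points the scripts in the first post care about (a DROP default policy on INPUT and FORWARD, a loopback rule, an ESTABLISHED/RELATED rule, and which ports are opened). The embedded sample ruleset is constructed from the file above, with one TRUSTED exception for tcp/22 filled in so that the port listing has something to report, and a second copy with DROP policies is derived from it for comparison.

```sh
#!/bin/sh
# Added example: audit an iptables-save / iptables-restore rules file as text,
# without loading it. Not part of the posted rules file or of any script above.
set -eu

# Constructed sample: the rules file from the post, with one TRUSTED exception
# (tcp/22) filled in. Counters are zeroed; iptables-restore ignores them
# unless -c is given.
SAMPLE_RULES=$(cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:FIREWALL - [0:0]
:TRUSTED - [0:0]
-A INPUT -j FIREWALL
-A FORWARD -j DROP
-A FIREWALL -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FIREWALL -i lo -j ACCEPT
-A FIREWALL -j TRUSTED
-A FIREWALL -j DROP
-A TRUSTED -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
EOF
)

# The same file with fail-closed default policies on INPUT and FORWARD.
HARDENED_RULES=$(printf '%s\n' "$SAMPLE_RULES" \
    | sed -e 's/^:INPUT ACCEPT/:INPUT DROP/' -e 's/^:FORWARD ACCEPT/:FORWARD DROP/')

# policy_of TABLE CHAIN  (rules on stdin): print the builtin chain's policy.
policy_of() {
    awk -v t="*$1" -v c=":$2" '
        $1 == t         { in_t = 1; next }
        $1 == "COMMIT"  { in_t = 0; next }
        in_t && $1 == c { print $2; exit }'
}

# accepted_ports TABLE  (rules on stdin): print "proto port" for every rule in
# the table that ACCEPTs a destination port (-j ACCEPT with --dport/--dports).
accepted_ports() {
    awk -v t="*$1" '
        $1 == t             { in_t = 1; next }
        $1 == "COMMIT"      { in_t = 0; next }
        !in_t || $1 != "-A" { next }
        {
            proto = ""; port = ""; target = ""
            for (i = 2; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                else if ($i == "--dport" || $i == "--dports") port = $(i + 1)
                else if ($i == "-j") target = $(i + 1)
            }
            if (proto == "") proto = "any"
            if (target == "ACCEPT" && port != "") print proto, port
        }'
}

# audit  (rules on stdin): print WARN/INFO lines and a SUMMARY line.
# The loopback and state checks only test that such a rule exists somewhere in
# the file; they do not prove the chain holding it is reached from INPUT.
audit() {
    rules=$(cat)
    warnings=0
    for chain in INPUT FORWARD; do
        pol=$(printf '%s\n' "$rules" | policy_of filter "$chain")
        if [ "$pol" != DROP ]; then
            echo "WARN filter/$chain policy is ${pol:-unset}: only closed while the rules are loaded; iptables -F opens it. Use -P $chain DROP."
            warnings=$((warnings + 1))
        fi
    done
    printf '%s\n' "$rules" | grep -q -- '-i lo .*-j ACCEPT' \
        || { echo "WARN no ACCEPT rule for the loopback interface"; warnings=$((warnings + 1)); }
    printf '%s\n' "$rules" | grep -qE -- '--(ct)?state [A-Z,]*ESTABLISHED.*-j ACCEPT' \
        || { echo "WARN no ESTABLISHED/RELATED ACCEPT rule"; warnings=$((warnings + 1)); }
    printf '%s\n' "$rules" | accepted_ports filter | while read -r proto port; do
        echo "INFO accepts new connections on $proto/$port"
    done
    echo "SUMMARY $warnings warning(s)"
}

# Stand-alone usage: the posted file beside its fail-closed variant.
printf '%s\n' "$SAMPLE_RULES" | audit
echo ---
printf '%s\n' "$HARDENED_RULES" | audit
```

Run it against a real file with `audit < /etc/iptables/iptables.rules`. The two warnings on the sample are the point of the check: with `:INPUT ACCEPT` the host is only closed while the FIREWALL chain is intact, so an `iptables -F` (or any script that flushes before rebuilding) leaves every port reachable, whereas `:INPUT DROP` fails closed; the same holds for `:FORWARD ACCEPT` with the explicit `-A FORWARD -j DROP`. For a syntax check of the file itself, `iptables-restore --test < file` parses it without committing anything.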

#3 2008-08-06 20:35:23

Sjoden
Member
From: WA
Registered: 2007-08-16
Posts: 380
Website

Re: Wats the most secure script for iptables??

Something like this is a pretty good start.

-P INPUT DROP
-P FORWARD DROP
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -m state --state RELATED,ESTABLISHED -j ACCEPT

If you don't do anything fancy and don't run any services, do you need much more than that?

Last edited by Sjoden (2008-08-06 20:35:50)


#4 2008-08-06 21:18:19

ssjlegendx
Member
Registered: 2008-01-01
Posts: 94
Website

Re: Wats the most secure script for iptables??

Sjoden wrote:

Something like this is a pretty good start.

-P INPUT DROP
-P FORWARD DROP
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -m state --state RELATED,ESTABLISHED -j ACCEPT

If you don't do anything fancy and don't run any services, do you need much more than that?

Indeed, it seems that that set of rules would work well. New rules (like the one mentioned in the file I posted above) could be added to take care of any special services.

Perhaps I should revise the rules I'm using!


#!/vim/rocks


#5 2008-08-06 21:25:40

Sjoden
Member
From: WA
Registered: 2007-08-16
Posts: 380
Website

Re: Wats the most secure script for iptables??

Glad to hear that what I'm using should keep me pretty safe, but I don't want to take credit for what I didn't do. Here is a pretty good discussion about iptables and security:

http://bbs.archlinux.org/viewtopic.php?id=50366


#6 2008-08-06 21:31:16

ssjlegendx
Member
Registered: 2008-01-01
Posts: 94
Website

Re: Wats the most secure script for iptables??

Sjoden wrote:

Glad to hear that what I'm using should keep me pretty safe, but I don't want to take credit for what I didn't do. Here is a pretty good discussion about iptables and security:

http://bbs.archlinux.org/viewtopic.php?id=50366

Similarly, most of what I posted was reaped/derived from the Ubuntu Forums (here).


#!/vim/rocks



Powered by FluxBB