Thread: iptables
25th June 2007, 03:56
tommytomato
Quote:
Originally Posted by falko
How do you start the iptables firewall? Did you install an iptables-based firewall package such as shorewall or Bastille, or did you make your own custom iptables firewall?
I made a custom one, well at least I'm trying to.

Here it is:

Code:
~# cat /etc/firewall.bash
#!/bin/bash

# No spoofing: enable reverse-path filtering on every interface
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]
then
    for filtre in /proc/sys/net/ipv4/conf/*/rp_filter
    do
        echo 1 > "$filtre"
    done
fi

# No icmp
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# load some modules you may need
modprobe ip_tables
modprobe ip_nat_ftp
modprobe ip_nat_irc
modprobe iptable_filter
modprobe iptable_nat

# Remove all rules and chains
iptables -F
iptables -X

# first set the default behaviour => accept connections
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

# Create 2 chains, it allows to write a clean script
iptables -N FIREWALL
iptables -N TRUSTED

# Drop traffic from specific source addresses
iptables -A INPUT -s 83.132.97.14 -j DROP
iptables -A INPUT -s 81.199.85.110 -j DROP
iptables -A INPUT -s 218.16.120.80 -j DROP
iptables -A INPUT -s 210.59.228.94 -j DROP
iptables -A INPUT -s 219.153.0.218 -j DROP
iptables -A INPUT -s 63.93.95.121 -j DROP
iptables -A INPUT -s 203.134.154.2 -j DROP
iptables -A INPUT -s 67.52.65.10 -j DROP

# Accept loopback, then drop loopback addresses arriving on other interfaces
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -s 127.0.0.0/255.0.0.0 -j DROP
iptables -A INPUT -d 127.0.0.0/255.0.0.0 -j DROP

# Drop new TCP connections that do not start with a SYN
iptables -A INPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP

# Services open to everyone
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
I want to be able to open up ports 25 and 110 on my router, but block all access from the outside apart from my local network. Can this be done?

I still want to be able to send and receive from the outside though. I hope that makes sense.

TT
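The following is an added example, not the poster's /etc/firewall.bash and not anything from the thread: a stateful ruleset in iptables-restore format that does what the question above asks for. It keeps SSH (22) and HTTP (80) open to everyone as in the poster's script, accepts SMTP (25) and POP3 (110) only from the local network, logs (rate-limited) outside attempts to reach those two ports so they show up in the kernel log, and sets a default DROP policy. The ESTABLISHED,RELATED rule is what keeps "send and receive from the outside" working: replies to connections the host opens itself are let back in even though unsolicited inbound traffic is refused. Assumptions, all constructed for the example: the rules run on the Linux host that serves mail (port forwarding on the router is a separate matter), the LAN prefix is 192.168.1.0/24 (override with LAN_NET), and the function names are mine.

```shell
#!/bin/bash
# Added example, not the poster's script. Builds and optionally applies an
# iptables-restore ruleset that exposes ports 25 and 110 only to the LAN.
# Assumption (constructed): LAN is 192.168.1.0/24 unless LAN_NET is set.
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Emit the complete filter table for the given LAN prefix.
# Default policy is DROP, so anything not listed below is refused;
# ESTABLISHED,RELATED lets replies to the host's own outgoing connections in.
build_ruleset() {
    lan="$1"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -s $lan -p tcp --dport 25 -j ACCEPT
-A INPUT -s $lan -p tcp --dport 110 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 25,110 -m limit --limit 5/min -j LOG --log-prefix "fw-mail-denied: "
COMMIT
EOF
}

# Pre-flight check: every ACCEPT for port 25 or 110 must carry a source
# restriction (-s). Returns 0 when the ruleset is LAN-only, 1 otherwise.
check_lan_only() {
    if build_ruleset "$1" | grep -E -- '--dport (25|110) -j ACCEPT' | grep -v -q -- ' -s '; then
        return 1
    fi
    return 0
}

# Replace the whole filter table atomically. Only runs as root and only when
# APPLY=1 is set, so reading the script does nothing to the live firewall.
apply_ruleset() {
    build_ruleset "$LAN_NET" | iptables-restore
}

if [ "${APPLY:-0}" = "1" ]; then
    check_lan_only "$LAN_NET" || { echo "refusing: port 25/110 reachable from outside" >&2; exit 1; }
    apply_ruleset
fi
```

Run `build_ruleset 192.168.1.0/24` to review the table before applying it, then `APPLY=1 LAN_NET=192.168.1.0/24 ./fw.sh` as root. Denied mail-port attempts from outside appear in the kernel log with the `fw-mail-denied:` prefix, which is a cheap way to confirm the restriction is doing work.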