On Fri, 2004-07-02 at 15:41, Jason Costomiris wrote:

snip

> # These flush any existing rules
> iptables -F
> iptables -F INPUT
> iptables -F OUTPUT
> iptables -F FORWARD
> iptables -F -t mangle
> iptables -F -t nat
> iptables -X
>
> # These set an initial drop everything policy
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -P FORWARD DROP
>
> # For connections already deemed OK
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # Setup stuff you're allowing to talk directly to the firewall
> # eg - ssh to firewall from 10.1.1.0/24:
> iptables -A INPUT -p tcp -m state --state NEW -s 10.1.1.0/24 --dport 22 -j ACCEPT
>
> # Setup stuff you're allowing to talk outbound from the firewall
> # eg - ssh to anywhere
> iptables -A OUTPUT -p tcp -m state --state NEW -d 0/0 --dport 22 -j ACCEPT
>
> # Setup stuff you're forwarding outbound
> # eg - internal net == 192.168.1.0/24, allow everything out
> iptables -A FORWARD -p all -m state --state NEW -s 192.168.1.0/24 -j ACCEPT
>
> # Setup stuff you're forwarding to a particular server
> # eg - https to 192.168.1.50
> iptables -A FORWARD -p tcp -m state --state NEW -d 192.168.1.50 --dport 443 -j ACCEPT

snip

I like how you set up your firewall. If I might suggest one thing, what I
do is add rules such as

# log the first packet of every new outbound connection from the
# internal net (192.168.1.0/24 in the script above)
iptables -I FORWARD -s 192.168.1.0/24 -d 0/0 -m state --state NEW -j LOG \
    --log-level WARN --log-prefix "First out from "

Then in syslog.conf add something like

# Log general networking info
*.notice        /var/log/networking
*.warn          /var/log/firewall
# Log cron stuff

-- 
jludwig <wralphie@xxxxxxxxxxx>
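As an added example, not Jason's script and not the rule jludwig posted, here is the same default-deny ruleset assembled into one shell function with the "first packet out" LOG rule in it. Two things differ from the posted one-liner and are this example's own choices: the LOG rule is appended after the ESTABLISHED,RELATED accept and just before the ACCEPT for NEW forwards, so only connection openers ever reach it, and it carries an `-m limit` clause so a scanning host on the inside cannot flood the log. The network values (192.168.1.0/24, 10.1.1.0/24, 192.168.1.50) are taken from the quoted script; the `FW_DRY_RUN` variable and the helper names are assumptions of this example.

```shell
#!/bin/sh
# Added example: default-deny stateful ruleset with a "first packet out"
# LOG rule.  Not the original poster's script.
# Assumptions: internal net 192.168.1.0/24, admin net 10.1.1.0/24 and web
# server 192.168.1.50 (all from the quoted script), and an FW_DRY_RUN
# variable: when set to 1 the iptables commands are printed instead of
# applied, so the rule order can be reviewed without root.

INTERNAL_NET="${INTERNAL_NET:-192.168.1.0/24}"
ADMIN_NET="${ADMIN_NET:-10.1.1.0/24}"
WEB_SERVER="${WEB_SERVER:-192.168.1.50}"

# ipt runs iptables, or prints the command line in dry-run mode.
ipt() {
    if [ "${FW_DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "iptables $*"
    else
        iptables "$@"
    fi
}

build_rules() {
    # Flush all tables and user-defined chains, then default-deny.
    ipt -F
    ipt -F -t nat
    ipt -F -t mangle
    ipt -X
    ipt -P INPUT DROP
    ipt -P OUTPUT DROP
    ipt -P FORWARD DROP

    # Fast path: packets of already-tracked connections are accepted here
    # and never reach the LOG rule below.
    ipt -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Log the first packet of each new outbound connection from the inside.
    # LOG is a non-terminating target, so the ACCEPT that follows still
    # applies.  -m limit caps the log rate (30/min, burst 60) so a port
    # scan or worm on the internal net cannot fill the disk; packets over
    # the limit simply skip the LOG rule and are still accepted.
    ipt -A FORWARD -s "$INTERNAL_NET" -m state --state NEW \
        -m limit --limit 30/minute --limit-burst 60 \
        -j LOG --log-level warning --log-prefix "First out from "
    ipt -A FORWARD -s "$INTERNAL_NET" -m state --state NEW -j ACCEPT

    # To the firewall itself: ssh from the admin net only.
    ipt -A INPUT -p tcp -m state --state NEW -s "$ADMIN_NET" --dport 22 -j ACCEPT
    # From the firewall itself: ssh to anywhere.
    ipt -A OUTPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
    # Forwarded inbound: https to the web server.
    ipt -A FORWARD -p tcp -m state --state NEW -d "$WEB_SERVER" --dport 443 -j ACCEPT
}

# forward_rule_order prints the FORWARD-chain rules, one per line, in the
# order they would be appended (dry run, no root needed).
forward_rule_order() {
    ( FW_DRY_RUN=1; build_rules ) | grep -- '-A FORWARD'
}

case "${1:-}" in
    apply) build_rules ;;
    show)  ( FW_DRY_RUN=1; build_rules ) ;;
esac
```

Run it as `sh fw.sh show` to review the generated commands and `sh fw.sh apply` (as root) to load them. With `--log-level warning` the entries arrive through the kernel log at priority warning, which is what the `*.warn /var/log/firewall` line in the syslog.conf fragment above picks up. Inserting the LOG rule at the top of FORWARD with `-I`, as in the posted one-liner, is not wrong (the `--state NEW` match keeps established traffic out of the log either way), but appending it after the ESTABLISHED rule keeps the per-packet path for existing connections to a single rule.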