Re: decrypting iptables?

On Sun, 2008-11-30 at 11:49 -0500, Tom Horsley wrote:
> Any other less cryptic GUI options

I suppose that depends on what you mean by cryptic.  Is it the syntax of
the commands that you don't understand, or the functions that a rule
needs?

I used to set mine using a script, with a pile of iptables commands.
That made it easy to repeat (run the script again), easy to undo changes
(you can comment out things, and try variations), and much more flexible
than anybody's control GUI.  I'd run the script to change or apply the
settings.  It saved them in the place iptables loads its initial
settings, so the computer would always boot up with my configuration,
without me needing to modify anything.

Something like the following example (which dates back to when I used
dialup).  I always used the expanded, rather than abbreviated, commands;
it's easier to interpret.

#!/bin/bash

## Turn off IP forwarding while altering configuration:
## (Put it back on again, at end, if needed.)

echo 0 > /proc/sys/net/ipv4/ip_forward

## Flush any pre-existing rules:

iptables --flush INPUT
iptables --flush OUTPUT
iptables --flush FORWARD

iptables --flush
iptables --table nat --flush

iptables --delete-chain
iptables --table nat --delete-chain

## Set default (policy) rules:

iptables --policy INPUT DROP
iptables --policy OUTPUT ACCEPT
iptables --policy FORWARD ACCEPT


## Drop non-internet networking addresses on the internet connection:

iptables --append INPUT --jump DROP --in-interface ppp+ --source 192.168.0.0/16
iptables --append INPUT --jump DROP --in-interface ppp+ --source 172.16.0.0/12
iptables --append INPUT --jump DROP --in-interface ppp+ --source 10.0.0.0/8
iptables --append INPUT --jump DROP --in-interface ppp+ --source 127.0.0.0/8
iptables --append INPUT --jump DROP --in-interface ppp+ --source 169.254.0.0/16
iptables --append INPUT --jump DROP --in-interface ppp+ --source 192.0.2.0/24
iptables --append INPUT --jump DROP --in-interface ppp+ --source 204.152.64.0/23
iptables --append INPUT --jump DROP --in-interface ppp+ --source 224.0.0.0/3


## Accept some things:

iptables --append INPUT --jump ACCEPT --protocol tcp --destination-port 80
iptables --append INPUT --jump ACCEPT --protocol tcp --destination-port https

## Allow established and related outside communications to this system,
## and allow outside communications to the firewall, except for ICMP packets:
## (Could be tightened up, adding conditions about specific ports.)
## (Negation goes before the option: "! --protocol icmp"; the older
## "--protocol ! icmp" form is deprecated in current iptables.)

iptables --append INPUT --match state --state ESTABLISHED,RELATED --in-interface ppp+ ! --protocol icmp --jump ACCEPT


## Prevent connections initiated from the outside world:
## (Can interfere with some services which connect back, later on, such as file transfers or webcams on IM programs.)

iptables --append INPUT --match state --state NEW --in-interface ppp+ --jump DROP


## Allow all local communications to and from the firewall on ETH from the local network:

iptables --append INPUT --jump ACCEPT --protocol all --in-interface eth+ --source 192.168.0.0/16


## Internet connection sharing:
## Set up masquerading to allow internal machines access to outside network:
#iptables --table nat --append POSTROUTING --out-interface ppp+ --jump MASQUERADE

## Turn on IP forwarding, only needed for above internet connection sharing rule:
#echo 1 > /proc/sys/net/ipv4/ip_forward


## Save iptables rules to the default iptables rules file (used at boot-up):
## (Red Hat's own /etc/init.d/iptables script looks here.)

iptables-save > /etc/sysconfig/iptables


-- 
[tim@localhost ~]$ uname -r
2.6.27.5-41.fc9.i686

Don't send private replies to my address, the mailbox is ignored.  I
read messages from the public lists.



-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
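A check worth running after the iptables-save step in a script like the one above, as an added example of my own and not code from the post: it reads a saved rules file offline (a constructed sample is embedded; the real file would be /etc/sysconfig/iptables), verifies that INPUT defaults to DROP, that every --dport ACCEPT sits before the catch-all "NEW -> DROP" on ppp+ (otherwise that service is unreachable from the internet side), and counts rules still written with the old in-position negation that current iptables warns about.

```shell
#!/bin/sh
# Added example, not part of the original post: offline checks on a saved
# rules file (e.g. /etc/sysconfig/iptables) so a mistake in the script is
# caught before the rules are reloaded at boot.

# Constructed sample in iptables-save format, modelled on the script above.
SAMPLE_RULES=$(mktemp)
cat > "$SAMPLE_RULES" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i ppp+ -s 10.0.0.0/8 -j DROP
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i ppp+ -p ! icmp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i ppp+ -m state --state NEW -j DROP
-A INPUT -i eth+ -s 192.168.0.0/16 -j ACCEPT
COMMIT
EOF

# Default policy of a chain in the file (e.g. "DROP" for INPUT).
chain_policy() {  # $1 = file, $2 = chain name
    awk -v c=":$2" '$1 == c { print $2; exit }' "$1"
}

# Count rules written with the old in-position negation ("-p ! icmp");
# current iptables expects "! -p icmp" and warns about the old form.
count_intrapositioned() {  # $1 = file
    grep -c -E -- '(^|[[:space:]])-[a-z-]+[[:space:]]+!([[:space:]]|$)' "$1" || true
}

# Line number of the first rule matching an extended regex, 0 if none.
rule_line() {  # $1 = file, $2 = regex
    n=$(grep -n -E -- "$2" "$1" | head -n 1 | cut -d: -f1)
    echo "${n:-0}"
}

# Verdict: INPUT must default to DROP, the catch-all "NEW -> DROP" must be
# present, and every --dport ACCEPT must come before it, otherwise that
# service is silently unreachable from the internet side.
check_ruleset() {  # $1 = file
    [ "$(chain_policy "$1" INPUT)" = "DROP" ] || return 1
    new_drop=$(rule_line "$1" '^-A INPUT .*--state NEW .*-j DROP')
    [ "$new_drop" -gt 0 ] || return 1
    grep -n -E -- '^-A INPUT .*--dport .*-j ACCEPT' "$1" | cut -d: -f1 |
        awk -v limit="$new_drop" '$1 > limit { bad = 1 } END { exit bad + 0 }'
}

check_ruleset "$SAMPLE_RULES" && echo "ruleset passes checks" || echo "ruleset FAILS checks" >&2
```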
