The Daily Static
iptables, NAT & Packet Filtering by DMDx86 2002-06-14 06:47:51
  Here are example iptables commands... by allegory 2002-06-14 07:48:48
This is nearly exactly what I use. I just dropped a few of the bizarre ones that I use for a VPN connection to a corporate network....

#!/bin/sh
# Gateway box: eth1 faces the Internet, eth0 faces the LAN.

#enable forwarding
echo "1" >/proc/sys/net/ipv4/ip_forward

#flush old rules/chains (the nat table has to be flushed separately,
#otherwise re-running the script appends a second MASQUERADE rule)
/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -t nat -F
/sbin/iptables -t nat -X

#set default policies
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD DROP

#accept ssh from the Internet side
/sbin/iptables -A INPUT -i eth1 -p tcp --dport ssh -j ACCEPT

#accept port 80 (left commented out; uncomment to expose a web server)
#/sbin/iptables -A INPUT -i eth1 -p tcp --dport 80 -j ACCEPT

#accept Loopback interface
/sbin/iptables -A INPUT -i lo -j ACCEPT

#accept everything on eth0 (the trusted LAN side)
/sbin/iptables -A INPUT -i eth0 -j ACCEPT

#Allow all packets that are from an already existing connection.
#like your NAT and stuff you started on your end.
/sbin/iptables -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

#accept all packets coming in eth0 destined to go out eth1
/sbin/iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

#drop incoming connection requests. Since you've already enabled those you
#want to happen, this drops all others hard... they can't even ping you.
/sbin/iptables -A INPUT -i eth1 -p tcp --syn -j DROP

#NAT: rewrite the source address of LAN traffic as it leaves eth1
/sbin/iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

#marker file so the Red Hat style init scripts treat the service as started
touch /var/lock/subsys/iptables
[ Reply ]
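To see what those chains actually do to a given packet, here is an added example (not from allegory's post) that models first-match-wins evaluation of the INPUT and FORWARD chains with the rules and policies listed above; the Packet fields and the state names are assumptions of the model, not iptables syntax.

```python
from dataclasses import dataclass

@dataclass
class Packet:  # constructed model of the fields the posted rules match on
    iface_in: str = ""
    iface_out: str = ""
    proto: str = "tcp"
    dport: int = 0
    syn: bool = False   # TCP connection request (--syn)
    state: str = "NEW"  # conntrack state: NEW, ESTABLISHED or RELATED

# Default policies from the -P lines of the post.
POLICY = {"INPUT": "DROP", "OUTPUT": "ACCEPT", "FORWARD": "DROP"}

# The -A lines of the post, in the order they are appended. Each entry is
# (chain, criteria, target); "states" matches any listed conntrack state.
RULES = [
    ("INPUT",   {"iface_in": "eth1", "proto": "tcp", "dport": 22}, "ACCEPT"),
    ("INPUT",   {"iface_in": "lo"}, "ACCEPT"),
    ("INPUT",   {"iface_in": "eth0"}, "ACCEPT"),
    ("INPUT",   {"iface_in": "eth1", "states": {"ESTABLISHED", "RELATED"}}, "ACCEPT"),
    ("FORWARD", {"iface_in": "eth1", "iface_out": "eth0",
                 "states": {"ESTABLISHED", "RELATED"}}, "ACCEPT"),
    ("FORWARD", {"iface_in": "eth0", "iface_out": "eth1"}, "ACCEPT"),
    ("INPUT",   {"iface_in": "eth1", "proto": "tcp", "syn": True}, "DROP"),
]

def matches(criteria, pkt):
    return all(pkt.state in want if key == "states" else getattr(pkt, key) == want
               for key, want in criteria.items())

def verdict(chain, pkt, rules=RULES):
    """First matching rule in the chain wins; otherwise the chain policy applies."""
    for rule_chain, criteria, target in rules:
        if rule_chain == chain and matches(criteria, pkt):
            return target
    return POLICY[chain]

if __name__ == "__main__":
    probes = [
        ("INPUT", Packet("eth1", dport=22, syn=True)),   # ssh from Internet
        ("INPUT", Packet("eth1", dport=80, syn=True)),   # http from Internet
        ("INPUT", Packet("eth1", proto="icmp")),         # ping from Internet
        ("FORWARD", Packet("eth0", "eth1")),             # LAN host going out
        ("FORWARD", Packet("eth1", "eth0")),             # Internet host coming in
    ]
    for chain, pkt in probes:
        print(chain, pkt, "->", verdict(chain, pkt))
```

Calling verdict() with RULES[:-1] gives the same answers for every probe, which shows the final --syn DROP rule only restates what the INPUT DROP policy already enforces.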
    erm... by SD Maruko-kun 2002-06-14 11:05:55
      that's what I get for writing comments in quickly.. (n/t) by allegory 2002-06-14 11:30:25
All images, characters, content and text are copyrighted and trademarks of J.D. Frazer except where other ownership applies. Don't do bad things, we have lawyers.