[KLUG Members] iptables
Buxton, Peter-Cons B [Non-Employee/0200]
members@kalamazoolinux.org
Fri, 21 Feb 2003 14:57:30 -0500
This is an odd way to do it
# Generated by iptables-save v1.2.6a on Fri Feb 21 13:08:49 2003
*filter
:INPUT ACCEPT [966:172775]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4949:814105]
:RH-Lokkit-0-50-INPUT - [0:0]
These are tables. INPUT, FORWARD and OUTPUT are all built-in tables.
RH-Lokkit-0-50-INPUT is a user-created one.
They're all set to default ACCEPT??? :-P
-j [ACCEPT, DROP, QUEUE, RETURN] are all targets. Tables can be targets. I
haven't used QUEUE. RETURN means to continue from the last -j branch. REJECT
is a new, experimental target.
sample rule: -A [from target] rules rules rules -j [to target]
-A INPUT -j RH-Lokkit-0-50-INPUT
All INPUT goes to RH-L.
-A RH-Lokkit-0-50-INPUT -s 192.168.40.0/255.255.255.0 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j ACCEPT
Accept all incoming (AAI) new TCP connections from 192.168.40.* with, of
the SYN, RST and ACK flags, only SYN set.
-A RH-Lokkit-0-50-INPUT -s 192.168.40.0/255.255.255.0 -j ACCEPT
AAI everything from 192.168.40.*.
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
AAI new TCP traffic to port 80 (www).
What about --state? Where is the ESTABLISHED rule? Or RELATED?
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 15353 -j ACCEPT
AAI UDP traffic on port 15353. (???)
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
AAI new SSH traffic.
-A RH-Lokkit-0-50-INPUT -i eth0 -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT
On interface eth0, allow all UDP between ports 67-8. BOOTP/DHCP? Hmm, who
do you want to take DHCP from?
-A RH-Lokkit-0-50-INPUT -i eth1 -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT
Ditto for eth1.
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
Accept all loopback traffic.
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
Reject all NEW incoming TCP traffic for ports 0-1023 that hasn't matched a
previous -j ACCEPT above with an ICMP port-unreachable error.
Why?
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2049 --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
Again, port 2049.
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 0:1023 -j REJECT --reject-with icmp-port-unreachable
REJECT all previously unallowed UDP traffic, ports 0-1023.
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 2049 -j REJECT --reject-with icmp-port-unreachable
Yadda.
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 6000:6009 --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
Kill X windows over TCP/IP.
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 7100 --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
Kill X Font servers.
COMMIT
--
Peter Buxton
OpenVMS Support
0200-259-089
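As an added example (not part of Peter's post or of Lokkit), here is a small POSIX shell audit that reads an iptables-save dump like the one above and reports the three things the post keeps asking about: which built-in chains are still at a default ACCEPT policy, whether any rule accepts ESTABLISHED/RELATED traffic, and how many new-TCP ACCEPT rules have no -s source restriction. Both dumps inside the script are constructed: the first is a trimmed copy of the posted ruleset, the second is a hypothetical hardened rewrite with DROP policies and an explicit state rule. The function names are our own.

```shell
#!/bin/sh
# Audit helpers for an iptables-save dump. Constructed example; the dumps
# below are a trimmed copy and a hypothetical rewrite of the posted ruleset.

# Constructed sample 1: the Lokkit ruleset as posted (trimmed). Every
# built-in chain is at policy ACCEPT and there is no state-tracking rule.
LOKKIT_DUMP='*filter
:INPUT ACCEPT [966:172775]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4949:814105]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -s 192.168.40.0/255.255.255.0 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
COMMIT'

# Constructed sample 2 (hypothetical): the same ruleset the way the post's
# "where is ESTABLISHED/RELATED?" question implies: default DROP on INPUT and
# FORWARD, loopback and state rules first, and SSH only from the LAN.
HARDENED_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -s 192.168.40.0/24 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
COMMIT'

# Print the name of every chain whose policy is ACCEPT, one per line.
# Policy lines look like ":NAME POLICY [pkts:bytes]"; user chains show "-".
accept_policy_chains() {
    printf '%s\n' "$1" |
        awk '/^:/ { name = substr($1, 2); if ($2 == "ACCEPT") print name }'
}

# Print "present" if any rule matches ESTABLISHED or RELATED through the
# state or conntrack match, otherwise "missing".
state_rule_status() {
    if printf '%s\n' "$1" |
        grep -Eq -- '-m (state|conntrack) --(ct)?state [A-Z,]*(ESTABLISHED|RELATED)'
    then
        echo present
    else
        echo missing
    fi
}

# Count ACCEPT rules for new TCP connections (the SYN-only flag match the
# post explains) that carry no -s restriction, i.e. ports open to anyone.
world_open_tcp_accepts() {
    printf '%s\n' "$1" |
        grep -E -- '--tcp-flags SYN,RST,ACK SYN -j ACCEPT' |
        grep -vc -- ' -s '
}

# Human-readable summary of one dump.
report() {
    echo "== $1 =="
    echo "chains with policy ACCEPT:  $(accept_policy_chains "$2" | tr '\n' ' ')"
    echo "ESTABLISHED/RELATED rule:   $(state_rule_status "$2")"
    echo "world-open new-TCP accepts: $(world_open_tcp_accepts "$2")"
}

report "as posted" "$LOKKIT_DUMP"
report "hardened (hypothetical)" "$HARDENED_DUMP"
```

To run it against a live box instead of the embedded samples, feed the functions the output of `iptables-save` (for example `state_rule_status "$(iptables-save)"`). The SYN-only match counts as "new" only because no conntrack rule precedes it; once a state rule is in place the per-port rules only ever see the first packet of a connection, which is the point the post's question about --state is driving at.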