Simpel firewall by iptables

Posted by on

Needed is rules for ssh, vnc Al other ports are closed for the outside world (ok some pinging would also be nice to have)…..

#!/bin/sh
IPTABLES=/sbin/iptables
#flush tables
$IPTABLES -F INPUT
$IPTABLES -F FORWARD
$IPTABLES -F OUTPUT
$IPTABLES -F -t nat

#Default policy
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP

#allow established connections
$IPTABLES -A INPUT -i eth0 -m state –state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i ppp0 -m state –state ESTABLISHED,RELATED -j ACCEPT

#allow local connection
$IPTABLES -A INPUT -i eth1 -s 0/0 -d 0/0 -j ACCEPT
$IPTABLES -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT

#$IPTABLES -I INPUT -p tcp –dport 22 -j LOG –log-prefix “iptables ssh ” –log-level 7
$IPTABLES -A INPUT -p tcp –dport 22 -j ACCEPT #ssh
#$IPTABLES -I INPUT -p tcp –dport 5900:5901 -j  LOG –log-prefix “iptables vnc ” –log-level 7
$IPTABLES -A INPUT -p tcp –dport 5900:5901 -j ACCEPT #vnc
$IPTABLES -A INPUT -p tcp –dport 5353 -j ACCEPT #vnc
#allow ping reply
#$IPTABLES -I INPUT -p icmp –icmp-type 8 -j LOG  –log-prefix “iptables ping ” –log-level 7
$IPTABLES -A INPUT -p icmp –icmp-type 8 -j ACCEPT

$IPTABLES -I INPUT 5 -m limit –limit 5/min -j LOG –log-prefix “iptables dropped ” –log-level 7

copied this script in a file called firewall_custom

made it executable

copied it to /ect/init.d

ran sudo update-rc.d firewall_custom defaults

resulted in some warnings but created the start-stop scripts

(those warning about missing thing is becauso start / stop clause has been entered. in dutch we say ‘boeie’)

update-rc.d: warning: /etc/init.d/firewall_custom missing LSB information
update-rc.d: see <http://wiki.debian.org/LSBInitScripts>
Adding system startup for /etc/init.d/firewall_custom …
/etc/rc0.d/K20firewall_custom -> ../init.d/firewall_custom
/etc/rc1.d/K20firewall_custom -> ../init.d/firewall_custom
/etc/rc6.d/K20firewall_custom -> ../init.d/firewall_custom
/etc/rc2.d/S20firewall_custom -> ../init.d/firewall_custom
/etc/rc3.d/S20firewall_custom -> ../init.d/firewall_custom
/etc/rc4.d/S20firewall_custom -> ../init.d/firewall_custom
/etc/rc5.d/S20firewall_custom -> ../init.d/firewall_custom

ok

that’s my firewall story.

Posted in /linux  ·