What I need are rules for ssh and vnc; all other ports are closed to the outside world (ok, some pinging would also be nice to have)…
#!/bin/sh
IPTABLES=/sbin/iptables
#flush tables
$IPTABLES -F INPUT
$IPTABLES -F FORWARD
$IPTABLES -F OUTPUT
$IPTABLES -F -t nat
#Default policy: drop incoming and forwarded packets, allow outgoing
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP
#allow established connections (replies to connections this host opened)
$IPTABLES -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
#allow local connections (trusted LAN interface and loopback)
$IPTABLES -A INPUT -i eth1 -s 0/0 -d 0/0 -j ACCEPT
$IPTABLES -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT
#$IPTABLES -I INPUT -p tcp --dport 22 -j LOG --log-prefix "iptables ssh " --log-level 7
$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT #ssh
#$IPTABLES -I INPUT -p tcp --dport 5900:5901 -j LOG --log-prefix "iptables vnc " --log-level 7
$IPTABLES -A INPUT -p tcp --dport 5900:5901 -j ACCEPT #vnc
$IPTABLES -A INPUT -p tcp --dport 5353 -j ACCEPT #vnc (5353 is the mDNS/Bonjour service-discovery port)
#allow ping (incoming echo requests, so this host can reply)
#$IPTABLES -I INPUT -p icmp --icmp-type 8 -j LOG --log-prefix "iptables ping " --log-level 7
$IPTABLES -A INPUT -p icmp --icmp-type 8 -j ACCEPT
#log (rate limited) whatever falls through to the DROP policy; appended last so accepted traffic is not logged
$IPTABLES -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables dropped " --log-level 7
copied this script into a file called firewall_custom
made it executable
copied it to /etc/init.d
ran sudo update-rc.d firewall_custom defaults
resulted in some warnings but created the start-stop scripts
(that warning about missing things is because no start/stop clause has been entered; in Dutch we say ‘boeie’, roughly ‘who cares’)
update-rc.d: warning: /etc/init.d/firewall_custom missing LSB information
update-rc.d: see <http://wiki.debian.org/LSBInitScripts>
Adding system startup for /etc/init.d/firewall_custom …
/etc/rc0.d/K20firewall_custom -> ../init.d/firewall_custom
/etc/rc1.d/K20firewall_custom -> ../init.d/firewall_custom
/etc/rc6.d/K20firewall_custom -> ../init.d/firewall_custom
/etc/rc2.d/S20firewall_custom -> ../init.d/firewall_custom
/etc/rc3.d/S20firewall_custom -> ../init.d/firewall_custom
/etc/rc4.d/S20firewall_custom -> ../init.d/firewall_custom
/etc/rc5.d/S20firewall_custom -> ../init.d/firewall_custom
ok
that’s my firewall story.
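As an added example (my own rewrite, not the script from the post above), here is the same ruleset as an LSB-style init script with proper start/stop actions, which also gets rid of the update-rc.d "missing LSB information" warning. The LAN_IF variable and the IPTABLES dry-run override are my additions; the interface names are assumed to match the post.

```shell
#!/bin/sh
### BEGIN INIT INFO
# Provides:          firewall_custom
# Required-Start:    $network
# Required-Stop:     $network
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: iptables rules: ssh, vnc and ping in, everything else dropped
### END INIT INFO
# Set IPTABLES=echo in the environment for a dry run that prints the rules instead of loading them.
IPTABLES="${IPTABLES:-/sbin/iptables}"
LAN_IF="${LAN_IF:-eth1}"   # trusted LAN side (assumed, as in the post)

fw_flush() {
    $IPTABLES -F INPUT; $IPTABLES -F FORWARD; $IPTABLES -F OUTPUT; $IPTABLES -F -t nat
}

fw_start() {
    # policies first, so there is no window where INPUT is wide open
    $IPTABLES -P INPUT DROP; $IPTABLES -P FORWARD DROP; $IPTABLES -P OUTPUT ACCEPT
    fw_flush
    # replies to connections this host opened, whatever the uplink (eth0 or ppp0)
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # loopback and the trusted LAN side
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -i "$LAN_IF" -j ACCEPT
    # services reachable from outside: ssh, vnc, ping (ping rate limited)
    $IPTABLES -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
    $IPTABLES -A INPUT -p tcp --dport 5900:5901 -m state --state NEW -j ACCEPT
    $IPTABLES -A INPUT -p icmp --icmp-type echo-request -m limit --limit 10/s -j ACCEPT
    # last rule: log (rate limited) only what is about to hit the DROP policy
    $IPTABLES -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables dropped " --log-level 7
}

fw_stop() {
    # flush and open up again, so a broken ruleset can be undone with "stop"
    fw_flush
    $IPTABLES -P INPUT ACCEPT; $IPTABLES -P FORWARD ACCEPT; $IPTABLES -P OUTPUT ACCEPT
}

case "${1:-}" in
    start)   fw_start ;;
    stop)    fw_stop ;;
    restart) fw_stop; fw_start ;;
    "")      ;;   # sourced or run without an action: only define the functions
    *)       echo "Usage: $0 {start|stop|restart}" >&2; exit 1 ;;
esac
```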