[TriLUG] Iptables script...

Corey Mutter mutterc at nc.rr.com
Wed Jan 8 15:56:40 EST 2003


> Here is an iptables script that I have written for my home cable
> gateway.  My only question is:  Is this a secure solution?  I have added
> comments to help a few colleagues but would like a second opinion before
> I commit to this...  (This is what I came up with after RTFMing for a
> few hours....)
> 
> Any comments would be appreciated!
> 
> TIA, Mike.

[snip script]

- You're correct that REJECT is not a valid policy. You can get the effect,
though, by just putting "-j REJECT" as the last rule in your chain.
Actually, to do a REJECT right, create a chain that does:

iptables -N dropandlog
iptables -A dropandlog -m limit -j LOG --log-prefix "Dropped a packet: "
iptables -A dropandlog -p tcp -j REJECT --reject-with tcp-reset
iptables -A dropandlog -p udp -j REJECT
iptables -A dropandlog -j DROP   # this one covers ICMP etc.

Then when you drop packets, just do a "-j dropandlog" and this will all get
invoked.

- I recommend starting out by logging any packets that you drop, so that you
can figure out what's breaking what :-) There will be some, though,
that you'll get so many of that you'll want to drop without logging
(identd requests from other systems, DHCP replies to others, etc.). To
do this, you will want to add explicit "-j dropandlog" to the end of
each of the three chains.  

- The OUTPUT rules for connection-state tracking are probably not necessary,
assuming you want to allow this machine to connect to anywhere.

- If you want to allow machines on the internal network to freely connect
to services (other than ssh) on this box, then move the "allow all
from internal net" rule above the connection-state-tracking rules. 

Corey
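One way to put the four points above together in a script, as an added example (it is not Mike's snipped script and not Corey's code): the dropandlog chain, DROP policies with an explicit "-j dropandlog" at the end of INPUT and FORWARD, silent drops for identd and DHCP noise ahead of anything that logs, the "allow all from internal net" rule placed above the state rule, and OUTPUT left wide open with no state rules. The interface names (eth0 outside, eth1 inside), the LAN range 192.168.1.0/24, the 3/min log limit, allowing ssh in from the cable side, and the MASQUERADE rule are all assumptions; change them for your box. Running it with no argument (or "preview") just prints the iptables commands; "apply" as root installs them.

```shell
#!/bin/sh
# Added example: a home cable-gateway ruleset built from the advice in the
# reply above.  EXT_IF, INT_IF, INT_NET, the ssh rule and the NAT rule are
# assumptions.  "sh gateway-fw.sh apply" installs; anything else is a dry run.

IPT="${IPT:-iptables}"                 # set IPT=echo to print instead of apply
EXT_IF="${EXT_IF:-eth0}"               # assumed: cable-modem side
INT_IF="${INT_IF:-eth1}"               # assumed: LAN side
INT_NET="${INT_NET:-192.168.1.0/24}"   # assumed: LAN address range

build_rules() {
    # Start clean.  REJECT is not a valid policy, so the policy is DROP and
    # each chain ends with an explicit -j dropandlog instead.
    $IPT -F
    $IPT -X
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT        # this box may connect anywhere, so no
                                 # OUTPUT state-tracking rules are needed

    # The logging reject chain: rate-limited LOG, a protocol-appropriate
    # REJECT for tcp and udp, then DROP for everything else (ICMP etc.).
    $IPT -N dropandlog
    $IPT -A dropandlog -m limit --limit 3/min -j LOG --log-prefix "Dropped a packet: "
    $IPT -A dropandlog -p tcp -j REJECT --reject-with tcp-reset
    $IPT -A dropandlog -p udp -j REJECT
    $IPT -A dropandlog -j DROP

    # Noise not worth a log line, placed before any rule that logs: identd
    # probes from remote mail/IRC servers (a tcp-reset REJECT here would stop
    # them waiting on a timeout) and broadcast DHCP replies meant for other
    # hosts on the cable segment.  ISC dhclient reads the wire directly, so
    # this does not affect the gateway's own lease; check your own client.
    $IPT -A INPUT -i "$EXT_IF" -p tcp --dport 113 -j DROP
    $IPT -A INPUT -i "$EXT_IF" -p udp --sport 67 --dport 68 -d 255.255.255.255 -j DROP

    # INPUT: loopback, then the internal net ABOVE the state rule so LAN
    # hosts can reach any service on the gateway, then return traffic.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -i "$INT_IF" -s "$INT_NET" -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$EXT_IF" -p tcp --dport 22 -m state --state NEW -j ACCEPT  # assumed: remote ssh wanted
    $IPT -A INPUT -j dropandlog

    # FORWARD: LAN out to the world, replies back in, everything else logged.
    $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$INT_NET" -j ACCEPT
    $IPT -A FORWARD -i "$EXT_IF" -o "$INT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -j dropandlog

    # Hide the LAN behind the cable address (assumed: this gateway does NAT).
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -s "$INT_NET" -j MASQUERADE
}

# Anything but an explicit "apply" is a dry run that prints the rules.
if [ "${1:-}" = apply ]; then
    build_rules
else
    IPT=echo
    build_rules
fi
```

Running it as a dry run first and reading the printed order is the quickest way to confirm the two ordering points in the reply: the internal-net ACCEPT must appear before the ESTABLISHED,RELATED rule in INPUT, and "-j dropandlog" must be the last rule in INPUT and FORWARD so nothing falls through to the bare DROP policy without being logged.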
