PDA

Click to See Complete Forum and Search --> : Iptables...

Loki3
11-28-2002, 04:33 PM
I'm sure some of you have read my questions about my on going experiments with iptables. So I sat down and read the man file for iptables and added these rules so gnutella could go through the firewall. I just wanted to see if you guys think they're pretty solid.

_Loki


#/bin/bash
#iptables script

#Checks for root permissions
if [ "$USER" = "root" ]; then
echo ""
else
echo "Not cool, no root."
quit
fi

iptables -F
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A INPUT -p tcp --destination-port 6346 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A INPUT -p udp --destination-port 6346 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -P OUTPUT ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -P FORWARD DROP
iptables -A INPUT -i ppp0 -j DROP
iptables -L
neondog
12-01-2002, 06:35 PM
you might want to set the table policies at the beginning and on lines 3 and 4 i don't think you need to specify -t filter since the module is loaded with iptables automatically. Oh and don't forget the shabang at the beginning i.e. #!/bin/bash

Here is a copy of my script to look over and use if you like

#!/bin/bash

# mp-firewall-0.2.0
# designed for iptables v1.2.4
# written by Steve Cayona <neondog@hightec.com>
# permissions is giving to freely distribute this script and
# if it breaks you get to keep both pieces.

# --- change log ---
# version 0.2.0 changed all the inserts (-I) to appends (-A)..doah

# Setting the variables - adjust these accordingly

iptables=/sbin/iptables
ifconfig=/sbin/ifconfig
grep=/bin/grep
awk=/bin/awk
sed=/bin/sed
any=0.0.0.0/0

# uncomment and adjust the interface as needed
#iface=ppp0
iface=eth0

# getting the IP address automatically
ipaddr="`$ifconfig $iface | $grep 'inet addr' | $awk '{print $2}' | $sed -e 's/.*://'`"
echo -e
echo "The IP address is $ipaddr on interface $iface"
echo -e
echo "setting up the firewall . . ."
echo -e
# setting the default policies
$iptables -P INPUT DROP
$iptables -F INPUT
$iptables -P FORWARD DROP
$iptables -F FORWARD
$iptables -P OUTPUT DROP
$iptables -F OUTPUT
$iptables -Z
$iptables -X

echo "Allowing the loopback and setting up the basics. . ."
$iptables -A INPUT -i eth0 -s 192.168.1.0/24 -d $any -j ACCEPT
$iptables -A INPUT -i lo -s $any -d $any -j ACCEPT
$iptables -A INPUT -i lo -s 127.0.0.1 -d $any -j ACCEPT
$iptables -A INPUT -i $iface -s $any -d $any -m state --state RELATED,ESTABLISHED -j ACCEPT
$iptables -A OUTPUT -o lo -s $any -d $any -j ACCEPT
$iptables -A OUTPUT -o $iface -s $any -d $any -j ACCEPT
echo -e

echo "Allowing ICMP packets . . ."
$iptables -A INPUT -i $iface -s $any -d $ipaddr -p ICMP -j ACCEPT
echo -e

#echo "Allowing DNS . . ."
$iptables -A INPUT -i $iface -s $any -d $ipaddr -p TCP --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$iptables -A INPUT -i $iface -s $any -d $ipaddr -p UDP --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# allowing access to the web server
$iptables -A INPUT -i $iface -s $any -d $ipaddr -p TCP --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# allowing the Roger Wilco Base Station
$iptables -A INPUT -i $iface -s $any -d $ipaddr -p TCP --dport 3782 -j ACCEPT
$iptables -A INPUT -i $iface -s $any -d $ipaddr -p UDP --dport 3783 -j ACCEPT
echo -e

echo "Done"