Why wouldn't I do this with iptables

----------------------------------------------------------------------
MAX screen resolution on FC2 Is 800x600 (2989)

Black Sun said:
"My truck is broken, so I will borrow a car to make sure my truck's engine is working correctly."

...Your sentence...

StupidScript

----------------------------------------------------------------------
MAX screen resolution on FC2 Is 800x600 (2988)

Black Sun said:
Wrong; neither Knoppix nor 'Doze2K will help you with the problem you have right now. The stuff that Eric was referring to is all configured by the X config file, etc...

----------------------------------------------------------------------
Why wouldn't I do this with iptables
Approved: IGuessNot

You should block in INPUT all the ports except the ones you want to provide a service for (80 - http, 25...

----------------------------------------------------------------------
Why wouldn't I do this with iptables

The way I do iptables is to turn everything off and then enable just what I want enabled. I am very fussy about what comes in; mostly nothing except SMTP (sendmail, which has its own ways of rejecting stuff). I do allow replies to stuff I sent out. My rules look like this (in part):

# NOTE: this is an excerpt. The variables ($IPT, $EXTDEV0, $INTDEV0,
# $INTDEV1, $LOGOPT) and the user chains referenced below (SHUN, INNETWORK,
# OUTNETWORK, INIPCHECK, OUTIPCHECK, OUTFIREWALL, BADINPUT, BADOUTPUT,
# INFICMP, TCPFLAGS, SYNFLOOD) are set up in parts of the script not quoted.
#
##########################################################################
#                                                                        #
#  Clear the existing firewall rules                                     #
#                                                                        #
##########################################################################
#
$IPT -P INPUT DROP         # Set default policy to DROP
$IPT -P OUTPUT DROP        # Set default policy to DROP
$IPT -P FORWARD DROP       # Set default policy to DROP
$IPT -F                    # Flush all chains
$IPT -X                    # Delete all userchains
#
#
for table in filter nat mangle; do
    $IPT -t $table -F      # Delete the table's rules
    $IPT -t $table -X      # Delete the table's chains
    $IPT -t $table -Z      # Zero the table's counters
done
#
#
##########################################################################
#                                                                        #
#  Main Firewall Rules                                                   #
#                                                                        #
##########################################################################
#
#  The explicit drops here (-j DROP, -j BADINPUT, and -j BADOUTPUT)
#  should be unnecessary, but are included here just in case an error
#  in the other chains lets something fall through.
#
#
$IPT -A FORWARD -j SHUN
$IPT -A FORWARD -i $EXTDEV0 -j INNETWORK
$IPT -A FORWARD -i $INTDEV0 -j OUTNETWORK
$IPT -A FORWARD -i $INTDEV1 -j OUTNETWORK
$IPT -A FORWARD -j LOG --log-prefix "IPT FORWARD: " $LOGOPT
$IPT -A FORWARD -j DROP
#
#
$IPT -A INPUT -j SHUN
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -j INIPCHECK
$IPT -A INPUT -j INFIREWALL
$IPT -A INPUT -j BADINPUT
#
#
$IPT -A OUTPUT -j SHUN
$IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A OUTPUT -j OUTIPCHECK
$IPT -A OUTPUT -j OUTFIREWALL
$IPT -A OUTPUT -j BADOUTPUT
#
##########################################################################
#                                                                        #
#  INPUT TABLE CHAINS.                                                   #
#                                                                        #
##########################################################################
#
$IPT -N INFIREWALL
$IPT -A INFIREWALL -p icmp -j INFICMP
$IPT -A INFIREWALL -p tcp -j TCPFLAGS
$IPT -A INFIREWALL -p tcp --syn -j SYNFLOOD
$IPT -A INFIREWALL -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INFIREWALL -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT

Then a lot of port-specific stuff.

FIREWALL is the machine connected to the Internet; the other machines go through the FIREWALL machine for Internet access. The machine that runs Windows (XP-HOME) is really fussy: no input is allowed at all except for replies to the stuff sent out. And nothing can be sent out except to port 80 of Microsoft update sites, Intuit's update sites, and my credit card and stock broker sites.

--
  .~.  Jean-David Beyer          Registered Linux User 85642.
   V   PGP-Key: 9A2FC99A         Registered Machine   241939.
 ^^-^^ 07:05:00 up 27 days, 15:20, 3 users, load average: 2.20, 2.23, 2.22
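The "turn everything off, then enable only what I want" policy described in the post above, written as an added example (not the poster's script) that generates an iptables-restore ruleset instead of calling iptables directly, so it can be reviewed or diffed before being loaded. The inbound service ports and the outbound HTTP hosts are parameters; it uses the conntrack match, the newer equivalent of the -m state match in the post.

```shell
#!/bin/sh
# Emit an iptables-restore ruleset: default DROP everywhere, loopback and
# replies to our own connections allowed, a short list of inbound TCP
# service ports, and outbound HTTP only to named hosts. Nothing here
# touches the live kernel; feed the output to iptables-restore yourself.
#
# Usage: gen_ruleset "<inbound tcp ports>" "<outbound http hosts>"
gen_ruleset() {
    in_ports=$1     # e.g. "25 80"
    out_hosts=$2    # e.g. "192.0.2.10 192.0.2.11" (constructed placeholders)

    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT DROP [0:0]'
    # Loopback is always fine.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT' '-A OUTPUT -o lo -j ACCEPT'
    # Replies to connections we started (RELATED also covers ICMP errors).
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # A "new" TCP connection that is not a SYN is bogus; drop it early.
    printf '%s\n' '-A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP'
    # Services we deliberately expose.
    for p in $in_ports; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Outbound: only new HTTP connections to the listed hosts.
    for h in $out_hosts; do
        printf '%s\n' "-A OUTPUT -d $h -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Log (rate-limited) what falls through, so mistakes show up in syslog
    # before the chain policy drops them.
    printf '%s\n' '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT INPUT: "'
    printf '%s\n' '-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "IPT OUTPUT: "'
    printf '%s\n' 'COMMIT'
}

# Number of ACCEPT rules produced; a quick sanity check that the allow
# list is exactly as long as you expect.
count_accepts() { gen_ruleset "$1" "$2" | grep -c -- '-j ACCEPT'; }
```

Review the output (for instance with `gen_ruleset "25" "192.0.2.10" | less`) and load it with `iptables-restore` only from a console session, since a mistake in OUTPUT can cut off remote access.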