Flush the old rules first, grant access to the needed ports, and only then make DROP the default policy. The policy goes last on purpose: if it were set first, every remote session would be cut off while the ACCEPT rules were still being added.
iptables -F                                 # flush all rules in the filter table (chain policies are kept)
iptables -A INPUT -i lo -p all -j ACCEPT    # allow self access via the loopback interface
iptables -A OUTPUT -o lo -p all -j ACCEPT
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT   # accept packets belonging to established connections
# TCP option 2 is the MSS, which only appears in SYN segments. A TCP packet without it is a
# non-SYN packet, and anything not already accepted as ESTABLISHED/RELATED above does not belong
# to a tracked connection (stray ACKs, ACK/FIN/NULL scans): answer those with a RST.
iptables -A INPUT -p tcp ! --tcp-option 2 -j REJECT --reject-with tcp-reset
# Open the ftp control port. ftp, ssh and http are tcp-only services; there is no udp/21, udp/22 or
# udp/80 to open. The ftp data connections are only matched as RELATED by the rule above if the
# conntrack ftp helper (nf_conntrack_ftp, ip_conntrack_ftp on 2.6) is loaded. Remember that ftp is cleartext.
iptables -A INPUT -p tcp -i eth0 --dport 21 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT   # open ssh server port
iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT   # open http server port
# Allow new SMB/NetBIOS session connections (tcp/139) from the host trancas only. The name is
# resolved once, when the rule is loaded, so use an address instead if the firewall has to come up
# before DNS is reachable.
iptables -A INPUT -p tcp --syn -s trancas --dport 139 -j ACCEPT
iptables -P INPUT DROP                      # drop all other connection attempts (default policy)
You can easily turn this configuration into a script, #!/bin/sh or perl, whatever suits your needs best. If you run Red Hat (kernel 2.6 or later) you should be able to store your current iptables settings in /etc/sysconfig/iptables by issuing the command # service iptables save; the iptables init script then reloads that file at boot.
A simple perl script would also do the job, if you would rather not have the rules from /etc/sysconfig loaded at boot.
This is a script I could use if I were running a few services on my workstation or server.
#!/usr/bin/perl -w
#
use strict;

my $ipt = "/sbin/iptables";

# Run one iptables command and abort if it fails, so a typo or a failed
# hostname lookup does not leave a half-built ruleset behind.
sub ipt { system("$ipt @_") == 0 or die "$ipt @_ failed: $?\n"; }

ipt("-F");                                 # flush all rules
ipt("-A INPUT -i lo -p all -j ACCEPT");    # allow loopback access
ipt("-A OUTPUT -o lo -p all -j ACCEPT");
ipt("-A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT");
ipt("-A INPUT -p tcp ! --tcp-option 2 -j REJECT --reject-with tcp-reset");   # RST non-SYN packets of untracked connections
ipt("-A INPUT -p tcp --syn -i eth0 --dport 80 -j LOG --log-prefix 'http-new: '");   # log each new http connection
ipt("-A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT");   # open http server port (tcp only; there is no udp/80)
ipt("-P INPUT DROP");                      # drop everything else; set last so we are not cut off while building
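The same ruleset once more, as an added example that is not part of the original post: rendered in iptables-save format and loaded with iptables-restore, so the DROP policy and the ACCEPT rules take effect in one commit instead of one system() call at a time (which leaves the box either wide open or cut off between calls). It assumes eth0 as the outside interface and the address 192.0.2.10 standing in for the host called trancas, and it replaces the tcp-option rule with the usual conntrack equivalent (reject NEW packets that are not a plain SYN).

```shell
#!/bin/sh
# Added example, not the original post's script. Renders the ruleset in
# iptables-save format and loads it with iptables-restore in one commit.
# Assumptions: eth0 is the outside interface; 192.0.2.10 stands in for the
# SMB peer the post calls "trancas" (an address, so loading never needs DNS).

IFACE=${IFACE:-eth0}
SMB_PEER=${SMB_PEER:-192.0.2.10}
TCP_PORTS=${TCP_PORTS:-"21 22 80"}   # ftp, ssh, http: all tcp, nothing on udp

# Print the ruleset. The chain policies sit in the *filter header, so DROP is
# committed together with the ACCEPT rules: no moment where INPUT is wide open
# (policy ACCEPT, no rules) or the box is cut off (policy DROP, no rules).
gen_rules() {
    printf '%s\n' \
        '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A OUTPUT -o lo -j ACCEPT' \
        "-A INPUT -i $IFACE -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" \
        "-A INPUT -i $IFACE -m conntrack --ctstate INVALID -j DROP" \
        "-A INPUT -i $IFACE -p tcp ! --syn -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset"
    for port in $TCP_PORTS; do
        printf '%s\n' "-A INPUT -i $IFACE -p tcp --syn --dport $port -j ACCEPT"
    done
    # SMB/NetBIOS session service only from the one trusted host
    printf '%s\n' "-A INPUT -i $IFACE -p tcp --syn -s $SMB_PEER --dport 139 -j ACCEPT" \
        'COMMIT'
}

# Number of ACCEPT rules in the generated set (used to sanity-check the output).
count_accepts() { gen_rules | grep -c -- '-j ACCEPT'; }

# Apply atomically. The FTP conntrack helper must be loaded first, or the ftp
# data connections are never classified RELATED and get dropped. Since kernel
# 4.7 automatic helper assignment is off by default (sysctl
# net.netfilter.nf_conntrack_helper), so on such kernels the helper also has to
# be enabled there or assigned with a CT rule in the raw table.
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_rules: must run as root" >&2; return 1; }
    modprobe nf_conntrack_ftp 2>/dev/null || true
    gen_rules | iptables-restore --test || return 1     # parse only, commit nothing
    gen_rules | iptables-restore                        # commit in one step
}

case "${1:-}" in
    apply) apply_rules ;;
    *)     gen_rules ;;       # default: just print the ruleset for review
esac
```

Run it without arguments to review the generated ruleset, and with apply as root to load it; iptables-restore --test parses the whole file first, so a syntax error is caught before anything is committed.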
That's all for tonight!
May your firewalls be with you, and your IDSes run in proactive mode.
ALX

