[Gllug] Firewall Setup Script

Mick Farmer mick at dcs.bbk.ac.uk
Mon Sep 29 21:48:35 UTC 2003


Dear George,

I'm quite happy to share my attempts with you, as others
might comment on the fallacies therein...  I've got a Red Hat
Linux box which hosts the web pages for the courses that I'm
teaching on, plus a few other interests.  I hope the
comments are self-explanatory.  Additional comments in the
script are turned on/off as required for classes.

8<--------8<--------8<--------8<
# Original is now iptables-8.0 (mick, 20 Jan 2003)
# 0.0.0 Basic firewall - no forwarding, so I trust my 
#       output datagrams and place restrictions on incoming
#       datagrams (mick, 15 Oct 2002)
# 0.0.1 Allow telnet from 193.61.28.0/24, i.e. bbk (mick, 9 Dec 2002)
# 0.0.2 Allow ssh from 62.0.0.0/8, i.e. freeserve (mick, 21 Dec 2002)
# 0.0.3 Allow http from all (mick, 13 Mar 2003)
# 0.0.4 Allow ssh from 212.159.43.118, i.e. plan7 (mick, 7 April 2003)
#
# Default policies
#
*filter
:INPUT   DROP   [0,0]
:FORWARD DROP   [0,0]
:OUTPUT  ACCEPT [0,0]

# Trust the loopback interface
#
-A INPUT -i lo -j ACCEPT

# Incoming established responses (such as ICMP, NFS, RPC, TCP)
#
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Incoming HTTP connections
#
-A INPUT -m tcp -p tcp --dport http --syn -j ACCEPT

# Incoming SSH connections from Freeserve and plan7.plus.com
#
#-A INPUT -s 62.0.0.0/8     -m tcp -p tcp --dport ssh --syn -j ACCEPT
-A INPUT -s 212.159.43.118 -m tcp -p tcp --dport ssh --syn -j ACCEPT

# Incoming telnet connections only from dcs
#
#-A INPUT -s 193.61.28.0/24 -m tcp -p tcp --dport telnet --syn -j ACCEPT
-A INPUT -s 193.61.29.0/24 -m tcp -p tcp --dport telnet --syn -j ACCEPT

# Log what we drop
#
-A INPUT -m icmp -p icmp -j LOG
-A INPUT -m tcp  -p tcp  -j LOG
-A INPUT -m udp  -p udp  -j LOG

COMMIT
8<--------8<--------8<--------8<

Any comments you, or others, might have will be gratefully
received.  Be aware that the logs might grow extremely
large!

Regards,

Mick               /"\                      
                   \ /                      
Linux Registered    X  ASCII Ribbon Campaign
User #287765       / \ Against HTML Mail
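An added example, not part of Mick's post: a small offline evaluator that transcribes the INPUT chain above and walks it with iptables' first-match semantics (LOG is non-terminating, unmatched traffic falls to the DROP policy). It lets a reader check before loading the ruleset which sources reach which service, and shows why every dropped packet also produces a log line. The probe packets are constructed, and the packet model reduces `--syn` and conntrack state to single fields.

```python
import ipaddress

# Transcription of the posted INPUT chain (first match wins; LOG does not
# terminate the walk; anything unmatched falls through to the DROP policy).
RULES = [
    {"iface": "lo", "target": "ACCEPT"},
    {"state": {"ESTABLISHED", "RELATED"}, "target": "ACCEPT"},
    {"proto": "tcp", "dport": 80, "syn": True, "target": "ACCEPT"},
    {"src": "212.159.43.118/32", "proto": "tcp", "dport": 22, "syn": True, "target": "ACCEPT"},
    {"src": "193.61.29.0/24", "proto": "tcp", "dport": 23, "syn": True, "target": "ACCEPT"},
    {"proto": "icmp", "target": "LOG"},
    {"proto": "tcp", "target": "LOG"},
    {"proto": "udp", "target": "LOG"},
]
POLICY = "DROP"

def matches(rule, pkt):
    """Return True when every match clause of the rule applies to the packet."""
    if "iface" in rule and pkt.get("iface") != rule["iface"]:
        return False
    if "state" in rule and pkt.get("state") not in rule["state"]:
        return False
    if "proto" in rule and pkt.get("proto") != rule["proto"]:
        return False
    if "dport" in rule and pkt.get("dport") != rule["dport"]:
        return False
    # --syn means SYN set with ACK/RST/FIN clear; modelled here as one boolean
    if "syn" in rule and pkt.get("syn", False) != rule["syn"]:
        return False
    if "src" in rule and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule["src"]):
        return False
    return True

def evaluate(pkt):
    """Walk the chain; return (verdict, logged) for one packet."""
    logged = False
    for rule in RULES:
        if matches(rule, pkt):
            if rule["target"] == "LOG":
                logged = True  # non-terminating target: keep walking
                continue
            return rule["target"], logged
    return POLICY, logged

if __name__ == "__main__":
    # Constructed probes, not real traffic: one NEW SYN per service of interest.
    for src, port in [("8.8.8.8", 80), ("8.8.8.8", 22), ("212.159.43.118", 22),
                      ("193.61.29.7", 23), ("193.61.28.7", 23)]:
        pkt = {"iface": "eth0", "src": src, "proto": "tcp", "dport": port, "syn": True, "state": "NEW"}
        print(src, port, evaluate(pkt))
```

Note that the commented-out 193.61.28.0/24 rule is absent from the transcription, so a probe from that network is dropped (and logged), which matches the script as posted.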
