[Gllug] Simple iptables config
Tethys
sta296 at astradyne.co.uk
Fri Feb 10 18:00:06 UTC 2006
Richard Jones writes:
>Does anyone have a very simple iptables config for a standalone host
>they could share with me?
>
>All I really want to do is to allow connections to port 22/tcp, and
>deny anything else. (However I'd like not to break ICMP in the
>process).
In a sane world:
block in log
pass on lo0 inet
pass out proto icmp
pass out proto udp
pass out proto tcp keep state
pass in proto tcp from any to any port 22
However, this is Linux so instead you have to have something hideous like:
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p icmp --icmp-type any -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p udp --dst 255.255.255.255 -j DROP
iptables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -j LOG
You should really also be blocking incoming connections from RFC1918
addresses, and those with unexpected IP options, etc., but the above
should at least get you going.
Tet
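A fuller version of the same policy, as an added example that is not from the original post or its author: it accepts loopback, replies to the host's own traffic, rate-limited ping and new SSH connections, and drops the RFC1918 sources the post mentions. It assumes the public interface is eth0 and uses the conntrack match instead of the older state match; it prints the rules for review by default and only applies them when run with the argument "apply".

```shell
#!/bin/sh
# Added example, not from the original post. Default-deny stateful ruleset
# for a standalone host that exposes only SSH and keeps ICMP usable.
# IFACE and SSH_PORT are assumed defaults; override them in the environment.
IFACE="${IFACE:-eth0}"
SSH_PORT="${SSH_PORT:-22}"

# Print the ruleset so it can be reviewed before anything is applied.
gen_rules() {
    cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -F
iptables -X
iptables -A INPUT -i lo -j ACCEPT
# Replies (and ICMP errors) for connections we opened: accept early.
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
# Private ranges have no business arriving on the public interface.
iptables -A INPUT -i $IFACE -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i $IFACE -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i $IFACE -s 192.168.0.0/16 -j DROP
# Keep ping working, but not unboundedly.
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
# The single exposed service.
iptables -A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT
# Log what is left, rate-limited so a flood cannot fill the log; the policy drops it.
iptables -A INPUT -m limit --limit 3/min -j LOG --log-prefix "iptables-drop: "
EOF
}
# Sanity check on the generated text: default-deny INPUT and exactly one
# open port, which must be the SSH port. Returns non-zero on any failure.
check_rules() {
    rules=$(gen_rules)
    printf '%s\n' "$rules" | grep -q '^iptables -P INPUT DROP$' || return 1
    [ "$(printf '%s\n' "$rules" | grep -c -- '--dport')" -eq 1 ] || return 1
    printf '%s\n' "$rules" | grep -q -- "--dport $SSH_PORT " || return 1
}

# Apply for real (needs root); stops at the first failing command.
apply_rules() {
    check_rules && gen_rules | grep -v '^#' | sh -e
}

case "${1:-}" in
    apply) apply_rules ;;
    *)     gen_rules ;;
esac
```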