[colug-432] iptables

Steve VanSlyck s.vanslyck at postpro.net
Wed May 13 20:43:52 EDT 2015


OK, it's fixed.

I removed the -i ppp0 and the -o ppp0 from the two rules they were in.

The script now reads as below. Except for dropping (instead of rejecting),
I think I'm now doing what I'm supposed to.

#!/bin/bash
# Each read -p pauses so the effect of the next rule can be checked before going on.

read -p "Flush rules?"
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F

read -p "Accept connections to the loopback interface (localhost)?"
iptables -A INPUT -i lo -j ACCEPT

read -p "Accept connections from the loopback interface (localhost)?"
iptables -A OUTPUT -o lo -j ACCEPT

read -p "Allow outgoing connections?"
iptables -A OUTPUT -j ACCEPT

read -p "Drop all pings?"
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP

read -p "Accept requested inbound traffic?"
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

read -p "Accept new and established ssh from specified IP?"
iptables -A INPUT -p tcp -s 107.132.57.128 --dport ssh -m state --state NEW,ESTABLISHED -j ACCEPT

read -p "Allow established ssh to specified IP?"
iptables -A OUTPUT -p tcp -d 107.132.57.128 --sport 22 -m state --state ESTABLISHED -j ACCEPT

read -p "Drop all other ssh attempts?"
iptables -A INPUT -p tcp --dport ssh -j DROP

read -p "Allow outbound http traffic?"
iptables -A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT

read -p "Allow outbound https traffic?"
iptables -A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT

read -p "Allow inbound http traffic?"
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT

read -p "Allow inbound https traffic?"
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT

read -p "Set policy: Drop forwarding connections?"
iptables -P FORWARD DROP

read -p "Set policy: Drop other incoming connections?"
iptables -P INPUT DROP

read -p "Set policy: Drop outgoing connections?"
iptables -P OUTPUT DROP

>
> On Wed, May 13, 2015, at 16:20, Rick Hornsby wrote:
>>
>>
>> one other note - at least for testing purposes you might want to use
>> REJECT instead of DROP. When you use DROP the firewall does exactly
>> what the word implies - it silently drops the packets to the floor
>> and the application has no idea anything is wrong. It is forced to
>> time out waiting for a response that will never come. With REJECT
>> iptables sends an ICMP response immediately. That should help speed
>> up your development and troubleshooting greatly.
>>
>> http://ipset.netfilter.org/iptables.man.html
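
As an added example (not the poster's script and not from anyone in the thread), the same ruleset rendered as an iptables-restore file rather than a sequence of iptables calls: the whole table is loaded atomically, the DROP policies are set in the table header so there is no moment where INPUT is ACCEPT with the rules half-built, and a single argument switches the ssh deny rule and the catch-all between DROP (silent) and REJECT (immediate error), which is the testing shortcut the quoted reply recommends. 107.132.57.128 is the admin address from the post; the function names, the default arguments and the use of `iptables-restore --test` as a pre-flight check are assumptions made here. As in the post, all egress is accepted, so the per-port OUTPUT rules of the original script would never be reached and are left out.

```shell
#!/bin/sh
# Added example, not the original poster's script: the post's ruleset as an
# iptables-restore file with a DROP/REJECT switch for testing.
# Assumed: function names, default arguments, iptables-restore --test.

# gen_rules <DROP|REJECT> <admin-ip>: print an iptables-restore ruleset on stdout.
gen_rules() {
    target="$1"
    admin="$2"
    if [ "$target" = "REJECT" ]; then
        # tcp-reset is only valid on -p tcp rules; the catch-all uses the default
        # icmp-port-unreachable. Either way a client fails fast instead of timing out.
        ssh_deny="-j REJECT --reject-with tcp-reset"
        catch_all="-A INPUT -j REJECT"
    else
        ssh_deny="-j DROP"
        catch_all="# chain policy DROP handles everything else"
    fi
    cat <<EOF
*filter
# Policies live in the header: no window where INPUT is ACCEPT during the load.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Replies to connections this host opened, plus related traffic (ICMP errors etc.)
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j DROP
# ssh only from the admin address; other port-22 traffic is denied by an explicit
# rule so its packet counter shows how often the port is probed
-A INPUT -p tcp -s $admin --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 $ssh_deny
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# As in the post: all egress allowed, so per-port OUTPUT rules are unreachable.
-A OUTPUT -j ACCEPT
$catch_all
COMMIT
EOF
}

# apply_rules <DROP|REJECT> <admin-ip>: parse-check against the kernel, then load.
apply_rules() {
    gen_rules "$1" "$2" | iptables-restore --test || return 1
    gen_rules "$1" "$2" | iptables-restore
}

# Usage: sh fw.sh print|apply [DROP|REJECT] [admin-ip]   (apply needs root)
case "${1:-print}" in
    apply) apply_rules "${2:-DROP}" "${3:-107.132.57.128}" ;;
    *)     gen_rules   "${2:-DROP}" "${3:-107.132.57.128}" ;;
esac
```

Run it with `print REJECT` while developing, compare the two outputs with `diff`, and switch to `apply DROP` once the rules behave; because the load is atomic, a typo in the file leaves the existing ruleset untouched rather than half-replacing it.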
