Note that this recipe has not been updated for a long time and could be outdated!

Iptables example for a server

This is an example iptables configuration script for a server that runs several services listening on several ports.
#!/bin/sh
# Disable IP forwarding (this host has only one interface and does not route)
echo 0 >/proc/sys/net/ipv4/ip_forward

# Flush all rules in every table.  Note that -F does not delete user-defined
# chains (use -X for that), and that until the DROP policies below are set
# the host runs under whatever policy was in place before the flush.
iptables -F
iptables -F -t mangle
iptables -F -t nat
iptables -F -t filter

# Reset packet and byte counters
iptables -Z
iptables -Z -t mangle
iptables -Z -t nat
iptables -Z -t filter

# Default policies (-P): the action taken when no more specific rule below
# matches.  Drop anything addressed to the host itself or to be forwarded,
# and permit anything going out.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

##########
# Allow  #
##########
# Allow ICMP from anywhere (all ICMP types)
iptables -A INPUT -p icmp -j ACCEPT

# Permit packets to the host itself that belong to established or related
# connections.  This rule does the real work: the rules below only admit
# the first SYN of a new connection, and everything after it matches here.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow everything on the loopback interface
iptables -A INPUT -i lo -j ACCEPT

# Accept the initial TCP SYN for the services that must be reachable:
# SSH on port 22 from anywhere
iptables -A INPUT -p tcp --destination-port 22 --syn -j ACCEPT

# FTP server: control port plus the passive data port range configured
# with PassivePorts in /etc/proftpd.conf
iptables -A INPUT -p tcp --destination-port 21 --syn -j ACCEPT
iptables -A INPUT -p tcp --destination-port 6100:7000 --syn -j ACCEPT

# HTTP and HTTPS
iptables -A INPUT -p tcp --destination-port 80 --syn -j ACCEPT
iptables -A INPUT -p tcp --destination-port 443 --syn -j ACCEPT

# Finally, explicitly drop all other connection requests.  The INPUT policy
# already drops them; these rules give per-rule counters (iptables -L -v)
# that show how much unwanted traffic is being rejected.
iptables -A INPUT -p udp -j DROP
iptables -A INPUT -p tcp --syn -j DROP

# Caveats: this covers IPv4 only (ip6tables keeps its own, separate policy,
# so IPv6 stays open unless configured too), and the rules are lost on
# reboot unless they are saved with iptables-save or this file is re-run
# from an init script.

#### the end
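
The script above rebuilds the policy one command at a time: between iptables -F and the -P INPUT DROP lines the host briefly runs under whatever policy was there before, and if the script aborts halfway the table is left in a half-built state. The following is an added example (not from the original page, and not the author's script) that expresses the same policy as an iptables-restore ruleset, which the kernel loads as a single atomic operation. The port lists, the icmpv6 variant for ip6tables-restore, the drop of INVALID conntrack state and the rate-limited LOG line are additions that the page's script does not have, and -m conntrack --ctstate is used as the current form of the page's -m state --state.

```shell
#!/bin/sh
# Added example, not part of the original page: emit the server policy as an
# iptables-restore ruleset.  iptables-restore loads the whole table in one
# step, so there is no window between "flush" and "set policies" in which
# the host is governed by the old policy.
#
# Assumptions (hypothetical, adjust for your host): the port lists below,
# and that iptables-restore / ip6tables-restore are installed.

TCP_PORTS="22 21 80 443"   # services that must accept new connections
FTP_PASV_RANGE="6100:7000" # proftpd PassivePorts range (see /etc/proftpd.conf)

# gen_ruleset PORTS RANGE ICMP_PROTO
#   PORTS      space-separated single TCP ports
#   RANGE      optional TCP port range (low:high), may be empty
#   ICMP_PROTO "icmp" for iptables-restore, "icmpv6" for ip6tables-restore
# Prints a complete *filter table in iptables-restore format to stdout.
gen_ruleset() {
    ports=$1
    range=$2
    icmp_proto=${3:-icmp}

    printf '%s\n' '*filter'
    # Default policies as in the page's script: drop in, drop forward, allow out
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # Loopback and already-tracked traffic first, so the common case matches early
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # Drop packets conntrack cannot classify (malformed, out of window); addition
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # Accept ICMP (for IPv6 this is required for neighbour discovery to work)
    printf '%s\n' "-A INPUT -p $icmp_proto -j ACCEPT"
    # Only the first SYN of a new connection is admitted, per service port
    for p in $ports; do
        printf '%s\n' "-A INPUT -p tcp --dport $p --syn -j ACCEPT"
    done
    if [ -n "$range" ]; then
        printf '%s\n' "-A INPUT -p tcp --dport $range --syn -j ACCEPT"
    fi
    # Rate-limited log of what the policy is about to drop, then fall through
    printf '%s\n' '-A INPUT -m limit --limit 5/minute -j LOG --log-prefix "input-drop: "'
    printf '%s\n' 'COMMIT'
}

# apply_ruleset FILE RESTORE_CMD: validate with --test, then load atomically.
apply_ruleset() {
    file=$1
    restore=${2:-iptables-restore}
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_ruleset: must run as root" >&2
        return 1
    fi
    "$restore" --test "$file" && "$restore" "$file"
}

# With no arguments just print the IPv4 ruleset for review;
# "apply" writes both rulesets to temporary files and loads them.
case "${1:-}" in
    apply)
        rules4=$(mktemp) && rules6=$(mktemp) || exit 1
        gen_ruleset "$TCP_PORTS" "$FTP_PASV_RANGE" icmp   >"$rules4"
        gen_ruleset "$TCP_PORTS" "$FTP_PASV_RANGE" icmpv6 >"$rules6"
        apply_ruleset "$rules4" iptables-restore
        apply_ruleset "$rules6" ip6tables-restore
        rm -f "$rules4" "$rules6"
        ;;
    *)
        gen_ruleset "$TCP_PORTS" "$FTP_PASV_RANGE" icmp
        ;;
esac
```

Run it without arguments to review the generated table; run it as root with the argument apply to have each file checked with --test and then loaded. As with the page's script, the rules still have to be re-applied at boot, for example by saving the generated files where your distribution's iptables init script or iptables-persistent expects them.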


Created by Valdis Vītoliņš on 2008-08-09 13:36
Last modified by Valdis Vītoliņš on 2013-09-09 13:48
Creative Commons Attribution 3.0 Unported License