You need kernel 2.4 or 2.6 with netfilter and state matching enabled (the default on all distros known to me). Allowing incoming ssh is a _must_ for sysadmins, and allowing ping helps to diagnose problems. If you need a more complex firewall, think about blocking outgoing connections as well. For servers and routers this script is not sufficient.
cat /etc/rc.d/rc.firewall
#!/bin/sh
# flush all rules in the filter, nat and mangle tables and delete user-defined chains
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
# default policies: drop everything incoming or forwarded, allow everything outgoing
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# loopback traffic is always fine
iptables -A INPUT -i lo -j ACCEPT
# replies to connections we started ourselves (this is what needs state matching in the kernel)
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# enable incoming ssh and echo requests (ping)
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT