Example simple iptable ruleset: Difference between revisions
Jump to navigation
Jump to search
No edit summary |
No edit summary |
||
(3 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
Big Fat Warning: this is '''not''' a firewall, by an stretch! It is a super-simple set of iptables rules, which will permit all incoming connections, and all outgoing connections. It is useful as a baby-step towards developing a real iptables ruleset; it's also useful when used in conjunction with fail2ban (which will add host-specific blocking rules for you, based on authentication-failures). | |||
#! /bin/sh | #! /bin/sh | ||
# /etc/iptables.bak | # /etc/iptables.bak | ||
Line 9: | Line 11: | ||
$IPTABLES --delete-chain | $IPTABLES --delete-chain | ||
# set the defaults so that by-default incoming packets are explicitly allowed; | # set the defaults so that by-default incoming and outgoing packets are explicitly allowed; | ||
$IPTABLES -P INPUT ACCEPT | $IPTABLES -P INPUT ACCEPT | ||
$IPTABLES -P FORWARD DROP | $IPTABLES -P FORWARD DROP | ||
$IPTABLES -P OUTPUT ACCEPT | $IPTABLES -P OUTPUT ACCEPT | ||
Invoke and make these rules effective: | Invoke and make these rules effective: | ||
<font color=red>hostname</font> <font color=blue>~ #</font> '''sh /etc/iptables.bak''' | <font color=red>hostname</font> <font color=blue>~ #</font> '''sh /etc/iptables.bak''' | ||
Line 28: | Line 31: | ||
Chain OUTPUT (policy ACCEPT) | Chain OUTPUT (policy ACCEPT) | ||
target prot opt source destination | target prot opt source destination | ||
REMEMBER! If you like the ruleset, and want it to be in-effect the next time you start iptables (ie after a reboot), then you '''must''': | |||
<font color=red>hostname</font> <font color=blue>~ #</font> '''rc-update add iptables default''' | |||
<font color=lime>*</font> iptables added to runlevel default | |||
<font color=red>hostname</font> <font color=blue>~ #</font> '''/etc/init.d/iptables save''' | |||
<font color=lime>*</font> Saving iptables state ... |
Latest revision as of 18:35, 30 January 2008
Big Fat Warning: this is not a firewall, by an stretch! It is a super-simple set of iptables rules, which will permit all incoming connections, and all outgoing connections. It is useful as a baby-step towards developing a real iptables ruleset; it's also useful when used in conjunction with fail2ban (which will add host-specific blocking rules for you, based on authentication-failures).
#! /bin/sh # /etc/iptables.bak # Let's save typing & confusion with variables IPTABLES=/sbin/iptables # Flush active rules and custom tables $IPTABLES --flush $IPTABLES --delete-chain # set the defaults so that by-default incoming and outgoing packets are explicitly allowed; $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD DROP $IPTABLES -P OUTPUT ACCEPT
Invoke and make these rules effective:
hostname ~ # sh /etc/iptables.bak
Resulting active rules:
hostname ~ # iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy DROP) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination
REMEMBER! If you like the ruleset, and want it to be in-effect the next time you start iptables (ie after a reboot), then you must:
hostname ~ # rc-update add iptables default * iptables added to runlevel default hostname ~ # /etc/init.d/iptables save * Saving iptables state ...