[SLUG] firewall hole for ssh

From: Larry Sanders (rhatman@earthlink.net)
Date: Wed Aug 21 2002 - 23:10:50 EDT


Following this are the iptables rules that I have been using.
Notice the wonderful credit given to Derek for his help.
I like the fact that any traffic from the outside is dropped.
I have a need to allow ssh traffic in for file transfer.
Joe suggested that I use port 222 and RSA keys for
authentication to login.
What additions to this file will be needed to allow this
traffic on port 222?
Thanks in Advance
Larry :-)

#!/bin/sh
# rc.firewall iptables to protect internal network
# by Derek Glidden at www.nks.net - July 2001
# by Larry Sanders, Feb 2002 - installed on gate.sanders
# note eth0 => internal and eth1 => external to cable
# turn forwarding off while vulnerable
echo "0" > /proc/sys/net/ipv4/ip_forward
#
# default policies: drop unless a rule below says otherwise, so the box is
# never open in the window between the flush and the last rule being added
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -F # flush all rules in the filter table
/sbin/iptables -t nat -F # flush the nat table too, or MASQUERADE is added twice on re-run
# rule to nat if from inside going out
/sbin/iptables -t nat -A POSTROUTING -o eth1 \
        -s 192.168.49.0/24 -j MASQUERADE
# rule to allow session-related packets through
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# rule to accept if from inside with good ip
/sbin/iptables -A FORWARD -i eth0 -s 192.168.49.0/24 -o eth1 -j ACCEPT
# rule to log any not accepted
/sbin/iptables -A FORWARD -j LOG --log-prefix="FORWARD DROP:"
# rule to drop any not accepted
/sbin/iptables -A FORWARD -j DROP
#
# rule to allow session-related packets through
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# rule to allow local echo (loopback)
/sbin/iptables -A INPUT -i lo -s 127.0.0.1 -j ACCEPT
# rule to accept input from internal lan
/sbin/iptables -A INPUT -i eth0 -s 192.168.49.0/24 -j ACCEPT
# rule to explicitly log and drop all others
/sbin/iptables -A INPUT -j LOG --log-prefix="INPUT DROP:"
/sbin/iptables -A INPUT -j DROP
#
# turn on forwarding with wall constructed
echo "1" > /proc/sys/net/ipv4/ip_forward
echo iptables set for firewall in file rc.firewall
# end of firewall
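One way to answer Larry's question, added here as an example and not part of the original post or Derek's script: the INPUT lines that open tcp/222 on the outside interface, and the sshd_config settings that match Joe's suggestion. It assumes sshd runs on the gateway itself (so the INPUT chain, not FORWARD, is the one to open), that eth1 is the external interface as in the script above, and that sshd is OpenSSH; the variable names, APPLY and SSH_FROM are choices made for this example.

```shell
#!/bin/sh
# Added example, not from Larry's rc.firewall. Assumes sshd listens on the
# gateway itself, eth1 is external, and sshd is OpenSSH. Without APPLY=1 the
# rules are only printed so they can be reviewed; APPLY=1 (as root) runs them.
IPT=/sbin/iptables
EXT_IF=eth1
SSH_PORT=222
# Narrow this to the address the transfers come from if it is static,
# e.g. SSH_FROM=203.0.113.5 (documentation address, placeholder only).
SSH_FROM=${SSH_FROM:-0.0.0.0/0}

# These lines belong in rc.firewall after the "accept input from internal lan"
# rule and before the INPUT LOG/DROP pair, so they are matched first.
ssh_input_rules() {
    # Log new connection attempts, rate limited so a scan cannot fill syslog.
    echo "$IPT -A INPUT -i $EXT_IF -p tcp -s $SSH_FROM --dport $SSH_PORT" \
         "-m state --state NEW -m limit --limit 5/min -j LOG --log-prefix \"SSH NEW:\""
    # Accept only brand-new TCP connections to the ssh port; the rest of each
    # session is already covered by the ESTABLISHED,RELATED rule above it.
    echo "$IPT -A INPUT -i $EXT_IF -p tcp -s $SSH_FROM --dport $SSH_PORT" \
         "-m state --state NEW -j ACCEPT"
}

# sshd_config settings that go with Joe's suggestion: listen on 222, protocol 2
# only, keys only, no passwords to guess at.
sshd_settings() {
    echo "Port $SSH_PORT"
    echo "Protocol 2"
    echo "PubkeyAuthentication yes"
    echo "PasswordAuthentication no"
}

if [ "${APPLY:-0}" = 1 ]; then
    ssh_input_rules | sh
else
    ssh_input_rules
    echo "# sshd_config settings to pair with the rules above:"
    sshd_settings
fi
```

Because the accept rule sits above the LOG/DROP tail, every other new connection from eth1 is still logged and dropped exactly as before.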



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 16:46:22 EDT