Re: [SLUG] iptables

From: Paul M Foster (paulf@quillandmouse.com)
Date: Tue May 03 2005 - 16:59:15 EDT


On Tue, May 03, 2005 at 01:12:43PM -0500, Glenn Meyer wrote:

> I'm stumbling over syntax and need a little help please. This is not on a
> network firewall, but only to protect the local machine.
>
> #!/bin/bash
> # flush the filter table clean
> /usr/sbin/iptables -F
>
> # my local network here at the house is a 192.168.10.0/24 network, so I
> added a /sbin/iptables -A INPUT -s 192.168.10.0/24 -j ACCEPT above the
> "block everything" lines below to accept everything from that range -
> but I want to instead open only port 22
>
> #This works and opens me to everything on my home network
> #/usr/sbin/iptables -A INPUT -s 192.168.10.0/24 -j ACCEPT
>
> I want to instead open just tcp port 22 for ssh but I'm stumbling over
> the --dport 22 part.
> /usr/sbin/iptables -A INPUT -s 192.168.10.0/24 --port 22 -j ACCEPT

I'm absolutely not an expert on this, but...

Don't know why you can't say:

iptables -A INPUT -p tcp -s 192.168.10.0/24 --dport 22 -j ACCEPT

>
> # block everything coming in to my machine, all interfaces
> # if you uncomment the #'s, it will log the blocks too
> #/usr/sbin/iptables -A INPUT -s 0/0 -d 0/0 -m state --state NEW -j LOG
> /usr/sbin/iptables -A INPUT -s 0/0 -d 0/0 -m state --state NEW -j DROP

You don't really need the -s and -d parameters above, since without
them, iptables will assume all sources and destinations.

The rest of this is superfluous. You could set a policy on the chain, as
indicated by someone else, or simply say:

iptables -A INPUT -j DROP

> #/usr/sbin/iptables -A INPUT -p tcp --tcp-flags ALL NONE -j LOG
> /usr/sbin/iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
> #/usr/sbin/iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG
> /usr/sbin/iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
> #/usr/sbin/iptables -A INPUT -p icmp --icmp-type any -j LOG
> /usr/sbin/iptables -A INPUT -p icmp --icmp-type any -j DROP
>
>
> Thank you for your help!

You're welcome, if it helps. Otherwise, I was never here. ;-}

Paul
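The rule set discussed in this thread, written out as an added example (not the poster's script and not Paul's): a host-only INPUT policy for a machine on the 192.168.10.0/24 network from the post, admitting ssh from the LAN and dropping everything else. The two things it makes explicit are (1) that `--dport` is an option of the tcp/udp match, so the rule needs `-p tcp` in front of it (which is why `--port 22` and a bare `--dport 22` both fail with "unknown option"), and (2) that the ACCEPT for ssh has to sit above the catch-all DROP because iptables takes the first matching rule. The `rules`, `lint_rule`, `check_order` and `apply_rules` function names, and the `IPT`/`LAN`/`SSH_PORT` variables, are this example's own; the script only prints the iptables commands unless `IPT` is pointed at the real binary.

```shell
#!/bin/sh
# Added example for this thread (not the poster's script): a host-only
# INPUT policy for a box on the 192.168.10.0/24 LAN from the post that
# admits ssh from the LAN and drops everything else. By default it only
# PRINTS the iptables commands (IPT defaults to "echo iptables"); to apply
# them for real, run as root with IPT=/usr/sbin/iptables.

LAN=${LAN:-192.168.10.0/24}       # the poster's home network
SSH_PORT=${SSH_PORT:-22}
IPT=${IPT:-echo iptables}         # dry run unless overridden

# The rule set, one rule per line, in the order it is appended. --dport is
# an option of the tcp (or udp) match, so every rule that uses it names
# "-p tcp" first; that is what was missing from "--port 22". The policy is
# set last so a failure partway through does not leave the chain at DROP
# with no ACCEPT rules in it (and lock out the ssh session doing the work).
rules() {
    cat <<EOF
-F INPUT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
-A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
-A INPUT -p tcp -s $LAN --dport $SSH_PORT -m state --state NEW -j ACCEPT
-A INPUT -p icmp -j DROP
-A INPUT -m state --state NEW -j LOG --log-prefix INPUT_drop:
-A INPUT -j DROP
-P INPUT DROP
EOF
}

# Reject a single rule that uses a port match without loading the tcp/udp
# match first, or that uses the non-existent --port option from the post.
# iptables itself would refuse both; checking here gives a clearer message.
lint_rule() {
    case "$1" in
        *"--port "*)
            echo "no such option --port (did you mean -p tcp --dport?): $1" >&2
            return 1 ;;
        *"--dport "*|*"--sport "*)
            case "$1" in
                *"-p tcp "*|*"-p udp "*|*"-m tcp "*|*"-m udp "*) return 0 ;;
                *) echo "port match needs -p tcp or -p udp: $1" >&2; return 1 ;;
            esac ;;
    esac
    return 0
}

# Lint every rule. The here-document keeps the loop in the current shell
# so the accumulated status survives (a pipe would run it in a subshell).
lint_rules() {
    status=0
    while IFS= read -r r; do
        lint_rule "$r" || status=1
    done <<EOF
$(rules)
EOF
    return $status
}

# iptables walks the chain top to bottom and stops at the first match, so
# the ssh ACCEPT must come before the catch-all DROP (the "above the block
# everything lines" from the post). Returns 0 when the order is right.
check_order() {
    accept_at=$(rules | grep -n -- "--dport $SSH_PORT .* -j ACCEPT" | cut -d: -f1)
    drop_at=$(rules | grep -n -- "^-A INPUT -j DROP" | cut -d: -f1)
    [ -n "$accept_at" ] && [ -n "$drop_at" ] && [ "$accept_at" -lt "$drop_at" ]
}

# Lint, check ordering, then hand each rule to $IPT (echo in a dry run).
apply_rules() {
    lint_rules || return 1
    check_order || { echo "ssh ACCEPT is below the catch-all DROP" >&2; return 1; }
    rules | while IFS= read -r r; do
        # word splitting of $r into separate arguments is intended here
        $IPT $r
    done
}

apply_rules
```

Run it as-is to see the commands it would issue; run `IPT=/usr/sbin/iptables sh host-fw.sh` as root to apply them. The `-m state` match is what the original post used and is still accepted by current iptables; on a new system `-m conntrack --ctstate` does the same job.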
-----------------------------------------------------------------------
This list is provided as an unmoderated internet service by Networked
Knowledge Systems (NKS). Views and opinions expressed in messages
posted are those of the author and do not necessarily reflect the
official policy or position of NKS or any of its employees.



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 18:36:28 EDT