
Re: [suse-security] Is it iptables enough?



Here is a skeleton firewall script for you to use.

Just call the following firewall script from boot.local,
using the full pathname to your firewall script, and exiting
with a valid code.

USE AND MODIFY AT YOUR OWN RISK!!!

#! /bin/bash

# file-id: /path/to/firewall/script/firewall #

# custom script to start iptables packet filter firewall rules #
# run from /etc/init.d/boot.local #

# ADSL-Modem version #

# last updated 02-FEB-2004 #

#------------------------------------------------------#
echo;
echo "=======================================================================";
echo "Running /path/to/firewall/script/firewall"
echo " - Initial status of firewall is:"
echo "=======================================================================";
echo;
#------------------------------------------------------#

#------------------------------------------------------#
echo;
echo "=======================================================================";
echo "NAT table initial status"
echo "=======================================================================";
echo;
#------------------------------------------------------#

# list status of NAT table
 iptables -t nat -L -v
#------------------------------------------------------#

#------------------------------------------------------#
echo;
echo "=======================================================================";
echo "MANGLE table initial status"
echo "=======================================================================";
echo;
#------------------------------------------------------#

# list status of MANGLE table
 iptables -t mangle -L -v
#------------------------------------------------------#

#------------------------------------------------------#
echo;
echo "=======================================================================";
echo "FILTER table initial status"
echo "=======================================================================";
echo;
#------------------------------------------------------#

# list status of FILTER table
 iptables -t filter -L -v
#------------------------------------------------------#

#------------------------------------------------------#

# flush ALL rules in ALL tables
 iptables -t nat -F
 iptables -t mangle -F
 iptables -t filter -F

# clear packet & byte counters
 iptables -t nat -Z
 iptables -t mangle -Z
 iptables -t filter -Z

# delete ALL user-defined chains in ALL tables
 iptables -t nat -X
 iptables -t mangle -X
 iptables -t filter -X

#------------------------------------------------------#
echo;
echo "=======================================================================";
echo "Starting up my own custom firewall now!"
echo "=======================================================================";
echo;
#------------------------------------------------------#

#******************************************************#
#                 NAT table rules                      #
#******************************************************#
# NOT USED

#******************************************************#
#                MANGLE table rules                    #
#******************************************************#
# NOT USED

#******************************************************#
#                FILTER table rules                    #
#******************************************************#

#------------------------------------------------------#
# set default policy for INPUT & FORWARD chains to DROP
 iptables -P INPUT DROP
 iptables -P FORWARD DROP

#------------------------------------------------------#
# LOG all packets coming through the INPUT chain - should disable this really
 iptables -A INPUT -j LOG --log-prefix 'FILTER-INPUT PKTS '

#------------------------------------------------------#
# LOG all packets going through the FORWARD chain - should disable this really
 iptables -A FORWARD -j LOG --log-prefix 'FILTER-FWD PKTS '

#------------------------------------------------------#
# LOG all packets going through the OUTPUT chain - should disable this really
 iptables -A OUTPUT -j LOG --log-prefix 'FILTER-OUTPUT PKTS '

#------------------------------------------------------#

# Put the rest of your firewall script here



#------------------------------------------------------#
echo;
echo "=======================================================================";
echo "New status of firewall using my own custom rules is:"
echo "=======================================================================";
echo;
#------------------------------------------------------#

#------------------------------------------------------#
echo;
echo "=======================================================================";
echo "NAT table - new status"
echo "=======================================================================";
echo;
#------------------------------------------------------#

# list current status of NAT table
 iptables -t nat -L -v
#------------------------------------------------------#

#------------------------------------------------------#
echo;
echo "=======================================================================";
echo "MANGLE table - new status"
echo "=======================================================================";
echo;
#------------------------------------------------------#

# list current status of MANGLE table
 iptables -t mangle -L -v
#------------------------------------------------------#

#------------------------------------------------------#
echo;
echo "=======================================================================";
echo "FILTER table - new rules"
echo "=======================================================================";
echo;
#------------------------------------------------------#

# list current status of FILTER table
 iptables -L -v
#------------------------------------------------------#

# exit with a valid code

 exit 0

#------------------------------------------------------#

# end of firewall #


On Thu, 5 Feb 2004, David Piniella wrote:

> To: suse-security@xxxxxxxx
> From: David Piniella <dpiniell@xxxxxxxxxxxxxxxxxxxxx>
> Subject: Re: [suse-security] Is it iptables enough?
>
> To make sure that nothing is in there that isn't supposed to be and to
> bring it to a known clean state. It's often set up so that you run a
> script that flushes the firewall rules and then inserts the ruleset you
> want in there (as a bootscript in rc.d, usually).
> Alternately, this approach also means that an emergency reboot will kill
> whatever the firewall rules were (if you suspect they were bad).
>
> --
> David


Kind Regards - Keith Roberts.
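The three LOG rules in the skeleton tag every packet with a fixed prefix, so the kernel log is the first place to look once the INPUT policy is DROP and nothing is accepted yet. The following is an added example and not part of Keith's script: a POSIX shell helper that summarises netfilter LOG lines carrying the 'FILTER-INPUT PKTS ' prefix by protocol, destination port and source address. The sample log lines, host name and addresses are constructed for the demonstration.

```shell
#!/bin/sh
# Summarise netfilter LOG output produced by the skeleton's INPUT rule.
# Reads syslog lines on stdin, keeps only those carrying the given prefix
# (default: the prefix used by the INPUT LOG rule) and prints one line per
# (PROTO, DPT, SRC) with a hit count, most frequent first.
summarize_input_log() {
    prefix="${1:-FILTER-INPUT PKTS}"
    grep -F "$prefix" | awk '
    {
        src = ""; proto = ""; dpt = "-"
        # netfilter LOG fields are KEY=VALUE tokens; pick the ones we need
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "SRC")   src   = kv[2]
            if (kv[1] == "PROTO") proto = kv[2]
            if (kv[1] == "DPT")   dpt   = kv[2]   # absent for ICMP, stays "-"
        }
        if (src != "") count[proto " " dpt " " src]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2
}

# Constructed sample log: three SYNs to port 22 from one host, one ICMP echo
# request, and one OUTPUT-chain line that must be ignored by the summary.
sample_log() {
    cat <<'EOF'
Feb  5 12:00:01 gw kernel: FILTER-INPUT PKTS IN=ppp0 OUT= MAC= SRC=203.0.113.5 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1 DF PROTO=TCP SPT=41234 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Feb  5 12:00:02 gw kernel: FILTER-INPUT PKTS IN=ppp0 OUT= MAC= SRC=203.0.113.5 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=2 DF PROTO=TCP SPT=41235 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Feb  5 12:00:03 gw kernel: FILTER-INPUT PKTS IN=ppp0 OUT= MAC= SRC=203.0.113.5 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=3 DF PROTO=TCP SPT=41236 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Feb  5 12:00:04 gw kernel: FILTER-INPUT PKTS IN=ppp0 OUT= MAC= SRC=198.51.100.77 DST=198.51.100.2 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=4 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
Feb  5 12:00:05 gw kernel: FILTER-OUTPUT PKTS IN= OUT=ppp0 SRC=198.51.100.2 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5 DF PROTO=UDP SPT=33000 DPT=53 LEN=40
EOF
}

# Demo: expected output is "3 TCP 22 203.0.113.5" then "1 ICMP - 198.51.100.77"
sample_log | summarize_input_log
```

On a live gateway the same function works on the real log, e.g. `grep kernel: /var/log/messages | summarize_input_log`, and passing 'FILTER-FWD PKTS' as the first argument switches it to the FORWARD chain's lines.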



