Date: Wed, 20 Apr 2011 21:47:52 +0200
Content-Type: text/plain
On 20/04/2011 02:26, Tom H wrote:
> On Tue, Apr 19, 2011 at 12:53 PM, Robert E. Blair<[log in to unmask]> wrote:
>>
>> There is a sourceforge project called firestarter which has a rather
>> nice script that does lots of iptables config and provides a gui monitor
>> of firewall activity.
>
> You could also try APF:
> http://www.rfxn.com/projects/advanced-policy-firewall/
> (I've never used it so this isn't an experience-based recommendation
> but I've installed it on a test box to check out its rules and they
> looked good.)
>
> Shorewall's also an option that you could consider. It's another blind
> recommendation though; I've never even seen its default rules...
Thanks very much for the numerous answers. I read through a pile of
documentation, and figured out the most simple solution was a
handcrafted iptables script from scratch. Here goes:
--8<-------------------------------
#!/bin/sh
## /root/bin/firewall-start
## Stateful gateway firewall: default-deny on INPUT, NAT for the LAN.
IPT="/sbin/iptables"
WAN_IFACE="eth0"   # Internet-facing interface
LAN_IFACE="eth1"   # internal network

# Start from a clean slate: flush every chain and delete user-defined
# chains in the filter, nat and mangle tables.
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X

# Default policies: nothing reaches the gateway itself unless a rule
# below allows it; routed and outbound traffic is not filtered.
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT

# Loopback, plus the ICMP types needed for ping, traceroute and
# path-MTU / unreachable error reporting.
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT

# Replies to connections the gateway itself initiated.
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Services offered to the LAN side only: SSH and the DHCP server.
$IPT -A INPUT -p tcp -i $LAN_IFACE --dport 22 -j ACCEPT
$IPT -A INPUT -p udp -i $LAN_IFACE --dport 67 -j ACCEPT

# Everything else is logged, then rejected. These two rules must stay
# last in the chain.
$IPT -A INPUT -j LOG --log-prefix "+++ IPv4 packet rejected +++ "
$IPT -A INPUT -j REJECT

# Masquerade LAN traffic leaving through the WAN interface.
$IPT -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE

# Persist the ruleset (RHEL/CentOS init script) and reload it.
/sbin/service iptables save
/sbin/service iptables condrestart
--8<-------------------------------
Works like a charm so far. Logging (near the end of the script) tells me
whenever I'm locking myself out of something.
Cheers from South France,
Niki
--
Microlinux - 100% Linux and free-software IT solutions
7, place de l'église - 30730 Montpezat
Web: http://www.microlinux.fr
Mail: [log in to unmask]
Tel.: 04 66 63 10 32
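The catch-all LOG rule near the end of the script writes one kernel log line per rejected packet, and reading those lines by hand is how the author notices a lockout. The script below is an added example, not part of Niki's mail or script: it summarises such lines into (interface, source, protocol, destination port) counts and picks out the rejects that arrived on the LAN interface, which are the ones that mean a local host was refused a service the gateway was meant to offer. It assumes the log prefix used above and the standard field names of the iptables LOG target (IN=, SRC=, PROTO=, DPT=), and that the kernel log ends up in a syslog file such as /var/log/messages (an assumption; the path depends on the syslog configuration). The sample lines are constructed, using RFC 5737 documentation addresses.

```shell
#!/bin/sh
# Summarise iptables LOG-target lines produced by the INPUT chain's final
# LOG rule. Added example, not the original script. Assumes the prefix
# "+++ IPv4 packet rejected +++ " and the kernel LOG field names.

# Constructed sample log lines (documentation addresses, not real hosts).
SAMPLE_LOG='Apr 20 21:50:01 gw kernel: +++ IPv4 packet rejected +++ IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Apr 20 21:50:03 gw kernel: +++ IPv4 packet rejected +++ IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=2 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Apr 20 21:51:10 gw kernel: +++ IPv4 packet rejected +++ IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.42 DST=192.168.1.1 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Apr 20 21:52:00 gw kernel: +++ IPv4 packet rejected +++ IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=198.51.100.2 LEN=44 TOS=0x00 PREC=0x00 TTL=40 ID=4 PROTO=UDP SPT=5353 DPT=53 LEN=24
Apr 20 21:52:05 gw kernel: eth0: link is up'

# Read log lines on stdin; print "COUNT IN SRC PROTO DPT", most frequent
# first. Only lines carrying the firewall prefix are considered.
summarize_rejects() {
    grep -F '+++ IPv4 packet rejected +++' |
    awk '{
        in_if = src = proto = dpt = "-"
        # Every LOG field is KEY=VALUE; flags such as DF or SYN have no "="
        # and therefore never match one of the keys we look for.
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "IN")    in_if = kv[2]
            if (kv[1] == "SRC")   src   = kv[2]
            if (kv[1] == "PROTO") proto = kv[2]
            if (kv[1] == "DPT")   dpt   = kv[2]
        }
        count[in_if " " src " " proto " " dpt]++
    }
    END { for (k in count) print count[k], k }' |
    sort -rn
}

# Rejects that arrived on the interface named in $1 (the LAN side), printed
# as "PROTO/DPT from SRC": these are the "locked myself out" cases.
lan_rejected_ports() {
    summarize_rejects | awk -v ifc="$1" '$2 == ifc { printf "%s/%s from %s\n", $4, $5, $3 }'
}

# Usage: replace the sample with the real log, e.g.
#   summarize_rejects < /var/log/messages
printf '%s\n' "$SAMPLE_LOG" | summarize_rejects
printf '%s\n' "$SAMPLE_LOG" | lan_rejected_ports eth1
```

On the sample, the summary shows two rejected SSH attempts from one WAN address, one UDP/53 probe from another, and a single LAN host refused on port 80; the last line is the one that would prompt adding a rule, while repeated hits from a single WAN source on the same port are ordinary background noise against a default-deny policy.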