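# /etc/sysconfig/iptables
#
# IPTABLES sample config file for workstation (iptables-save / iptables-restore format).
#
# Make sure you fix the appropriate sections below, and add
# duplicate entries as necessary (with different IPADDR's of course).
# Every UPPER_CASE token used as an address (NTP_SERVER_IP, DNS_SERVER_IP,
# AMANDA_SERVER_IP, SSH_CLIENT_NET, DEBUG_HOST_IP) is a placeholder that MUST be
# replaced with a real host address or CIDR network.  iptables-restore refuses the
# whole file while any placeholder is left ("host/network ... not found"), so an
# unedited copy fails loudly instead of loading a half-finished policy.
#
# This file only governs IPv4.  If the host has IPv6 connectivity an equivalent
# policy has to be loaded with ip6tables(-restore); otherwise IPv6 is wide open.
#
# created by Bryan Cardillo
# modified by Daniel Widyono
#
# default policy - deny on INPUT and FORWARD.  OUTPUT is DROP by policy as well,
# but the first OUTPUT rule accepts every connection this host initiates, so in
# practice outbound traffic is unrestricted (see "all outgoing" below).
#
# allow icmp: rate-limited echo-request, plus replies/errors for our own traffic
# allow in/out dns to name servers
# allow in/out ntp to ntp servers
# allow unrestricted ssh out
# allow ssh in from designated hosts
# allow unrestricted in/out on the internal (loopback) interface
# allow amanda server to contact and backup local filesystems
# allow http, https access out
# allow lpr client out
# allow ftp client out
# reject (not drop) identd probes so remote servers that check port 113 fail fast
#
# Rules are evaluated top to bottom; the first terminating match (ACCEPT, DROP,
# REJECT) wins, and anything unmatched falls through to the chain policy.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

# LOGGING / DEBUGGING
# Two helper chains: each logs the packet (kern.warning, level 4) and then ACCEPTs
# or DROPs it.  They are deliberately not rate limited so nothing is hidden while
# debugging - do not leave a rule pointing at them in a production ruleset, since an
# unthrottled LOG target lets any remote party flood syslog.
-N accept-n-log
-A accept-n-log -j LOG --log-level 4 --log-prefix "accept-n-log:"
-A accept-n-log -j ACCEPT
-N drop-n-log
-A drop-n-log -j LOG --log-level 4 --log-prefix "drop-n-log:"
-A drop-n-log -j DROP

# internal interfaces
# Loopback is open in both directions; local daemons talk to each other over it.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

# all outgoing
# Accepts any connection this host initiates.  RELATED is included so that ICMP
# error messages and the TCP reset generated by the REJECT rule further down can
# leave the host.  Because NEW is accepted here unconditionally, the per-service
# ESTABLISHED rules in INPUT mainly document which clients are expected; this
# OUTPUT rule is the real gate on what the workstation may talk to.
-A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# icmp
# First rule: replies and errors that belong to traffic we originated (echo-reply
# for our pings, destination-unreachable needed for path-MTU discovery,
# time-exceeded for traceroute).  Second rule: unsolicited pings, rate limited so
# the host answers pings but cannot be used as an ICMP flood target.  Every other
# unsolicited ICMP type (redirect, timestamp, address mask, ...) falls through to
# the DROP policy.
-A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 5 -j ACCEPT

# ssh client
-A INPUT -p tcp -m tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

# http client (direct, and via a proxy listening on the webcache port)
-A INPUT -p tcp -m tcp --sport http --dport 1024: -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport https --dport 1024: -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport webcache --dport 1024: -m state --state ESTABLISHED -j ACCEPT

# lpr client
-A INPUT -p tcp -m tcp --sport printer -m state --state ESTABLISHED -j ACCEPT

# ftp client (active and passive)
# Active mode: the server connects back to us from ftp-data (port 20); that
# connection is only classified RELATED when the FTP conntrack helper module
# (ip_conntrack_ftp / nf_conntrack_ftp) is loaded.  Passive mode: the data
# connection is high port to high port and is covered by the last rule.
-A INPUT -p tcp -m tcp --sport ftp -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport ftp-data -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT

# IMAP+SSL
-A INPUT -p tcp -m tcp --sport imaps -m state --state ESTABLISHED -j ACCEPT

# auth service (identd), for tcp_wrapper'ed services which insist on checking
# A workstation normally does not run identd.  Silently DROPping port 113 makes
# every remote mail/irc/ftp server that probes ident wait for its timeout before
# serving us, while ACCEPTing it exposes whatever (if anything) listens there to
# the whole network.  A REJECT with a TCP reset makes the probe fail immediately
# and exposes nothing.  (The earlier note about "-A INPUT -j DENY" referred to an
# ipchains target; the iptables spelling is REJECT.)
-A INPUT -p tcp -m tcp --dport auth -j REJECT --reject-with tcp-reset
# If this host really does run an ident daemon, use this instead of the REJECT:
# -A INPUT -p tcp -m tcp --dport auth -m state --state NEW,ESTABLISHED -j ACCEPT

# Outbound SMTP / e-mail
-A INPUT -p tcp -m tcp --sport smtp -m state --state ESTABLISHED -j ACCEPT

# ntp client
# One entry per server.  These entries need to match /etc/ntp.conf server entries
# (see also the restrict entries in ntp.conf if you are restricting all by default).
-A INPUT -s NTP_SERVER_IP -p udp -m udp --sport 123 -j ACCEPT

# dns client
# One entry per nameserver.  These entries need to match /etc/resolv.conf
# nameserver entries (if you use DHCP, you'll need to modify /etc/init.d/iptables
# to dynamically create these entries, or else open port 53 to a range of IP
# addresses).  The TCP rule is required too: a resolver retries over TCP when a
# UDP answer comes back truncated, and that reply has source port 53, which none
# of the generic high-port rules above admit.
-A INPUT -s DNS_SERVER_IP -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -s DNS_SERVER_IP -p tcp -m tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT

# amanda client (Yuck! This should be cleaned up and debugged some more)
# The backup server sends UDP requests to the amanda port and then opens TCP
# connections to unprivileged ports on this host (the amanda protocol has the
# server connect back to the client), so NEW connections from it to any high port
# have to be accepted.  Keep this pinned to the single server address; never widen
# it to a network.
-A INPUT -s AMANDA_SERVER_IP -p udp -m udp --dport amanda -j ACCEPT
-A INPUT -s AMANDA_SERVER_IP -p tcp -m tcp --dport 1024: -j ACCEPT

# debug any straggling issues
# WARNING: the INPUT rule below is an unconditional allow-all from one host (it is
# logged, but accepted).  It is commented out by default like the other debugging
# rules; enable it only while diagnosing a service (e.g. the amanda setup above)
# and remove it again afterwards.
# -A INPUT -s DEBUG_HOST_IP -j accept-n-log
# -A OUTPUT -d DEBUG_HOST_IP -p udp -j accept-n-log

# rsync client (not typically needed, but just another simple example)
# -A INPUT -p tcp -m tcp --sport 873 -m state --state ESTABLISHED -j ACCEPT

# ssh server (one ACCEPT entry for each allowable client host/subnet)
# Every new (or invalid) inbound ssh attempt is logged first.  LOG is
# non-terminating, so allowed clients are still accepted by the following rule and
# everybody else falls through to the DROP policy.  The limit keeps a port scan or
# a password-guessing run from flooding syslog.
-A INPUT -p tcp -m tcp --dport 22 -m state --state INVALID,NEW -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "iptables(ssh connection): "
-A INPUT -s SSH_CLIENT_NET -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

# http server (Obviously commented out by default)
# -A INPUT -p tcp -m tcp --sport 1024: --dport http -m state --state NEW,ESTABLISHED -j ACCEPT
# -A INPUT -p tcp -m tcp --sport 1024: --dport https -m state --state NEW,ESTABLISHED -j ACCEPT
# -A INPUT -p tcp -m tcp --sport 1024: --dport webcache -m state --state NEW,ESTABLISHED -j ACCEPT

# smtp server (Obviously commented out by default)
# -A INPUT -p tcp -m tcp --dport smtp -m state --state NEW,ESTABLISHED -j ACCEPT
# (presumably the replies to ident lookups a local MTA makes of connecting clients)
# -A INPUT -p tcp -m tcp --sport auth -m state --state ESTABLISHED -j ACCEPT

# debugging (or to help add new services / clients)
# -A INPUT -m state --state ESTABLISHED,RELATED -j accept-n-log
# -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j accept-n-log

# debugging (or to find stray virii / rider programs)
# -A OUTPUT -p tcp -j drop-n-log

# always necessary for iptables-restore
COMMIT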