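# /etc/sysconfig/iptables
#
# IPTABLES sample config file for workstation (iptables-save format,
# loaded with iptables-restore by the iptables init script).
#
# Make sure you fix the appropriate sections below, and add duplicate
# entries as necessary (with different IPADDR's of course).  Every
# "<..._IP>" placeholder MUST be replaced with a real address or CIDR
# before loading: iptables-restore rejects a "-s" with no argument and
# the whole ruleset fails to load, leaving whatever was active before.
#
# created by Bryan Cardillo
# modified by Daniel Widyono
#
# default policy - deny on INPUT, FORWARD and OUTPUT
#
# allow unrestricted icmp (should be tightened)
# allow in/out dns to name servers
# allow in/out ntp to ntp servers
# allow unrestricted ssh out
# allow ssh in from designated hosts
# allow unrestricted in/out from internal interfaces (only "lo" below;
#   add -i/-o rules for any trusted LAN interface yourself)
# allow amanda server to contact and backup local filesystems
# allow http, https access out
# allow lpr client out
# allow ftp client out
#
# NOTE: "-m state" is the legacy match; current iptables prefers
# "-m conntrack --ctstate" with the same semantics.  Kept as-is for
# compatibility with the older kernels this file was written for.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# User chains are declared in iptables-save syntax (":name - [0:0]"),
# like the built-in chains above, instead of "-N name".
:accept-n-log - [0:0]
:drop-n-log - [0:0]
# LOGGING / DEBUGGING
# LOG is non-terminating, so the rate limit only throttles the log line;
# the ACCEPT / DROP that follows still applies to every packet.  Without
# the limit a flood of matching packets fills the syslog partition.
-A accept-n-log -m limit --limit 10/min --limit-burst 20 -j LOG --log-level 4 --log-prefix "accept-n-log:"
-A accept-n-log -j ACCEPT
-A drop-n-log -m limit --limit 10/min --limit-burst 20 -j LOG --log-level 4 --log-prefix "drop-n-log:"
-A drop-n-log -j DROP
# internal interfaces
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# all outgoing
# This accepts every NEW outbound connection, so the per-service "out"
# entries in the header are documentation, not enforcement: anything on
# this host can reach anything.  Tighten by replacing it with per-port
# OUTPUT rules (ending with "-A OUTPUT -j drop-n-log") when needed.
# RELATED is included so our own ICMP error replies (e.g. port
# unreachable) are not silently dropped by the OUTPUT policy.
-A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# icmp (unrestricted -- should be tightened, e.g. to echo-request,
# echo-reply, destination-unreachable and time-exceeded only)
-A INPUT -p icmp -j ACCEPT
# ssh client
# The "--sport X ESTABLISHED" rules below are safe only because of the
# state match: a packet forged with source port 22 still needs a matching
# conntrack entry, which only an outbound NEW connection (OUTPUT rule
# above) creates.
-A INPUT -p tcp -m tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
# http client
-A INPUT -p tcp -m tcp --sport http --dport 1024: -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport https --dport 1024: -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport webcache --dport 1024: -m state --state ESTABLISHED -j ACCEPT
# lpr client
-A INPUT -p tcp -m tcp --sport printer -m state --state ESTABLISHED -j ACCEPT
# ftp client (active and passive)
# RELATED on ftp-data is for active mode and only works with the ftp
# conntrack helper (ip_conntrack_ftp / nf_conntrack_ftp) loaded.  The
# third rule covers passive-mode data connections (high port to high
# port); it is broad, but ESTABLISHED still ties it to connections we
# initiated ourselves.
-A INPUT -p tcp -m tcp --sport ftp -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport ftp-data -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
# IMAP+SSL
-A INPUT -p tcp -m tcp --sport imaps -m state --state ESTABLISHED -j ACCEPT
# auth service (identd), for tcp_wrapper'ed services which insist on checking
# Accepting NEW here from any source exposes identd (if one is running)
# to the world, and identd answers can reveal local usernames.  The
# alternative is to answer with a TCP reset so the remote service fails
# fast instead of waiting for a timeout -- "DENY" is not an iptables
# target, REJECT is:
# -A INPUT -p tcp -m tcp --dport auth -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp --dport auth -m state --state NEW,ESTABLISHED -j ACCEPT
# Outbound SMTP / e-mail
-A INPUT -p tcp -m tcp --sport smtp -m state --state ESTABLISHED -j ACCEPT
# ntp client
# These entries need to match /etc/ntp.conf server entries (see also
# the restrict entries in ntp.conf if you are restricting all by default).
# One entry per server.  No state match here: any UDP packet from that
# host with source port 123 is accepted.  Adding "-m state --state
# ESTABLISHED" would limit it to replies to our own queries but breaks
# broadcast/multicast NTP -- decide per site.
-A INPUT -s <NTP_SERVER_IP> -p udp -m udp --sport 123 -j ACCEPT
# dns client
# These entries need to match /etc/resolv.conf nameserver entries (if you
# use DHCP, you'll need to modify /etc/init.d/iptables to dynamically create
# these entries, or else open port 53 to a range of IP addresses).
# One entry per nameserver.
-A INPUT -s <NAMESERVER_IP> -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
# amanda client (Yuck! This should be cleaned up and debugged some more)
# The second rule lets the amanda server open NEW tcp connections to
# EVERY unprivileged port on this host, with no state match at all.
# That is a full trust relationship with that address; make sure it is
# a single host, not a subnet.
-A INPUT -s <AMANDA_SERVER_IP> -p udp -m udp --dport amanda -j ACCEPT
-A INPUT -s <AMANDA_SERVER_IP> -p tcp -m tcp --dport 1024: -j ACCEPT
# debug any straggling issues
# WARNING: these accept (and log) ALL traffic from / to the debug host,
# bypassing every rule above for that address.  Comment them out once
# the ruleset is settled.
-A INPUT -s <DEBUG_HOST_IP> -j accept-n-log
-A OUTPUT -d <DEBUG_HOST_IP> -p udp -j accept-n-log
# rsync client (not typically needed, but just another simple example)
# -A INPUT -p tcp -m tcp --sport 873 -m state --state ESTABLISHED -j ACCEPT
# ssh server (one entry for each allowable client/subnet)
# The log rule sees every NEW/INVALID packet to port 22 from anywhere,
# so it is rate-limited: an unthrottled LOG here is a trivial remote way
# to fill the logs.  Connections from addresses not listed below fall
# through to the INPUT DROP policy.
-A INPUT -p tcp -m tcp --dport 22 -m state --state INVALID,NEW -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "iptables(ssh connection): "
-A INPUT -s <SSH_CLIENT_IP_OR_CIDR> -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
# http server (Obviously commented out by default)
# -A INPUT -p tcp -m tcp --sport 1024: --dport http -m state --state NEW,ESTABLISHED -j ACCEPT
# -A INPUT -p tcp -m tcp --sport 1024: --dport https -m state --state NEW,ESTABLISHED -j ACCEPT
# -A INPUT -p tcp -m tcp --sport 1024: --dport webcache -m state --state NEW,ESTABLISHED -j ACCEPT
# smtp server (Obviously commented out by default)
# -A INPUT -p tcp -m tcp --dport smtp -m state --state NEW,ESTABLISHED -j ACCEPT
# -A INPUT -p tcp -m tcp --sport auth -m state --state ESTABLISHED -j ACCEPT
# debugging (or to help add new services / clients)
# -A INPUT -m state --state ESTABLISHED,RELATED -j accept-n-log
# -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j accept-n-log
# debugging (or to find stray virii / rider programs)
# -A OUTPUT -p tcp -j drop-n-log
# always necessary for iptables-restore
COMMIT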