nfs client and iptables

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Louis Garcia <louisg00@bellsouth.net>
To: nfs@lists.sourceforge.net
Subject: nfs client and iptables
Date: 17 May 2002 19:54:56 -0400	[thread overview]
Message-ID: <1021679697.5635.12.camel@tiger> (raw)
In-Reply-To: <1021587354.1123.29.camel@tiger>

I'm just trying to teach myself how to configure a filewall using
iptables. This is my current script:

## Set up a default DROP policy for the built-in chains.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

## LOOPBACK
# Allow unlimited traffic on the loopback interface.
iptables -A INPUT -i lo -j ACCEPT

## SYN-FLOODING PROTECTION
iptables -N syn-flood
iptables -A INPUT -i eth0 -p tcp --syn -j syn-flood
iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A syn-flood -j DROP

## Make sure NEW tcp connections are SYN packets
iptables -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j DROP

## FRAGMENTS
# Log fragments just to see if we get any, and deny them too.
iptables -A INPUT -i eth0 -f -j LOG --log-prefix "IPTABLES FRAGMENTS: "
iptables -A INPUT -i eth0 -f -j DROP

## SPOOFING
# Refuse spoofed packets pretending to be from your IP address.
iptables -A INPUT -i eth0 -s 192.168.1.4/27 -j DROP
# Refuse packets claiming to be from a Class A private network.
iptables -A INPUT -i eth0 -s 10.0.0.0/8 -j DROP
# Refuse packets claiming to be from a Class B private network.
iptables -A INPUT -i eth0 -s 172.16.0.0/12 -j DROP
# Refuse packets claiming to be from a Class C private network.
iptables -A INPUT -i eth0 -s 192.168.0.0/16 -j DROP
# Refuse Class D multicast addresses. Multicast is illegal as a source
# address.
iptables -A INPUT -i eth0 -s 224.0.0.0/4 -j DROP
# Refuse Class E reserved IP addresses.
iptables -A INPUT -i eth0 -s  240.0.0.0/4 -j DROP
# Refuse packets claiming to be to the loopback interface.
iptables -A INPUT -i eth0 -d 127.0.0.1/27 -j DROP
# Refuse broadcast address packets.
iptables -A INPUT -i eth0 -d 192.168.1.31 -j DROP

## DNS server access (53)
# Allow UDP packets in for DNS client from nameservers.
iptables -A INPUT -i eth0 -p udp -s 205.152.16.20 --sport 53 -m state \
--state ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p udp -s 205.152.0.5 --sport 53 -m state \
--state ESTABLISHED -j ACCEPT

## Web sites access (80,443 tcp)
# Allow www surfing (HTTP). (80)
iptables -A INPUT -i eth0 -p tcp --sport 80 -m state --state \
ESTABLISHED -j ACCEPT
# Allow secure www surfing (HTTPS). (443)
iptables -A INPUT -i eth0 -p tcp --sport 443 -m state --state \
ESTABLISHED -j ACCEPT

## POP (110)
# Allow to send mail to remote server.
iptables -A INPUT -i eth0 -p tcp --sport 110 -m state --state \
ESTABLISHED -j ACCEPT

## SMTP (25)
# Allow to retrieve mail from remote server.
iptables -A INPUT -i eth0 -p tcp --sport 25 -m state --state \
ESTABLISHED -j ACCEPT

## NTTP (119)
# Allow news from remote hosts.
iptables -A INPUT -i eth0 -p tcp --sport 119 -m state --state \
ESTABLISHED -j ACCEPT

## FTP (20,21,1024:65535)
# Allow ftp to remote systems. (21)
iptables -A INPUT -i eth0 -p tcp --sport 21 -m state --state \
ESTABLISHED -j ACCEPT
# 1) Active ftp. (20)
iptables -A INPUT -i eth0 -p tcp --sport 20 -m state --state \
ESTABLISHED,RELATED -j ACCEPT
# 2) Passive ftp. (1024:65535)
iptables -A INPUT -i eth0 -p tcp --sport 1024:65535 --dport 1024:65535 \
  -m state --state ESTABLISHED -j ACCEPT

## IRC (6777)
# Allow xchat to access remote hosts.
iptables -A INPUT -i eth0 -p tcp --sport 6777 -m state --state \
ESTABLISHED -j ACCEPT

I'm on a private network (192.168.1.0/27) and my nfs server is (192.168.1.1/27)
I still need help with mounting nfs shares, accessing ssh remote systems,
ping and traceroute out. Can someone help me out, at least the nfs part?

Thanks, --Louis



_______________________________________________________________

Hundreds of nodes, one monster rendering program.
Now that’s a super model! Visit http://clustering.foundries.sf.net/
_______________________________________________
NFS maillist  -  NFS@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfs

          parent reply	other threads:[~2002-05-17 23:53 UTC|newest]

Thread overview: expand[flat|nested]  mbox.gz  Atom feed
 [parent not found: <1021587354.1123.29.camel@tiger>]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1021679697.5635.12.camel@tiger \
    --to=louisg00@bellsouth.net \
    --cc=nfs@lists.sourceforge.net \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.