From: Alistair Tonner <Alistair@nerdnet.ca>
To: "Robert P. J. Day" <rpjday@mindspring.com>,
Chris Brenton <cbrenton@chrisbrenton.org>
Cc: Gilles Yue <gyue@novelgmt.intnet.mu>,
iptables mailing list <netfilter@lists.netfilter.org>
Subject: Re: iptables scripts
Date: Fri, 31 Oct 2003 08:54:34 -0500
Message-ID: <200310310854.34327.Alistair@nerdnet.ca>
In-Reply-To: <Pine.LNX.4.44.0310310819220.6460-100000@localhost.localdomain>
On October 31, 2003 08:22 am, Robert P. J. Day wrote:
> On 31 Oct 2003, Chris Brenton wrote:
> > On Fri, 2003-10-31 at 07:26, Robert P. J. Day wrote:
> > > for the iptables tutorial i was talking about that i'm giving on
> > > monday, here's the first part of my script, just to show folks what
> > > they can do:
> >
> > This is *totally* cool. Thank you for sharing this with the list! :)
> >
> > The only thing I would add would be:
> > iptables -F INPUT
> > iptables -F OUTPUT
> > iptables -F FORWARD
> > iptables --table nat --flush
> >
> > or what ever you need. This way you can run it from the command line and
> > clear out all existing rules before you write everything back in.
>
> ah, grasshopper, i didn't show you the other two scripts i'm going
> to demo. first, there's the lockdown script, to be run if you realize
> you've been hacked:
You might NOT want to run this from ssh sessions!!!
*grin* ... sure, to most of us this is obvious... not,
however, to everyone ...
> ---------------------------------------------------------
> #!/bin/sh
>
> # PANIC! Lock the machine down.
>
> IPT="/sbin/iptables"
>
> # Flush all chains.
>
> $IPT -F # by default filter
> $IPT -t nat -F
> $IPT -t mangle -F
>
> # Delete all user-defined chains.
>
> for table in filter nat mangle ; do
>     $IPT -t $table -X
> done
>
> # Reset all policies to DROP.
>
> for chain in INPUT OUTPUT FORWARD ; do
>     $IPT -P $chain DROP
> done
>
> echo "System totally locked down."
> -----------------------------------------------------------
>
> and then there's the "clear all" script, which you would run
> if you made a total mess of your rules and just want to clear
> them out:
>
> ----------------------------------------------------------
> #!/bin/sh
>
> # PANIC! We've screwed up our tables.
>
> IPT="/sbin/iptables"
>
> # Flush all chains.
>
> $IPT -F
> $IPT -t nat -F
> $IPT -t mangle -F
>
> # Delete all user-defined chains.
>
> for table in filter nat mangle ; do
>     $IPT -t $table -X
> done
>
> # Reset all policies to ACCEPT.
>
> for chain in INPUT OUTPUT FORWARD ; do
>     $IPT -P $chain ACCEPT
> done
>
> echo "System totally open, you are now fair game."
> -------------------------------------------------
>
> the tutorial will suggest that users can incorporate
> the above in their main script any way they want.
>
> rday
--
Alistair Tonner
nerdnet.ca
Senior Systems Analyst - RSS
Any sufficiently advanced technology will have the appearance of magic.
Let's get magical!
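Alistair's caution above, worked through as an added example (this is neither the script Robert posted nor anything else from the list): a lockdown variant that exempts the SSH session it is launched from before the policies go to DROP. It assumes OpenSSH, which exports SSH_CONNECTION as "client_ip client_port server_ip server_port" into the login session, and a kernel with the conntrack match (-m conntrack); the helper names ssh_peer, ipt, lockdown and main and the --apply flag are this example's own.

```sh
#!/bin/sh
# PANIC lockdown that keeps the administrator's own SSH session alive.
# Added example for this thread; not the script posted by Robert P. J. Day.
# Assumes OpenSSH, which exports SSH_CONNECTION="client_ip client_port server_ip server_port"
# into the login session, and a kernel with the conntrack match (-m conntrack).
# Hypothetical helper names: ssh_peer, ipt, lockdown, main.

IPT="${IPT:-/sbin/iptables}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the plan, 0 = run it (main decides)

# Print "client_ip server_port" for the SSH session this runs in.
# Prints nothing (and fails) on a console login, so nothing is exempted there.
ssh_peer() {
    # Word-splitting SSH_CONNECTION is intended; it has four space-separated fields.
    set -- ${SSH_CONNECTION:-}
    [ $# -eq 4 ] && printf '%s %s\n' "$1" "$4"
}

# Run one iptables command, or echo it in dry-run mode.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# Order matters:
#  1. flush and delete chains in every table (as the original panic script does),
#  2. append the exemption for our session AFTER the flush so the flush cannot
#     remove it; conntrack entries survive a rule flush, so the running session
#     still matches --ctstate ESTABLISHED,
#  3. only then switch the policies to DROP.
lockdown() {
    peer=$(ssh_peer) || true
    for table in filter nat mangle; do
        ipt -t "$table" -F
        ipt -t "$table" -X
    done
    if [ -n "$peer" ]; then
        set -- $peer   # $1 = client IP, $2 = sshd port
        ipt -A INPUT  -p tcp -s "$1" --dport "$2" -m conntrack --ctstate ESTABLISHED -j ACCEPT
        ipt -A OUTPUT -p tcp -d "$1" --sport "$2" -m conntrack --ctstate ESTABLISHED -j ACCEPT
    fi
    for chain in INPUT OUTPUT FORWARD; do
        ipt -P "$chain" DROP
    done
    if [ "$DRY_RUN" != 1 ]; then
        echo "System locked down; surviving access: ${peer:-console only}."
    fi
}

# ./lockdown.sh         prints the plan for review
# ./lockdown.sh --apply runs it (needs root)
main() {
    case "${1:-}" in
        --apply) DRY_RUN=0 ;;
        *)       DRY_RUN=1 ;;
    esac
    lockdown
}

main "$@"
```

Run without arguments it only prints the iptables calls it would make, which is the cheapest way to see whether the exemption lines appear between the flush and the DROP policies; `--apply` executes them. From a console login SSH_CONNECTION is unset, nothing is exempted, and the result is the same total lockdown as Robert's script. The exemption is deliberately narrow (one source address, the sshd port, ESTABLISHED only), but anyone who already holds a session to that port from the same client address keeps it too, so check `who` before trusting the survivor list.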
Thread overview: 8+ messages
2003-10-31 11:25 iptables scripts Gilles Yue
2003-10-31 12:12 ` Chris Brenton
2003-10-31 12:26 ` Robert P. J. Day
2003-10-31 13:11 ` Chris Brenton
2003-10-31 13:22 ` Robert P. J. Day
2003-10-31 13:54 ` Alistair Tonner [this message]
2003-10-31 13:55 ` Robert P. J. Day
2003-10-31 13:56 ` Achim Dreyer