* Tips for script
@ 2004-08-05 0:04 Jacob Friis Larsen
2004-08-05 12:11 ` Antony Stone
2004-08-05 12:17 ` Gavin Hamill
0 siblings, 2 replies; 3+ messages in thread
From: Jacob Friis Larsen @ 2004-08-05 0:04 UTC (permalink / raw)
To: netfilter
Would this script work like this:
- Allow all outgoing.
- Allow all to port 80, 21, 22, 25, 143
What else does it do?
Any tips?
I got it from http://iptables-script.dk/index1.php
Thanks,
Jacob
#!/bin/sh
# iptables script generator: V0.1-2002
# Comes with no warranty!
# e-mail: michael@1go.dk
# Disable forwarding
echo 0 > /proc/sys/net/ipv4/ip_forward
WAN_IP='x.x.x.x'
WAN_NIC='eth0'
# load some modules (if needed)
modprobe ip_nat_ftp
modprobe ip_conntrack_ftp
# Flush
iptables -t nat -F POSTROUTING
iptables -t nat -F PREROUTING
iptables -t nat -F OUTPUT
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Open ports on router for server/services
iptables -A INPUT -j ACCEPT -p tcp --dport 80
iptables -A INPUT -j ACCEPT -p tcp --dport 21
iptables -A INPUT -j ACCEPT -p tcp --dport 22
iptables -A INPUT -j ACCEPT -p tcp --dport 25
iptables -A INPUT -j ACCEPT -p tcp --dport 143
# STATE RELATED for router
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
* Re: Tips for script
From: Antony Stone @ 2004-08-05 12:11 UTC (permalink / raw)
To: netfilter
On Thursday 05 August 2004 1:04 am, Jacob Friis Larsen wrote:
> Would this script work like this:
> - Allow all outgoing.
> - Allow all to port 80, 21, 22, 25, 143
Yes.
> What else does it do?
It enables packet forwarding for no apparent reason, as the machine has only
one interface and the FORWARD chain has a default DROP policy with no rules.
It also loads the ip_nat_ftp module for no purpose, since the machine does not
do nat.
> Any tips?
Personally I'd put the ESTABLISHED,RELATED rule first, for efficiency.
You might want to allow loopback packets as well, depending on what
applications you're running on the machine.
iptables -A INPUT -i lo -j ACCEPT
Regards,
Antony.
> #!/bin/sh
>
> # iptables script generator: V0.1-2002
> # Comes with no warranty!
> # e-mail: michael@1go.dk
>
> # Disable forwarding
> echo 0 > /proc/sys/net/ipv4/ip_forward
>
> WAN_IP='x.x.x.x'
> WAN_NIC='eth0'
>
> # load some modules (if needed)
> modprobe ip_nat_ftp
> modprobe ip_conntrack_ftp
>
> # Flush
> iptables -t nat -F POSTROUTING
> iptables -t nat -F PREROUTING
> iptables -t nat -F OUTPUT
> iptables -F
>
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT ACCEPT
>
> # Open ports on router for server/services
> iptables -A INPUT -j ACCEPT -p tcp --dport 80
> iptables -A INPUT -j ACCEPT -p tcp --dport 21
> iptables -A INPUT -j ACCEPT -p tcp --dport 22
> iptables -A INPUT -j ACCEPT -p tcp --dport 25
> iptables -A INPUT -j ACCEPT -p tcp --dport 143
>
> # STATE RELATED for router
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # Enable forwarding
> echo 1 > /proc/sys/net/ipv4/ip_forward
--
What is this talk of "software release"?
Our software evolves and matures until it is capable of escape, leaving a
bloody trail of designers and quality assurance people in its wake.
Please reply to the list;
please don't CC me.
* Re: Tips for script
From: Gavin Hamill @ 2004-08-05 12:17 UTC (permalink / raw)
To: netfilter
On Thursday 05 August 2004 01:04, Jacob Friis Larsen wrote:
> Would this script work like this:
> - Allow all outgoing.
> - Allow all to port 80, 21, 22, 25, 143
Yes. Be aware that it will only affect packets coming from or going into that
actual machine - it will completely forbid any 'forward' traffic to other
hosts on the network going through that box.
> echo 1 > /proc/sys/net/ipv4/ip_forward
This line is redundant, since setting the default policy in the FORWARD table
to be DROP will not permit any packets to be forwarded.
If this is what you want, I'd just leave /proc/sys/net/ipv4/ip_forward set to
zero :)
gdh
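Added example, not code from this thread or from iptables-script.dk: the posted script regenerated with the changes Antony and Gavin describe (ESTABLISHED,RELATED rule first, a loopback rule, ip_forward left at zero, no NAT helper on a host that does no NAT), plus an audit function that reads an iptables-save style listing and reports the two ordering points. The function names gen_rules, audit_rules and audit_text, and the two sample listings, are constructed for this example; the rules keep the 2004-era `-m state` match the thread uses.

```shell
#!/bin/sh
# Example built for this thread, not the script from iptables-script.dk.
# gen_rules prints the reworked script; audit_rules checks a saved ruleset.

# Emit the reworked script on stdout. Apply (as root) with:  gen_rules | sh
gen_rules() {
    cat <<'EOF'
#!/bin/sh
# Forwarding stays off: one interface, FORWARD policy is DROP, nothing to route.
echo 0 > /proc/sys/net/ipv4/ip_forward
# Only the conntrack helper: this host does no NAT, so the NAT helper is not loaded.
modprobe ip_conntrack_ftp
# Flush all nat chains and the filter table.
iptables -t nat -F
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Stateful rule first: replies to existing connections are most of the inbound
# traffic and match here without walking the per-port rules.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Loopback, so local daemons can talk to each other.
iptables -A INPUT -i lo -j ACCEPT
# Only new connections to the served ports get this far.
EOF
    for port in 80 21 22 25 143; do
        echo "iptables -A INPUT -p tcp --dport $port -j ACCEPT"
    done
}

# Read iptables-save style lines on stdin and check the INPUT chain for the
# two points raised in the thread: the stateful ACCEPT should come before the
# per-port ACCEPTs, and loopback should be accepted. Prints one FINDING line
# per problem; exit status 0 when clean, 1 otherwise.
audit_rules() {
    awk '
        /^-A INPUT/ {
            n++
            if ($0 ~ /--state (ESTABLISHED,RELATED|RELATED,ESTABLISHED)/ && state_pos == 0) state_pos = n
            if ($0 ~ /--dport/ && $0 ~ /-j ACCEPT/ && port_pos == 0) port_pos = n
            if ($0 ~ /-i lo /) have_lo = 1
        }
        END {
            bad = 0
            if (state_pos == 0) {
                print "FINDING: no ESTABLISHED,RELATED rule in INPUT"; bad = 1
            } else if (port_pos && port_pos < state_pos) {
                print "FINDING: per-port ACCEPT at rule " port_pos " precedes the ESTABLISHED,RELATED rule at " state_pos; bad = 1
            }
            if (!have_lo) { print "FINDING: no loopback ACCEPT rule in INPUT"; bad = 1 }
            exit bad
        }'
}

# Convenience wrapper: audit a listing held in a string.
audit_text() {
    printf '%s\n' "$1" | audit_rules
}

# Constructed iptables-save excerpt with the INPUT chain in the posted order.
POSTED_INPUT='-P INPUT DROP
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'

# Constructed excerpt of the same chain after the rework.
FIXED_INPUT='-P INPUT DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'

# Stand-alone run: show the generated script, then audit both samples.
gen_rules
echo '--- audit of the posted order:'
audit_text "$POSTED_INPUT" || echo "audit exit status: $?"
echo '--- audit of the reworked order:'
audit_text "$FIXED_INPUT" && echo 'clean'
```

The audit accepts both `ESTABLISHED,RELATED` as typed in a script and `RELATED,ESTABLISHED` as iptables-save prints it, so it can be run directly on `iptables-save` output from a live box.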