* Starter iptables scripts
@ 2011-05-04 23:01 Harry Putnam
2011-05-04 23:19 ` Andrew Beverley
0 siblings, 1 reply; 4+ messages in thread
From: Harry Putnam @ 2011-05-04 23:01 UTC (permalink / raw)
To: netfilter
Setup: Running Gentoo Linux
Iptables and many related parts compiled into kernel
Can anyone offer well used and vouched for URLs to iptables scripts
for a starter firewall setup?
* Re: Starter iptables scripts
From: Andrew Beverley @ 2011-05-04 23:19 UTC (permalink / raw)
To: Harry Putnam; +Cc: netfilter
On Wed, 2011-05-04 at 18:01 -0500, Harry Putnam wrote:
> Setup: Running Gentoo Linux
> Iptables and many related parts compiled into kernel
>
> Can anyone offer well used and vouched for URLs to iptables scripts
> for a starter firewall setup?
>
There's plenty of stuff out there if you Google, but if you tell us
exactly what you want to achieve then we will suggest something.
A good starting point for a basic firewall is to block all incoming
unrelated requests, but let everything out. Not particularly
comprehensive, but it may suit your needs:
iptables -A INPUT -i $ext_IF -m state \
--state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $ext_IF -j DROP
You may also want to do FORWARD if you use this as a gateway:
iptables -A FORWARD -i $ext_IF -m state \
--state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $ext_IF -j DROP
Andy
* Re: Starter iptables scripts
From: Jan Engelhardt @ 2011-05-04 23:41 UTC (permalink / raw)
To: Andrew Beverley; +Cc: Harry Putnam, netfilter
On Thursday 2011-05-05 01:19, Andrew Beverley wrote:
>On Wed, 2011-05-04 at 18:01 -0500, Harry Putnam wrote:
>> Setup: Running Gentoo Linux
>> Iptables and many related parts compiled into kernel
>>
>> Can anyone offer well used and vouched for URLs to iptables scripts
>> for a starter firewall setup?
>>
>
>There's plenty of stuff out there if you Google, but if you tell us
>exactly what you want to achieve then we will suggest something.
>
>A good starting point for a basic firewall is to block all incoming
>unrelated requests, but let everything out. Not particularly
>comprehensive, but it may suit your needs:
>
>iptables -A INPUT -i $ext_IF -m state \
> --state ESTABLISHED,RELATED -j ACCEPT
>iptables -A INPUT -i $ext_IF -j DROP
-m conntrack --ctstate ... it is these days.
And beyond the first, it's all custom in the sense that scripts only
cater for a subset of cases. By the time you have configured a frontend
you can end up wanting something that it cannot map, and so one is
oftentimes better off just writing the rules oneself, also
because then the amount of autogenerated indirection is nil.
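The two messages above between them describe a complete starter policy: Andrew's "accept ESTABLISHED,RELATED on the external interface, drop the rest, optionally the same on FORWARD for a gateway", written with the `-m conntrack --ctstate` match Jan recommends instead of `-m state`. The script below is an added example, not code from either poster or from the netfilter project. It emits the policy as an iptables-restore ruleset rather than running `iptables` line by line, so the whole thing can be parsed with `iptables-restore --test` before anything is committed. The interface name `eth0`, the `GATEWAY` switch and the extra `INVALID` drop rule are assumptions of this example, not part of the thread.

```shell
#!/bin/sh
# Added example (not from the thread): generate an iptables-restore
# ruleset for the starter policy discussed above.
#
#   sh starter-fw.sh                    # print ruleset for eth0, host only
#   EXT_IF=ppp0 GATEWAY=yes sh starter-fw.sh | iptables-restore --test
#
# Chain policies stay ACCEPT and every rule is scoped to the external
# interface with -i, exactly as in Andrew's rules: traffic on lo or a LAN
# interface is untouched, and everything outbound is allowed.

gen_ruleset() {
    gr_ext_if="$1"            # external interface (assumed name, e.g. eth0)
    gr_gateway="${2:-no}"     # "yes" adds the FORWARD rules for a gateway

    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Packets conntrack cannot associate with a known flow (bad TCP flags,
# out-of-window, etc.). Not in the original rules; added here.
-A INPUT -i $gr_ext_if -m conntrack --ctstate INVALID -j DROP
# Replies to flows this host opened, plus RELATED traffic such as ICMP
# errors or an FTP data connection. Must come before the final DROP.
-A INPUT -i $gr_ext_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Anything else arriving unsolicited from outside is dropped. Note this
# also drops NEW inbound SSH: an existing session survives (ESTABLISHED),
# a fresh one does not, so add an explicit ACCEPT above if you need it.
-A INPUT -i $gr_ext_if -j DROP
EOF

    if [ "$gr_gateway" = yes ]; then
        cat <<EOF
# Gateway: same policy for traffic routed through this box. LAN-to-
# Internet flows enter on the LAN interface and are not matched here.
-A FORWARD -i $gr_ext_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $gr_ext_if -j DROP
EOF
    fi

    printf 'COMMIT\n'
}

# Parse-only check, then load. iptables-restore --test builds the ruleset
# without committing it, so a typo fails here instead of half-applied.
apply_ruleset() {
    gen_ruleset "$1" "$2" | iptables-restore --test || return 1
    gen_ruleset "$1" "$2" | iptables-restore
}

# Stand-alone: print the ruleset for the chosen interface.
gen_ruleset "${EXT_IF:-eth0}" "${GATEWAY:-no}"
```

Because the rules are interface-scoped and the policies remain ACCEPT, this is deliberately the same narrow scope Andrew described: it protects a single external interface and nothing more. Switching the chain policies to DROP is the usual next step, but then loopback and LAN traffic need their own ACCEPT rules or local services stop working.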
* Re: Starter iptables scripts
From: Andrew Beverley @ 2011-05-05 6:03 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Harry Putnam, netfilter
On Thu, 2011-05-05 at 01:41 +0200, Jan Engelhardt wrote:
>
> -m conntrack --ctstate ... it is these days.
>
Thanks Jan. I should have known that, having had it pointed out to me
once already on this list :)
Andy