From: Alistair Tonner <Alistair@nerdnet.ca>
To: "Robert P. J. Day" <rpjday@mindspring.com>,
Chris Brenton <cbrenton@chrisbrenton.org>
Cc: Gilles Yue <gyue@novelgmt.intnet.mu>,
iptables mailing list <netfilter@lists.netfilter.org>
Subject: Re: iptables scripts
Date: Fri, 31 Oct 2003 08:54:34 -0500
Message-ID: <200310310854.34327.Alistair@nerdnet.ca>
In-Reply-To: <Pine.LNX.4.44.0310310819220.6460-100000@localhost.localdomain>
On October 31, 2003 08:22 am, Robert P. J. Day wrote:
> On 31 Oct 2003, Chris Brenton wrote:
> > On Fri, 2003-10-31 at 07:26, Robert P. J. Day wrote:
> > > for the iptables tutorial i was talking about that i'm giving on
> > > monday, here's the first part of my script, just to show folks what
> > > they can do:
> >
> > This is *totally* cool. Thank you for sharing this with the list! :)
> >
> > The only thing I would add would be:
> > iptables -F INPUT
> > iptables -F OUTPUT
> > iptables -F FORWARD
> > iptables --table nat --flush
> >
> > or whatever you need. This way you can run it from the command line and
> > clear out all existing rules before you write everything back in.
>
> ah, grasshopper, i didn't show you the other two scripts i'm going
> to demo. first, there's the lockdown script, to be run if you realize
> you've been hacked:
You might NOT want to run this from ssh sessions!!!
*grin* ... sure, to most of us this is obvious ... not
however to everyone ...
> ---------------------------------------------------------
> #!/bin/sh
>
> # PANIC! Lock the machine down.
>
> IPT="/sbin/iptables"
>
> # Flush all chains.
>
> $IPT -F # by default filter
> $IPT -t nat -F
> $IPT -t mangle -F
>
> # Delete all user-defined chains.
>
> for table in filter nat mangle ; do
> $IPT -t $table -X
> done
>
> # Reset all policies to DROP.
>
> for chain in INPUT OUTPUT FORWARD ; do
> $IPT -P $chain DROP
> done
>
> echo "System totally locked down."
> -----------------------------------------------------------
>
> and then there's the "clear all" script, which you would run
> if you made a total mess of your rules and just want to clear
> them out:
>
> ----------------------------------------------------------
> #!/bin/sh
>
> # PANIC! We've screwed up our tables.
>
> IPT="/sbin/iptables"
>
> # Flush all chains.
>
> $IPT -F
> $IPT -t nat -F
> $IPT -t mangle -F
>
> # Delete all user-defined chains.
>
> for table in filter nat mangle ; do
> $IPT -t $table -X
> done
>
> # Reset all policies to ACCEPT.
>
> for chain in INPUT OUTPUT FORWARD ; do
> $IPT -P $chain ACCEPT
> done
>
> echo "System totally open, you are now fair game."
> -------------------------------------------------
>
> the tutorial will suggest that users can incorporate
> the above in their main script any way they want.
>
> rday
--
Alistair Tonner
nerdnet.ca
Senior Systems Analyst - RSS
Any sufficiently advanced technology will have the appearance of magic.
Lets get magical!
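The lock-out Alistair warns about has a standard fix a lockdown script can build in: insert a lifeline for the administrator's live SSH session (and the admin's own address) before the policies flip to DROP. The connection-tracking table survives a rule flush, so an ESTABLISHED match still sees the current session. This is an added example, not code from the thread; it assumes iptables with the conntrack match, an sshd that exports SSH_CLIENT, and that IPT can be pointed at echo for a dry run.

```shell
#!/bin/sh
# Added example (not from the thread): a lockdown that keeps the admin's
# own SSH session alive. Assumes iptables with the conntrack match and an
# sshd that exports SSH_CLIENT="client_ip client_port server_port".
# Set IPT=echo to dry-run and inspect the commands instead of applying them.
IPT="${IPT:-/sbin/iptables}"

# Address of the client on the current SSH session, or empty if none.
admin_addr() {
    # Unquoted on purpose: split SSH_CLIENT into its three fields.
    set -- ${SSH_CLIENT:-}
    printf '%s' "${1:-}"
}

lockdown() {
    admin="$(admin_addr)"

    # Flush rules and delete user chains in every table, as the original does.
    for table in filter nat mangle; do
        $IPT -t "$table" -F
        $IPT -t "$table" -X
    done

    # Lifeline first, while the policies are still ACCEPT: packets of the
    # existing session keep matching because flushing rules does not clear
    # the connection-tracking table.
    $IPT -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Let the same admin host open a fresh SSH session if this one drops.
    if [ -n "$admin" ]; then
        $IPT -A INPUT -p tcp -s "$admin" --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    fi

    # Only now flip the policies to DROP.
    for chain in INPUT OUTPUT FORWARD; do
        $IPT -P "$chain" DROP
    done
    echo "Locked down; admin lifeline: ${admin:-none}"
}

# Apply only when explicitly asked, so sourcing the file is harmless.
if [ "${1:-}" = "--apply" ]; then
    lockdown
fi
```

Run it as `IPT=echo sh lockdown.sh --apply` from an SSH session first to see the exact rule order before applying it for real.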