Who can give me any existing iptables rules for reference?

Who can give me any existing iptables rules for reference?

[supercodeing35271 supercodeing35271]

Hi,i'm a rookie.As learning netfilter/iptables for the first time,i
wanna look some good existing iptables rules scripts as that i think
reading good rules scripts will be useful.
So anyone here can share some rules or tell me where to see any good
rules scripts.  I must underline that i just need some references,i do
not have any other reason about this.
Thank every one.

Re: Who can give me any existing iptables rules for reference?

[Richard Horton]

On 6 February 2010 12:50, supercodeing35271 supercodeing35271
<supercodeing35271@gmail.com> wrote:
> Hi,i'm a rookie.As learning netfilter/iptables for the first time,i
> wanna look some good existing iptables rules scripts as that i think
> reading good rules scripts will be useful.
> So anyone here can share some rules or tell me where to see any good
> rules scripts.  I must underline that i just need some references,i do
> not have any other reason about this.
> Thank every one.

What kind of rule sets are you looking for?

Rules to protect a public facing server are going to be different (to
varying degrees depending on services etc) to those for a home PC, to
those for a router/gateway.

One of the best ways to learn would be change the policies to block
then work out how to allow the traffic you want to flow around while
not opening up what you don't want...

For instance...

iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

Lines 1 to 3 changes the policy to DROP  (You can only use DROP or
ACCEPT as policies) and lines 4 and 5 enable the loopback interface.

(Drop == silently discard packets without notifying the originator,
Accept == allow packet through firewall, Reject == Returns an ICMP
message to the orgination, you can vary the return message).


-- 
Richard Horton
Users are like a virus: Each causing a thousand tiny crises until the
host finally dies.
http://www.solstans.co.uk - Solstans Japanese Bobtails and Norwegian Forest Cats
http://www.pbase.com/arimus - My online photogallery

Re: Who can give me any existing iptables rules for reference?

[/dev/rob0]

On Sat, Feb 06, 2010 at 08:50:20PM +0800, supercodeing35271
   supercodeing35271 wrote:
> Hi,i'm a rookie.As learning netfilter/iptables for the first time, 
> i wanna look some good existing iptables rules scripts as that i 
> think reading good rules scripts will be useful.

A problem in that is that a script is not typically the best way to
load a set of rules. Race conditions can occur when more than one
trigger invokes the firewall script, when the first instance wasn't
completed yet. iptables-restore(8) (of a ruleset which had been
saved with iptables-save(8)) is the solution to this problem; it
loads the entire ruleset into memory atomically.

I think a lot of folks who want to learn firewall skills get caught
up in trying to do fancy bash(1) things. And way too many of the
ready-made firewall scripts I have seen are clueless and over-
complicated with silly shell tricks.

> So anyone here can share some rules or tell me where to see any 
> good rules scripts.  I must underline that i just need some 
> references, i do not have any other reason about this.

I would start with a tutorial such as the ones at netfilter.org and
Oskar's frozentux tutorial. Those are slightly out of date, but
should still give you a good start. The man page is maintained, and
should be a good reference for syntax and application of the various
match and target extensions.

Unfortunately I am not aware of a good, up-to-date basic tutorial
that I could recommend. I have not had the time to try to start one,
myself.
-- 
    Offlist mail to this address is discarded unless
    "/dev/rob0" or "not-spam" is in Subject: header

Re: Who can give me any existing iptables rules for reference?

[supercodeing35271 supercodeing35271]

Thank you for your advice,seem that i should

On Mon, Feb 8, 2010 at 12:15 AM, /dev/rob0 <rob0@gmx.co.uk> wrote:
> On Sat, Feb 06, 2010 at 08:50:20PM +0800, supercodeing35271
>   supercodeing35271 wrote:
>> Hi,i'm a rookie.As learning netfilter/iptables for the first time,
>> i wanna look some good existing iptables rules scripts as that i
>> think reading good rules scripts will be useful.
>
> A problem in that is that a script is not typically the best way to
> load a set of rules. Race conditions can occur when more than one
> trigger invokes the firewall script, when the first instance wasn't
> completed yet. iptables-restore(8) (of a ruleset which had been
> saved with iptables-save(8)) is the solution to this problem; it
> loads the entire ruleset into memory atomically.
>
> I think a lot of folks who want to learn firewall skills get caught
> up in trying to do fancy bash(1) things. And way too many of the
> ready-made firewall scripts I have seen are clueless and over-
> complicated with silly shell tricks.
>
>> So anyone here can share some rules or tell me where to see any
>> good rules scripts.  I must underline that i just need some
>> references, i do not have any other reason about this.
>
> I would start with a tutorial such as the ones at netfilter.org and
> Oskar's frozentux tutorial. Those are slightly out of date, but
> should still give you a good start. The man page is maintained, and
> should be a good reference for syntax and application of the various
> match and target extensions.
>
> Unfortunately I am not aware of a good, up-to-date basic tutorial
> that I could recommend. I have not had the time to try to start one,
> myself.
> --
>    Offlist mail to this address is discarded unless
>    "/dev/rob0" or "not-spam" is in Subject: header
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>

Re: Who can give me any existing iptables rules for reference?

[Mart Frauenlob]

On 06.02.2010 13:50, netfilter-owner@vger.kernel.org wrote:
> Hi,i'm a rookie.As learning netfilter/iptables for the first time,i
> wanna look some good existing iptables rules scripts as that i think
> reading good rules scripts will be useful.
> So anyone here can share some rules or tell me where to see any good
> rules scripts.  I must underline that i just need some references,i do
> not have any other reason about this.
> Thank every one.

Hello,

you need to understand the concepts for writing good rule-sets.
Example scripts of course will help to understand.

Here's a tutorial (not 100% up to date) including sample scripts:
http://www.frozentux.net/iptables-tutorial/iptables-tutorial.html

You might also read this one:
http://jengelh.medozas.de/documents/Perfect_Ruleset.pdf

One page generally helpful:
http://www.linux-ip.net/

Also i think there are O'reilly books out there.

Best regards

Mart

Re: Who can give me any existing iptables rules for reference?

[Gerardo Fernandez]

On Tue, Feb 9, 2010 at 5:53 PM, Mart Frauenlob <mart.frauenlob@chello.at> wrote:
> On 06.02.2010 13:50, netfilter-owner@vger.kernel.org wrote:
>> Hi,i'm a rookie.As learning netfilter/iptables for the first time,i
>> wanna look some good existing iptables rules scripts as that i think
>> reading good rules scripts will be useful.
>
> you need to understand the concepts for writing good rule-sets.
> Example scripts of course will help to understand.
>
> Here's a tutorial (not 100% up to date) including sample scripts:
> http://www.frozentux.net/iptables-tutorial/iptables-tutorial.html
>

Oskar Andreasson tutorial is a big source of information not only
about iptables, but also about TCP/IP. Too deep in my opinion for
students trying to learn the basics. Being a teacher but not an expert
in iptables, I use the following notes as an introductory tutorial to
Netfilter/iptables:

http://www.ajedrezvasco.com/infor/iptables_basics.htm

In a really simplified way, I try to make my students grasp the basics
ideas. Any feedback, correction, sugestion, etc, is welcome and will
be included when I teach it again in a month or so.

-- 
Saludos.
Gerardo Fernandez
http://www.ajedrezvasco.com