
Firewall

I looked around and found several sites with firewall info here and here. So I cobbled an rc.firewall script together and made it executable. rc.inet2 takes care of launching it at boot. Note that with the default setup this means your network interface will be brought up a few seconds before the firewall. I didn't sweat it.


==========================================================================

rc.firewall
#!/bin/sh
#
# rc.firewall - minimal stateful iptables firewall for a single host.
# Launched from rc.inet2 at boot; accepts start|stop|restart, anything
# else just lists the current rules.

DNS1=192.168.1.1
NMSRV=207.217.77.82
LOCALHOST=127.0.0.1
LOCALNET=192.168.0.0/24

firewall_start(){

    # Here we go...
    echo "Firewall: rc.firewall started"

    # Configure default policies (-P): the rule applied when no more
    # specific rule below matches.  Defaults are to DROP anything sent to
    # the firewall or the internal network, and permit anything going out.
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT

    # Flush (-F) all specific rules
    iptables -F INPUT
    iptables -F FORWARD
    iptables -F OUTPUT
    iptables -F -t nat

    # Accept traffic from the machine itself.  Both rules match on source
    # address only, so a packet arriving on eth0 with a forged local source
    # address matches as well; "-i lo" would tie the first rule to the
    # loopback interface instead.  $HOSTNAME is resolved to an address by
    # iptables and must be set in the environment when this runs.
    iptables -A INPUT   -s $LOCALHOST -j ACCEPT
    iptables -A INPUT   -s $HOSTNAME -j ACCEPT
    #iptables -A INPUT   -s $DNS1 -j ACCEPT
    #iptables -A INPUT   -s $NMSRV -j ACCEPT

    # Commented-out per-protocol variants, superseded by the single
    # stateful rule below:
    #iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p icmp
    #iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p tcp
    #iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p udp
    #iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p tcp --dport 113

    # Let replies to connections this host opened back in on eth0.
    iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
}

firewall_stop(){
    # Flush all rules, delete user-defined chains and open everything back up.
    iptables -F
    iptables -X
    iptables -P INPUT   ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -P OUTPUT  ACCEPT
}

case "$1" in
  'start')
        firewall_start
        ;;
  'stop')
        firewall_stop
        ;;
  'restart')
        firewall_stop; firewall_start
        ;;
  *)
        iptables -L -n
        ;;
esac

==========================================================================
Basically this drops everything that is not from the local machine or a reply to a connection originated from your machine. So things like name requests, email, web browsing and outgoing ssh all work fine, but all incoming requests not initiated by you are dropped.
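To confirm that a loaded ruleset really has the shape the script intends, here is an added audit script (mine, not part of Douglas Dawson's page) that reads an iptables-save style dump of the filter table and reports on the default policies, the stateful return-traffic rule, and whether local traffic is matched by interface or only by a spoofable source address. The two dumps are constructed: AS_WRITTEN is what the script above loads, with the $HOSTNAME rule shown resolved to a made-up address, and HARDENED replaces the address-only loopback rule with one keyed on the interface.

```shell
# Audit an iptables-save dump of the filter table for the properties the
# rc.firewall above is meant to establish; pure text processing, no root needed.
# audit_dump DUMP: prints one ok/FAIL line per check and returns the number of
# failed checks (0 means the ruleset has the intended shape).
audit_dump() {
    dump=$1
    fails=0
    # 1. Inbound and forwarded traffic must default to DROP.
    for chain in INPUT FORWARD; do
        if printf '%s\n' "$dump" | grep -q "^:$chain DROP "; then
            echo "ok   $chain policy is DROP"
        else
            echo "FAIL $chain policy is not DROP"; fails=$((fails + 1))
        fi
    done
    # 2. Replies to connections this host opened must be let back in.
    if printf '%s\n' "$dump" | grep '^-A INPUT ' | grep -q 'ESTABLISHED'; then
        echo "ok   INPUT has a stateful ESTABLISHED rule"
    else
        echo "FAIL INPUT has no ESTABLISHED/RELATED rule"; fails=$((fails + 1))
    fi
    # 3. Loopback should be matched by interface: "-i lo" cannot be forged from
    #    the network; "-s 127.0.0.1" alone matches any packet claiming that source.
    if printf '%s\n' "$dump" | grep -q '^-A INPUT -i lo -j ACCEPT'; then
        echo "ok   loopback accepted by interface"
    else
        echo "FAIL no '-i lo' ACCEPT rule"; fails=$((fails + 1))
    fi
    # 4. Every INPUT ACCEPT keyed only on a source address is spoofable.
    n=$(printf '%s\n' "$dump" | grep -c '^-A INPUT -s [0-9./]* -j ACCEPT$' || true)
    [ "$n" -eq 0 ] || { echo "FAIL $n source-address-only ACCEPT rule(s)"; fails=$((fails + n)); }
    return $fails
}
# Constructed dump of what the script above loads (its $HOSTNAME rule shown
# resolved to a made-up address); HARDENED keys loopback on the interface instead.
AS_WRITTEN='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -s 127.0.0.1/32 -j ACCEPT
-A INPUT -s 192.168.1.50/32 -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'
HARDENED='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'
audit_dump "$AS_WRITTEN" || echo "as written: $? issue(s)"
audit_dump "$HARDENED" && echo "hardened: clean"
```

On a live host, `iptables-save -t filter` produces the input format the function expects.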



Douglas Dawson 2004-03-31