01-20-2010, 05:48 AM
Hey.
I found this video on youtube and got a great deal of knowledge off of it, so I thought why not share.
He explains what he does very well and even a total beginner to linux should be able to keep up with him.
What wiki has to say about Iptables : "iptables is a user space application program that allows a system administrator to configure the tables provided by the Linux kernel firewall."
http://en.wikipedia.org/wiki/Iptables
It's a 3 part series.
First part :
Second part :
Final Installment :
In his videos he uses vi to write the script. I advice new linux users to use gedit. You just replace the vi with gedit and you're good to go.
Here is the final script :
And you can find the transcript to everything he does here : http://dark-code.bulix.org/fl04jo-68849?raw
All credits go to linuxjournalonline ( http://www.youtube.com/user/linuxjournalonline )
Hope this is helpful for some of you
I found this video on youtube and got a great deal of knowledge off of it, so I thought why not share.
He explains what he does very well and even a total beginner to linux should be able to keep up with him.
What wiki has to say about Iptables : "iptables is a user space application program that allows a system administrator to configure the tables provided by the Linux kernel firewall."
http://en.wikipedia.org/wiki/Iptables
It's a 3 part series.
First part :
Spoiler (Click to View)
Second part :
Spoiler (Click to View)
Final Installment :
Spoiler (Click to View)
In his videos he uses vi to write the script. I advice new linux users to use gedit. You just replace the vi with gedit and you're good to go.
Here is the final script :
Code:
#!/bin/sh
IPT=/sbin/iptables
$IPT -F
#policies
$IPT -P OUTPUT ACCEPT
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -N SERVICES
#drop spoofed packets
$IPT -A INPUT --in-interface ! lo --source 127.0.0.0/8 -j DROP
#limit ping requests
$IPT -A INPUT -p icmp -m icmp -m limit --limit 1/second -j ACCEPT
#drop bogus packets
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
$IPT -t filter -A INPUT -p tcp --tcp-flags FIN,ACK FIN -j DROP
$IPT -t filter -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
$IPT -t filter -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
$IPT -t filter -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -t filter -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -t filter -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
$IPT -t filter -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
#allowed inputs
$IPT -A INPUT --in-interface lo -j ACCEPT
$IPT -A INPUT -j SERVICES
#allow responses
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#allow services
$IPT -A SERVICES -p tcp --dport 22 -j ACCEPT
$IPT -A SERVICES -p tcp --dport 8080 -j ACCEPT
$IPT -A SERVICES -m iprange --src-range 192.168.1.1-192.168.1.254 -p tcp --dport 631 -j ACCEPT
$IPT -A SERVICES -m iprange --src-range 192.168.1.1-192.168.1.254 -p udp --dport 631 -j ACCEPT
$IPT -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
$IPT -A FORWARD -p tcp --dport 8080 -j ACCEPT
And you can find the transcript to everything he does here : http://dark-code.bulix.org/fl04jo-68849?raw
All credits go to linuxjournalonline ( http://www.youtube.com/user/linuxjournalonline )
Hope this is helpful for some of you