[olug] help with iptables firewall
Chris St. Pierre
stpierre at NebrWesleyan.edu
Tue Jul 24 20:16:43 UTC 2007
On Tue, 24 Jul 2007, Ryan Stille wrote:
> I have a server that has 1 physical network interface. It has an
> internal IP address on our network. I want to add a public IP as an ip
> alias, then we'll set that IP up in our router as a DMZ. So I need to
> setup a firewall on the local machine to block most ports on the public
> IP. I've come up with this:
>
> iptables -F
> iptables -A INPUT -p TCP -d $PUB_IP -s 0/0 --destination-port 80 -j ACCEPT
> iptables -A INPUT -p ALL -d $PUB_IP -j DROP
>
> It appears to work. Am I missing something?
Yes, probably. If you have MTU negotiations, for instance, that will
get blocked by this; you should include
iptables -A INPUT -p icmp --icmp-type any -j ACCEPT
You may also want to allow established connections to be preserved:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
In the end, I'd make your script look like this:
iptables -F
# ICMP must get through or path-MTU discovery to the public IP breaks
iptables -A INPUT -p icmp --icmp-type any -j ACCEPT
# let replies to connections this host opened come back in
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# the one service exposed on the public IP
iptables -A INPUT -p tcp -d $PUB_IP --dport 80 -j ACCEPT
# everything else addressed to the public IP is dropped; the internal IP is untouched
iptables -A INPUT -d $PUB_IP -j DROP
HTH.
Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University
----------------------------
LOPSA Sysadmin Days: Professional Training for Professional SysAdmins
August 6-7, Cherry Hill, NJ
http://lopsa.org/SysadminDays
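The setup discussed in this thread (one NIC, an internal address plus an aliased public address exposed by the router as a DMZ) as an added example; this is not code from either message. It generates the ruleset in iptables-restore format so it can be reviewed, tested with iptables-restore --test, and loaded atomically instead of being built up rule by rule with -A while the host is reachable. The public IP 203.0.113.10, the DMZ_IN chain name and the port list are placeholders chosen for the example; the rate-limited LOG rule is an addition not mentioned in the thread.

```shell
#!/bin/sh
# Added example, not from the original thread. Builds an iptables-restore
# ruleset for a host whose single NIC carries an internal IP plus an aliased
# public IP. Only the listed TCP ports are reachable on the public IP; traffic
# to the internal IP never enters the DMZ_IN chain and is left alone, as in
# the thread. PUB_IP, the chain name DMZ_IN and the ports are assumptions.

# build_rules PUB_IP [TCP_PORT ...]  -> prints a *filter table for iptables-restore
build_rules() {
    pub_ip="$1"
    shift
    printf '%s\n' '*filter'
    # INPUT stays ACCEPT so the internal address keeps working; FORWARD is
    # closed because this box is not a router. Counters start at [0:0].
    printf '%s\n' ':INPUT ACCEPT [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' ':DMZ_IN - [0:0]'
    # Only packets addressed to the public IP are sent to the DMZ_IN chain.
    printf '%s\n' "-A INPUT -d $pub_ip -j DMZ_IN"
    # Replies to connections this host opened, plus related ICMP errors.
    printf '%s\n' '-A DMZ_IN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # Keep path-MTU discovery (ICMP fragmentation-needed) and ping working.
    printf '%s\n' '-A DMZ_IN -p icmp -j ACCEPT'
    # One ACCEPT per exposed TCP port, matching only new connections.
    for port in "$@"; do
        printf '%s\n' "-A DMZ_IN -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Log a sample of what is dropped so a port scan shows up in syslog
    # without being able to flood it, then drop everything else.
    printf '%s\n' '-A DMZ_IN -m limit --limit 5/min -j LOG --log-prefix "DMZ drop: "'
    printf '%s\n' '-A DMZ_IN -j DROP'
    printf '%s\n' 'COMMIT'
}

# apply_rules PUB_IP [TCP_PORT ...]  -> parse-check, then load atomically (root)
apply_rules() {
    build_rules "$@" | iptables-restore --test || return 1
    build_rules "$@" | iptables-restore
}

# Usage: sh dmz-rules.sh 203.0.113.10 80 > /tmp/dmz.rules
# Review the file, then: iptables-restore --test < /tmp/dmz.rules && iptables-restore < /tmp/dmz.rules
if [ $# -gt 0 ]; then
    build_rules "$@"
fi
```

Because iptables-restore replaces the whole table in one step, there is no window where -F has run but the DROP rule is not yet in place; the -F/-A sequence from the thread has that window, which matters if the public IP is already routed. The INPUT policy is deliberately left at ACCEPT so that locking yourself out of the internal address is not possible from this script.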