Red Hat NETSCAPE MANAGEMENT SYSTEM 6.2 - COMMAND-LINE Installation Guide Page 82

8.10.4. iptables mini-me
Just to demonstrate how succinctly iptables can be configured in a minimalist situation, the script below is taken from
the Netfilter team's Rusty's Really Quick Guide To Packet Filtering:
"Most people just have a single PPP connection to the Internet, and don't want anyone
coming back into their network, or the firewall:"
## Insert connection-tracking modules (not needed if built into kernel).
insmod ip_conntrack
insmod ip_conntrack_ftp
## Create chain which blocks new connections, except if coming from inside.
iptables -N block
iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
## Note: newer iptables releases prefer the negation in front of the option, i.e. "! -i ppp0".
iptables -A block -m state --state NEW -i ! ppp0 -j ACCEPT
iptables -A block -j DROP
## Jump to that chain from INPUT and FORWARD chains.
iptables -A INPUT -j block
iptables -A FORWARD -j block
This simple script will allow all outbound connections that we initiate, i.e. any NEW connections (since the
default policy of ACCEPT is not changed). Then any connections that are "ESTABLISHED" and
"RELATED" to these are also allowed. And, any connections that are not incoming from our WAN side
interface, ppp0, are also allowed. This would be lo or possibly a LAN interface like eth1. So we can do
whatever we want, but no unwanted, incoming connection attempts are allowed from the Internet. None.
This script also demonstrates the creation of a custom chain, defined here as "block", which is used both for
the INPUT and FORWARD chains.
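To make the traversal logic of the "block" chain concrete, the following is an added model written for this page; it is not code from the HOWTO or from the Netfilter project. It replays the same three rules, in the same order, against constructed packets whose conntrack state is given directly (so it models the rule logic, not the kernel's connection tracker), and it also shows what happens on OUTPUT, which the script never touches. The interface names and sample packets are assumptions chosen to match the text.

```python
"""Model of the mini-me 'block' chain: which packets get ACCEPT and which get DROP.

Added illustration for this page; not the HOWTO's or Netfilter's own code.
Conntrack states are supplied by hand rather than derived from real traffic.
"""
from dataclasses import dataclass

WAN_IF = "ppp0"  # the interface the script treats as the Internet side (assumed, as in the text)


@dataclass(frozen=True)
class Packet:
    in_iface: str  # interface the packet arrived on: lo, eth1, ppp0 ... ("-" for OUTPUT)
    state: str     # conntrack state: NEW, ESTABLISHED, RELATED or INVALID
    chain: str     # built-in chain the packet traverses: INPUT, FORWARD or OUTPUT


# The custom chain, one (match, target) pair per rule, in the script's order.
BLOCK_CHAIN = [
    # iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
    (lambda p: p.state in ("ESTABLISHED", "RELATED"), "ACCEPT"),
    # iptables -A block -m state --state NEW -i ! ppp0 -j ACCEPT
    (lambda p: p.state == "NEW" and p.in_iface != WAN_IF, "ACCEPT"),
    # iptables -A block -j DROP  (no match condition: catches everything left)
    (lambda p: True, "DROP"),
]


def walk_block(pkt: Packet) -> str:
    """Verdict of the first matching rule in 'block', or RETURN if none matched."""
    for matches, target in BLOCK_CHAIN:
        if matches(pkt):
            return target
    return "RETURN"  # never reached here because the last rule matches everything


def verdict(pkt: Packet, default_policy: str = "ACCEPT") -> str:
    """INPUT and FORWARD both begin with '-j block'; OUTPUT has no rules at all.

    A RETURN from the custom chain falls back to the built-in chain's policy,
    which the script leaves at ACCEPT.
    """
    if pkt.chain == "OUTPUT":
        return default_policy          # nothing filters our own outbound packets
    if pkt.chain not in ("INPUT", "FORWARD"):
        raise ValueError(f"unknown chain {pkt.chain!r}")
    result = walk_block(pkt)
    return default_policy if result == "RETURN" else result


# Constructed sample traffic (not captured data); names describe the scenario.
SAMPLES = {
    "our outbound SYN to the Internet":          Packet("-", "NEW", "OUTPUT"),
    "reply to our outbound connection":          Packet("ppp0", "ESTABLISHED", "INPUT"),
    "FTP data connection (ip_conntrack_ftp)":    Packet("ppp0", "RELATED", "INPUT"),
    "inbound SYN from the Internet":             Packet("ppp0", "NEW", "INPUT"),
    "new connection from a LAN host on eth1":    Packet("eth1", "NEW", "INPUT"),
    "new connection over loopback":              Packet("lo", "NEW", "INPUT"),
    "LAN host -> Internet, routed through us":   Packet("eth1", "NEW", "FORWARD"),
    "Internet -> LAN host, routed through us":   Packet("ppp0", "NEW", "FORWARD"),
    "untracked/INVALID packet from the LAN":     Packet("eth1", "INVALID", "INPUT"),
}


def evaluate_all() -> dict:
    """Map each scenario name to its final verdict."""
    return {name: verdict(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in evaluate_all().items():
        print(f"{result:6}  {name}")
```

Two details the model brings out: the script filters by conntrack state plus ingress interface only, so a packet that conntrack classifies as INVALID is dropped even when it arrives from the LAN side (rule 2 only admits NEW), and FORWARD is covered by the same chain, so a host behind this firewall cannot be reached from the Internet either.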
Security Quick−Start HOWTO for Red Hat Linux