From dulugger@robstarling.org Wed Jan 22 16:56:06 2003
Date: Wed, 22 Jan 2003 11:47:18 -0800
From: Rob Starling <dulugger@robstarling.org>
To: Dulug MailingList <dulug@dulug.duke.edu>
Subject: Re: [Dulug] iptables

Why opt-out?  Don't half-ass this -- opt-in.

You want:  "imaps, pop3s, sshd, httpd (http/https), and sendmail"

So,
$ cat /etc/init.d/firewall
#! /bin/sh
#
# start from an empty INPUT chain so re-running this script
# does not stack a second copy of every rule
iptables -F INPUT
#
# allow incoming ssh, http(s), smtp, imaps, pop3s
iptables -A INPUT --proto tcp --destination-port 22 -j ACCEPT
iptables -A INPUT --proto tcp --destination-port 80 -j ACCEPT
iptables -A INPUT --proto tcp --destination-port 443 -j ACCEPT
iptables -A INPUT --proto tcp --destination-port 25 -j ACCEPT
iptables -A INPUT --proto tcp --destination-port 993 -j ACCEPT
iptables -A INPUT --proto tcp --destination-port 995 -j ACCEPT
#
# and NOTHING else incoming: refuse every other new TCP connection
# (--syn) and every UDP datagram arriving on the outside interface.
iptables -A INPUT --in-interface eth0 --proto tcp --syn -j REJECT
iptables -A INPUT --in-interface eth0 --proto udp -j REJECT
#
# if you need high-port udp traffic, change the last line to this
# (only the privileged ports 1-1024 stay closed):
iptables -A INPUT --in-interface eth0 --proto udp --destination-port 1:1024 -j REJECT


In any case, the point is that this is a *server* -- you don't
want it doing anything without your permission.

--Rob

-- 
/-------------------------------------------------------------\
| "If we couldn't laugh we would all go insane"               |
|              --Jimmy Buffett,                               |
|                "Changes in Latitudes, Changes in Attitudes" |
\-------------------------------------------------------------/

_______________________________________________
Dulug mailing list
Dulug@dulug.duke.edu
http://lists.dulug.duke.edu/mailman/listinfo/dulug
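The post above builds the firewall by hand and stateless, so the ruleset has to guess which UDP ports carry replies to the box's own traffic. The script below is an added example, not code from the mailing-list post or from any project it names: it generates the same opt-in INPUT chain for the six TCP services in the thread, but with a default-deny policy and the conntrack match so that replies to outbound traffic (DNS answers, outbound SMTP) get in without any UDP port being opened, and it audits an iptables-save dump to confirm that nothing outside the allow-list is accepted. It assumes a kernel with the conntrack match (on iptables of the thread's era the equivalent is -m state --state); the iptables-save text is constructed for the example, and nothing here actually calls iptables, so it runs without root.

```python
"""Opt-in INPUT firewall for a small server: generate the iptables commands
for an allow-list of TCP services, and audit an iptables-save dump to check
that nothing outside that list is accepted.

Added example (not from the mailing-list post). Assumes the conntrack match
is available. Commands are returned as strings, so no root is needed to run
or test this file.
"""
import shlex
from typing import Iterable, List, Optional

SERVER_TCP_SERVICES = {  # the services named in the thread
    "ssh": 22, "smtp": 25, "http": 80, "https": 443, "imaps": 993, "pop3s": 995,
}


def build_rules(tcp_ports: Iterable[int], iface: str = "eth0") -> List[str]:
    """Return the iptables commands for an opt-in INPUT chain on `iface`.

    ESTABLISHED/RELATED admits replies to the server's own outbound traffic
    (DNS answers, SMTP deliveries) without opening a listening port, so no
    UDP rule is needed at all; the DROP policy covers everything unlisted.
    """
    rules = [
        "iptables -F INPUT",        # idempotent: re-running does not stack rules
        "iptables -P INPUT DROP",   # default deny
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "iptables -A INPUT -m conntrack --ctstate INVALID -j DROP",
    ]
    for port in sorted(set(tcp_ports)):
        rules.append(f"iptables -A INPUT -i {iface} -p tcp --dport {port} "
                     "-m conntrack --ctstate NEW -j ACCEPT")
    # Explicit REJECT on the public interface gives clients a clean refusal
    # instead of a timeout; the DROP policy still catches every other path.
    rules.append(f"iptables -A INPUT -i {iface} -j REJECT --reject-with icmp-port-unreachable")
    return rules


def _opt(tokens: List[str], *names: str) -> Optional[str]:
    """Value following the first of `names` present in a tokenised rule."""
    for i, tok in enumerate(tokens[:-1]):
        if tok in names:
            return tokens[i + 1]
    return None


def audit_input_chain(save_text: str, allowed_tcp: Iterable[int]) -> List[str]:
    """Findings for an iptables-save dump whose INPUT chain is not opt-in.

    An ACCEPT is fine only for loopback, a conntrack reply/related match, or
    TCP to a port in `allowed_tcp`. With a default policy other than DROP the
    chain also needs a trailing DROP/REJECT covering both TCP and UDP.
    """
    allowed = set(allowed_tcp)
    findings: List[str] = []
    policy = "ACCEPT"
    catch_all = {"tcp": False, "udp": False}
    for line in save_text.splitlines():
        line = line.strip()
        if line.startswith(":INPUT "):
            policy = line.split()[1]
            continue
        if not line.startswith("-A INPUT"):
            continue
        tok = shlex.split(line)
        target = _opt(tok, "-j", "--jump")
        proto = _opt(tok, "-p", "--proto", "--protocol")
        dport = _opt(tok, "--dport", "--destination-port")
        iface = _opt(tok, "-i", "--in-interface")
        state_opt = _opt(tok, "--ctstate", "--state")
        states = set(state_opt.split(",")) if state_opt else set()
        if target == "ACCEPT":
            if iface == "lo" or states & {"ESTABLISHED", "RELATED"}:
                continue
            if proto == "tcp" and dport and dport.isdigit() and int(dport) in allowed:
                continue
            findings.append(f"unlisted ACCEPT: {line}")
        elif target in ("DROP", "REJECT") and dport is None and not states:
            for p in catch_all:                 # a rule without -p covers both
                if proto in (None, "all", p):
                    catch_all[p] = True
    if policy != "DROP":
        for p, covered in catch_all.items():
            if not covered:
                findings.append(f"INPUT policy {policy} and no catch-all {p.upper()} reject/drop")
    return findings


# Constructed iptables-save output: a stateless, half-finished ruleset.
SAMPLE_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -p udp -m udp --dport 111 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""

if __name__ == "__main__":
    print("\n".join(build_rules(SERVER_TCP_SERVICES.values())))
    for f in audit_input_chain(SAMPLE_DUMP, SERVER_TCP_SERVICES.values()):
        print("FINDING:", f)
```

Run against the constructed dump, the audit reports the MySQL and portmap accepts and the missing UDP catch-all; on a live box feed it `iptables-save` output instead. To apply the generated rules, pipe them to `sh` as root once you are satisfied with the printed commands.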
