
September 16, 2009

Sample IPTABLES configuration for workstation

# /etc/sysconfig/iptables
#
# IPTABLES sample config file for workstation
#
# Make sure you fix the appropriate <IPADDR> sections below, and add
# duplicate entries as necessary (with different IPADDR's of course)

# created by Bryan Cardillo
# modified by Daniel Widyono

# default policy - deny
#
# allow unrestricted icmp (should be tightened)
# allow in/out dns to name servers
# allow in/out ntp to ntp servers
# allow unrestricted ssh out
# allow ssh in from designated hosts
# allow unrestricted in/out from internal interfaces
# allow amanda server to contact and backup local filesystems
# allow http, https access out
# allow lpr client out
# allow ftp client out

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]



# LOGGING / DEBUGGING

-N accept-n-log
-A accept-n-log -j LOG --log-level 4 --log-prefix "accept-n-log:"
-A accept-n-log -j ACCEPT
-N drop-n-log
-A drop-n-log -j LOG --log-level 4 --log-prefix "drop-n-log:"
-A drop-n-log -j DROP

# internal interfaces

-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

# all outgoing

-A OUTPUT -m state --state NEW,ESTABLISHED -j ACCEPT

# icmp

-A INPUT -p icmp -j ACCEPT

# ssh client

-A INPUT -p tcp -m tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

# http client

-A INPUT -p tcp -m tcp --sport http --dport 1024: -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport https --dport 1024: -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport webcache --dport 1024: -m state --state ESTABLISHED -j ACCEPT

# lpr client

-A INPUT -p tcp -m tcp --sport printer -m state --state ESTABLISHED -j ACCEPT

# ftp client (active and passive)

-A INPUT -p tcp -m tcp --sport ftp -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport ftp-data -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT

# IMAP+SSL

-A INPUT -p tcp -m tcp --sport imaps -m state --state ESTABLISHED -j ACCEPT

# auth service (identd), for tcp_wrapper'ed services which insist on checking
# Note: it might be possible to just have -A INPUT -j DENY instead, haven't
# tried that yet

-A INPUT -p tcp -m tcp --dport auth -m state --state NEW,ESTABLISHED -j ACCEPT

# Outbound SMTP / e-mail

-A INPUT -p tcp -m tcp --sport smtp -m state --state ESTABLISHED -j ACCEPT

# ntp client
# These entries need to match /etc/ntp.conf server entries (see also
# the restrict entries in ntp.conf if you are restricting all by default)

-A INPUT -s <IPADDR> -p udp -m udp --sport 123 -j ACCEPT

# dns client
# These entries need to match /etc/resolv.conf nameserver entries (if you
# use DHCP, you'll need to modify /etc/init.d/iptables to dynamically create
# these entries, or else open port 53 to a range of IP addresses)

-A INPUT -s <IPADDR> -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT

# amanda client (Yuck! This should be cleaned up and debugged some more)

-A INPUT -s <IPADDR> -p udp -m udp --dport amanda -j ACCEPT
-A INPUT -s <IPADDR> -p tcp -m tcp --dport 1024: -j ACCEPT
# debug any straggling issues
-A INPUT -s <IPADDR> -j accept-n-log
-A OUTPUT -d <IPADDR> -p udp -j accept-n-log

# rsync client (not typically needed, but just another simple example)

# -A INPUT -p tcp -m tcp --sport 873 -m state --state ESTABLISHED -j ACCEPT

# ssh server (one entry for each allowable client/subnet)

-A INPUT -p tcp -m tcp --dport 22 -m state --state INVALID,NEW -j LOG --log-prefix "iptables(ssh connection): "
-A INPUT -s <IPADDR> -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

# http server (Obviously commented out by default)

# -A INPUT -p tcp -m tcp --sport 1024: --dport http -m state --state NEW,ESTABLISHED -j ACCEPT
# -A INPUT -p tcp -m tcp --sport 1024: --dport https -m state --state NEW,ESTABLISHED -j ACCEPT
# -A INPUT -p tcp -m tcp --sport 1024: --dport webcache -m state --state NEW,ESTABLISHED -j ACCEPT

# smtp server (Obviously commented out by default)

# -A INPUT -p tcp -m tcp --dport smtp -m state --state NEW,ESTABLISHED -j ACCEPT
# -A INPUT -p tcp -m tcp --sport auth -m state --state ESTABLISHED -j ACCEPT

# debugging (or to help add new services / clients)

# -A INPUT -m state --state ESTABLISHED,RELATED -j accept-n-log
# -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j accept-n-log

# debugging (or to find stray virii / rider programs)

# -A OUTPUT -p tcp -j drop-n-log

# iptables-restore requires the table to be terminated with COMMIT
COMMIT

ref.: http://www.liniac.upenn.edu/sysadmin/security/iptables.html
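As an added example (not part of the original config or the referenced UPenn page), the following shell functions generate the dns client and ntp client rules above from resolv.conf and ntp.conf style files, which is the dynamic approach the config's comments recommend for DHCP hosts. The sample addresses and file contents in demo() are constructed, not taken from any real system.

```shell
#!/bin/sh
# Added example: build the "<IPADDR>" rules of the dns client and ntp client
# sections from resolv.conf / ntp.conf style files instead of hand-editing them.

# One rule per "nameserver a.b.c.d" line, mirroring the sample's dns client rule.
# Only dotted-quad entries are used; anything else is ignored.
dns_rules() {
    awk '$1 == "nameserver" && $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
        printf "-A INPUT -s %s -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT\n", $2
    }' "$1"
}

# One rule per "server a.b.c.d" line, mirroring the sample's ntp client rule.
# Hostnames are skipped (they would need DNS before the DNS rules are loaded),
# as are the 127.127.x.x pseudo-addresses ntpd uses for local reference clocks.
ntp_rules() {
    awk '$1 == "server" && $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && $2 !~ /^127\./ {
        printf "-A INPUT -s %s -p udp -m udp --sport 123 -j ACCEPT\n", $2
    }' "$1"
}

# Demo on constructed input files (not real system files); prints the rules
# that would replace the <IPADDR> placeholders in the sample config.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/resolv.conf" <<'EOF'
search example.invalid
nameserver 192.0.2.53
nameserver 198.51.100.53
EOF
    cat > "$tmp/ntp.conf" <<'EOF'
server 127.127.1.0
server 203.0.113.123
server ntp.example.invalid
EOF
    dns_rules "$tmp/resolv.conf"
    ntp_rules "$tmp/ntp.conf"
    rm -rf "$tmp"
}
```

Run the output through `iptables-restore --test` together with the rest of the table to check syntax before installing it.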
