| 1 |
On Thursday 16 November 2006 15:19, Nangus Garba wrote: |
| 2 |
> # I think that a set of rules that looks something like this would be |
| 3 |
> easier to maintain |
| 4 |
> # there are 500 little tricks that I could add if I was home and had my |
| 5 |
> notes |
| 6 |
|
| 7 |
Hey! Thanks for your help - please send some more when you get home. :) |
| 8 |
|
| 9 |
> iptables -P INPUT DROP |
| 10 |
> iptables -A INPUT -i lo -j ACCEPT |
| 11 |
|
| 12 |
The "! $iface" is meant to catch incoming packets on an external iface which |
| 13 |
have their IP address spoofed to 127.0.0.1 type of thing. Will "lo" achieve |
| 14 |
the same thing? |
| 15 |
|
| 16 |
> #this will take care of all interfaces by default |
| 17 |
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT |
| 18 |
> |
| 19 |
> # maybe you should just use one interface for portage to connect through |
| 20 |
> such as eth0 |
| 21 |
|
| 22 |
Good point. |
| 23 |
|
| 24 |
> # might also be a good plan to use the mac address instead of the ip it is |
| 25 |
> a little harder to spoof |
| 26 |
|
| 27 |
Could I use both in a single rule? |
| 28 |
|
| 29 |
> #Allow rsync connections from study1 to update portage |
| 30 |
> iptables -A INPUT -i eth0 -p tcp -s 192.168.0.2 -m tcp --dport 873 -d |
| 31 |
> 192.168.0.5 -j ACCEPT |
| 32 |
> #Allow tcp connections from study1 to download distfiles |
| 33 |
> iptables -A INPUT -i eth0 -p tcp -s 192.168.0.2 -m tcp --dport 1024 -d |
| 34 |
> 192.168.0.5 -j ACCEPT |
| 35 |
> # these rules are kinda taken car of by: iptables -P INPUT DROP |
| 36 |
|
| 37 |
Yes, in their current format they are, but I had previously set them up to |
| 38 |
REJECT with different messages |
| 39 |
|
| 40 |
> # iptables -A INPUT -p tcp -i ${x} -j DROP |
| 41 |
> # iptables -A INPUT -p udp -i ${x} -j DROP |
| 42 |
|
| 43 |
Keep 'em coming! :) |
| 44 |
-- |
| 45 |
Regards, |
| 46 |
Mick |
Archives