On Thursday 16 November 2006 15:19, Nangus Garba wrote:
> # I think that a set of rules that looks something like this would be
> easier to maintain
> # there are 500 little tricks that I could add if I was home and had my
> notes

Hey! Thanks for your help - please send some more when you get home. :)

> iptables -P INPUT DROP
> iptables -A INPUT -i lo -j ACCEPT

The "! $iface" is meant to catch incoming packets on an external iface which
have their IP address spoofed to 127.0.0.1 type of thing. Will "lo" achieve
the same thing?

> #this will take care of all interfaces by default
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # maybe you should just use one interface for portage to connect through
> such as eth0

Good point.

> # might also be a good plan to use the mac address instead of the ip it is
> a little harder to spoof

Could I use both in a single rule?

> #Allow rsync connections from study1 to update portage
> iptables -A INPUT -i eth0 -p tcp -s 192.168.0.2 -m tcp --dport 873 -d 192.168.0.5 -j ACCEPT
> #Allow tcp connections from study1 to download distfiles
> iptables -A INPUT -i eth0 -p tcp -s 192.168.0.2 -m tcp --dport 1024 -d 192.168.0.5 -j ACCEPT
> # these rules are kinda taken care of by: iptables -P INPUT DROP

Yes, in their current format they are, but I had previously set them up to
REJECT with different messages.

> # iptables -A INPUT -p tcp -i ${x} -j DROP
> # iptables -A INPUT -p udp -i ${x} -j DROP

Keep 'em coming! :)
-- 
Regards,
Mick
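The two questions Mick raises above (does "-i lo -j ACCEPT" replace the "! $iface" anti-spoofing rule, and can a source IP and a MAC address be matched in one rule) are answered in the following script. It is an added example written for this page, not a ruleset posted by either participant. It emits the INPUT chain in iptables-restore format so it can be reviewed before being loaded; the interface name eth0, the hosts 192.168.0.2 and 192.168.0.5 are taken from the thread, while the MAC address is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): build an INPUT ruleset in iptables-restore
# format. Arguments: external interface, trusted LAN host, its MAC, this host.
# Interface name and host addresses follow the thread; the MAC is a placeholder.
build_ruleset() {
    ext_if="$1"      # e.g. eth0 (assumed)
    lan_host="$2"    # e.g. 192.168.0.2 (study1 in the thread)
    lan_mac="$3"     # constructed placeholder, e.g. 00:11:22:33:44:55
    this_host="$4"   # e.g. 192.168.0.5

    printf '%s\n' \
        '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT'

    # "-i lo -j ACCEPT" only admits traffic that really arrived on lo. It does
    # not, by itself, reject a packet on any other interface whose source
    # claims to be loopback; that is what "! -i lo" does. Logging it first
    # gives a detection signal for spoofing attempts that the policy DROP
    # alone would discard silently.
    printf '%s\n' \
        '-A INPUT ! -i lo -s 127.0.0.0/8 -j LOG --log-prefix "spoofed-lo: "' \
        '-A INPUT ! -i lo -s 127.0.0.0/8 -j DROP' \
        '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'

    # Source IP and MAC in a single rule: all matches in one rule are ANDed,
    # so the packet must carry both the expected IP and the expected MAC.
    # The MAC match is only meaningful for hosts on the same link, because a
    # router rewrites the source MAC to its own on the way through.
    printf '%s\n' \
        "-A INPUT -i $ext_if -p tcp -s $lan_host -m mac --mac-source $lan_mac -m tcp --dport 873 -d $this_host -j ACCEPT" \
        'COMMIT'
}

# Stand-alone run: print the ruleset; load it only when APPLY=1 and running as root.
if [ "${APPLY:-0}" = 1 ] && [ "$(id -u)" = 0 ]; then
    build_ruleset eth0 192.168.0.2 00:11:22:33:44:55 192.168.0.5 | iptables-restore
else
    build_ruleset eth0 192.168.0.2 00:11:22:33:44:55 192.168.0.5
fi
```

Rule order matters: the loopback anti-spoof DROP sits before the ESTABLISHED,RELATED ACCEPT so that nothing claiming a 127.x source can be admitted by a later rule, and the policy DROP still covers everything the explicit rules do not.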