[ale] iptables

Ken Ratliff forsaken at targaryen.us
Fri Jan 16 16:43:46 EST 2009


assuming it's debian, this is how I do it -

In /etc/network/if-pre-up.d, I have a script called iptables that contains the following -

#!/bin/bash
/sbin/iptables-restore < /etc/iptables.up.rules
echo Restoring iptables rules...

And my iptables.up.rules is of this format -

*filter
:fail2ban-ssh - [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-ssh
-A fail2ban-ssh -j RETURN
#  Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT


#  Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT


#  Allows all outbound traffic
#  You can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT


# Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

And so on and so forth.

So it brings the firewall rules up before it brings the interfaces up, and I can use the script to add or restore rules as needed. Just have to be careful not to do something stupid that will lock me out.

On Jan 16, 2009, at 3:38 PM, Paul Cartwright wrote:

> I setup a web server, and ran this command:
> iptables -I INPUT -p tcp -m state --state NEW --dport 80 -i eth0 -j ACCEPT
>
> so now you can get to my web server from other PCs.. but when I rebooted, I had to run that command again.
> where do I put this command, so it will be there NEXT time I reboot??
>
> I setup nginx and gallery2 to put up almost instant pictures on a web site..
> fast and easy ( when iptables lets you GET to it..)
>
> -- 
> Paul Cartwright
> Registered Linux user # 367800
> Registered Ubuntu User #12459
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
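The if-pre-up.d hook and iptables-save-format rules file that Ken describes, as an added example that is not his script: it writes a complete rules file (with the COMMIT line the excerpt stops short of), lints it for the kind of damage a mail client's line wrapping causes, and applies it with a timed rollback so a mistake does not lock you out of SSH. The file paths, the BACKUP location, the function names and the DROP default policy on INPUT are assumptions for the example, not anything from the mail.

```shell
#!/bin/sh
# Added example, not Ken's script: generate, lint and safely apply an
# iptables rules file in the format that iptables-restore reads.
# Assumed path (adjust): the lockout-guard snapshot of the live rule set.
BACKUP=${BACKUP:-/tmp/iptables.before-apply}

# Print a complete rules file to stdout.  Compared with the excerpt in the
# mail it declares the built-in chains (INPUT defaults to DROP, an assumption
# that fits an allow-list of ACCEPT rules), keeps every comment on one line,
# uses the extrapositioned negation "! -i lo" that current iptables prefers,
# and closes the *filter table with COMMIT, without which nothing is loaded.
emit_rules() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:fail2ban-ssh - [0:0]
# Allow all loopback (lo) traffic and reject traffic to 127/8 that did not arrive on lo
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
# Accept replies to connections this host opened or already accepted
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# SSH goes through the fail2ban chain first (it RETURNs unless a ban rule fires)
-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-ssh
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A fail2ban-ssh -j RETURN
# HTTP and HTTPS from anywhere
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# Everything outbound is allowed
-A OUTPUT -j ACCEPT
COMMIT
EOF
}

# Static lint of a rules file; needs neither root nor the kernel.  Every
# non-blank, non-comment line must be a *table header, a :chain declaration,
# an -A/-I/-D/-N/-P rule or COMMIT, and every table must end with COMMIT.
# A comment that was wrapped onto a second line (as in the mail's excerpt)
# is reported as an unrecognised line.  Returns 0 when clean, 1 otherwise.
check_rules() {
    awk '
        function err(msg) { print msg " at line " NR ": " $0; bad = 1 }
        /^[ \t]*#/ { next }
        /^[ \t]*$/ { next }
        /^\*/ { if (open) err("previous table " tbl " not closed"); open = 1; tbl = $0; next }
        /^COMMIT$/ { if (!open) err("COMMIT outside a table"); open = 0; next }
        /^:/ { if (!open) err("chain declared outside a table"); next }
        /^-(A|I|D|N|P) / { if (!open) err("rule outside a table"); next }
        { err("unrecognised line") }
        END { if (open) { print "table " tbl " is missing its COMMIT"; bad = 1 } exit (bad ? 1 : 0) }
    ' "$1"
}

# Lint, snapshot the live rule set, load the new file and arm a lockout
# guard: unless confirm_rules runs within $2 seconds (default 60), the
# snapshot is restored automatically.  Root only; not exercised by the test.
apply_rules() {
    rules=$1
    grace=${2:-60}
    check_rules "$rules" || return 1
    iptables-save > "$BACKUP" || return 1
    (
        sleep "$grace"
        # fires only if confirm_rules has not removed the snapshot
        [ -e "$BACKUP" ] && iptables-restore < "$BACKUP"
    ) &
    echo $! > "$BACKUP.pid"
    iptables-restore < "$rules"
    echo "rules loaded; confirm within $grace s or they are rolled back"
}

# Disarm the guard once a fresh SSH session to the box works.
confirm_rules() {
    [ -f "$BACKUP.pid" ] && kill "$(cat "$BACKUP.pid")" 2>/dev/null
    rm -f "$BACKUP" "$BACKUP.pid"
}

# Command-line use (as root), e.g.
#   sh safe-iptables.sh emit > /etc/iptables.up.rules
#   sh safe-iptables.sh check /etc/iptables.up.rules
#   sh safe-iptables.sh apply /etc/iptables.up.rules 90   # then, from a new SSH session:
#   sh safe-iptables.sh confirm
case "${1:-}" in
    emit)    emit_rules ;;
    check)   check_rules "$2" ;;
    apply)   apply_rules "$2" "$3" ;;
    confirm) confirm_rules ;;
esac
```

Run the check step on the file before it is saved under /etc as well: the if-pre-up.d hook reloads that file on every boot, and a file that fails to parse there means the box comes up with whatever the kernel's default policies are, which is why the lint refuses wrapped comments and tables without COMMIT rather than letting iptables-restore discover them at boot.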
