[ale] iptables

Ken Ratliff forsaken at targaryen.us
Fri Jan 16 16:57:22 EST 2009


Actually, let me refine this a bit...

Set your rules up the way you want them once.

Then use iptables-save and redirect the output to a file.

Then use a script (either the if-up.d and interfaces file method you  
found, or the if-pre-up.d method I use) to load those rules at boot  
time.

Or you could be really fancy and pull the rules from a mysql database  
at bootup :)


On Jan 16, 2009, at 4:43 PM, Ken Ratliff wrote:

> assuming it's debian, this is how I do it -
>
> In /etc/network/if-pre-up.d, I have a script called iptables that  
> contains the following -
>
> #!/bin/bash
> /sbin/iptables-restore < /etc/iptables.up.rules
> echo Restoring iptables rules...
>
> And my iptables.up.rules is of this format -
>
> *filter
> :fail2ban-ssh - [0:0]
> -A INPUT -p tcp -m tcp --dport 22 -j fail2ban-ssh
> -A fail2ban-ssh -j RETURN
> #  Allows all loopback (lo0) traffic and drop all traffic to 127/8  
> that doesn't use lo0
> -A INPUT -i lo -j ACCEPT
> -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
>
>
> #  Accepts all established inbound connections
> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
>
> #  Allows all outbound traffic
> #  You can modify this to only allow certain traffic
> -A OUTPUT -j ACCEPT
>
>
> # Allows HTTP and HTTPS connections from anywhere (the normal ports  
> for websites)
> -A INPUT -p tcp --dport 80 -j ACCEPT
> -A INPUT -p tcp --dport 443 -j ACCEPT
>
> And so on and so forth.
>
> So it brings the firewall rules up before it brings the interfaces  
> up, and I can use the script to add or restore rules as needed. Just  
> have to be careful not to do something stupid that will lock me out.
>
> On Jan 16, 2009, at 3:38 PM, Paul Cartwright wrote:
>
>> I setup a web server, and ran this command:
>> iptables -I INPUT -p tcp -m state --state NEW --dport 80 -i eth0 -j  
>> ACCEPT
>>
>> so now you can get to my web server from other PCs.. but when I  
>> rebooted, I
>> had to run that command again.
>> where do I put this command, so it will be there NEXT time I reboot??
>>
>> I setup nginx and gallery2 to put up almost instant pictures on a  
>> web site..
>> fast and easy ( when iptables lets you GET to it..)
>>
>> -- 
>> Paul Cartwright
>> Registered Linux user # 367800
>> Registered Ubuntu User #12459
>> _______________________________________________
>> Ale mailing list
>> Ale at ale.org
>> http://mail.ale.org/mailman/listinfo/ale
>
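As an added example (not code from any of the posters), here is the if-pre-up.d loader described above with a format check in front of iptables-restore, so a truncated or hand-edited rules file, or a pasted `iptables -I ...` command line like the one in the original question, is refused before anything reaches the kernel. The rules path and the `check`/`apply` verbs are assumptions of this example.

```shell
#!/bin/sh
# Constructed example for /etc/network/if-pre-up.d/iptables (not the code
# from the thread). It refuses to feed iptables-restore anything that is not
# a complete iptables-save dump, so a truncated or hand-edited file fails
# before the kernel is touched. RULES path and the "check"/"apply" verbs
# are assumptions of this example.
RULES=/etc/iptables.up.rules

# check_rules_file FILE -> exit 0 when FILE has one or more "*table" sections,
# each closed by COMMIT, holding only comments, ":chain POLICY [pkts:bytes]"
# chain lines and "-A ..." rule lines. Anything else (e.g. a pasted
# "iptables -I ..." command line, which is not restore syntax) is rejected.
check_rules_file() {
    awk '
        /^#/ || /^[ \t]*$/ { next }                     # comment or blank
        /^\*[a-z]+$/       { if (open) bad++; open = 1; tables++; next }
        /^COMMIT$/         { if (!open) bad++; open = 0; next }
        /^:[^ ]+ [A-Z-]+ \[[0-9]+:[0-9]+\]$/ { if (!open) bad++; next }
        /^-[A-Z] /         { if (!open) bad++; next }
        { bad++ }                                       # anything else
        END { exit ((bad == 0 && open == 0 && tables > 0) ? 0 : 1) }
    ' "$1"
}

# load_rules -> restores RULES, or returns 1 (touching nothing) if the file
# is missing or malformed. ifup treats a failing pre-up script as a failure
# to bring the interface up, so a broken firewall file is noticed at boot
# instead of the host quietly coming up unfiltered.
load_rules() {
    if [ ! -r "$RULES" ]; then
        echo "iptables: $RULES missing, not loading any rules" >&2; return 1
    fi
    if ! check_rules_file "$RULES"; then
        echo "iptables: $RULES is not a complete iptables-save dump" >&2; return 1
    fi
    /sbin/iptables-restore < "$RULES" && echo "Restoring iptables rules..."
}

case "${1:-}" in
    check) check_rules_file "$2" && echo "$2: ok" ;;      # pre-flight a new file
    apply) load_rules ;;                                  # run by hand
    "")    if [ -n "${IFACE:-}" ]; then load_rules; fi ;; # ifup exports IFACE
    *)     echo "usage: $0 [check FILE|apply]" >&2; exit 64 ;;
esac
```

Run `sh iptables check /path/to/new.rules` on the output of iptables-save before copying it into place; the `check` verb never calls iptables-restore.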
