andy at lug.org.uk
Fri Apr 18 13:15:01 BST 2008
On Fri, Apr 18, 2008 at 11:51:19AM +0100, Chris Rowson wrote:
> Just a quicky. I've been mucking around with iptables for a while, but I'm
> still a bit shaky with them. Would anyone mind checking this over for me
Looks pretty good. I would add RELATED to the ESTABLISHED bit so
that it also works for protocols other than TCP, and I'd put that
line first so that packets exit the firewall sooner (most packets
will match an established or related flow).
echo "Applying firewall rules"
# State match first: most packets belong to an existing flow and leave the chain here.
# No -p tcp on this line, so ICMP errors and UDP replies tied to a known flow match too.
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# New inbound SSH
iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT
# Everything else over TCP on eth0
iptables -A INPUT -p tcp -i eth0 -j DROP
echo "Rules applied"
You may then want to restrict the ssh line to SYN packets since if it's
not a SYN it shouldn't have got that far, but that's just being
> On a side note, I've added a symbolic link called S95firewall to this script
> in /etc/rc2.d/, but it doesn't seem to run this script at startup? Any ideas
> what I'm doing wrong?
Not sure, but I usually prefer to do it from
iface eth0 inet static
http://bitfolk.com/ -- No-nonsense VPS hosting
Encrypted mail welcome - keyid 0x604DE5DB
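The rule ordering and the SYN restriction discussed above, written up as an added example that is not part of the original thread. It emits the three INPUT rules in iptables-restore format, so the whole set loads atomically instead of rule by rule, and it applies the reasoning in the reply by leaving -p tcp off the state rule so that non-TCP traffic belonging to a known flow is covered as well. The function and variable names (gen_rules, apply_rules, IFACE, SSH_PORT) are my own, not from the list post.

```shell
#!/bin/sh
# Added example, not code from the original thread.
# Generates the reviewed INPUT chain as an iptables-restore ruleset.
IFACE="${IFACE:-eth0}"      # interface to protect (assumed name)
SSH_PORT="${SSH_PORT:-22}"  # TCP port for ssh (assumed)

# Print the ruleset. Lines starting with '#' are ignored by iptables-restore.
gen_rules() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# 1. Established/related flows first; no -p tcp so ICMP errors and UDP replies match too
-A INPUT -i $IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
# 2. New ssh connections must open with a SYN; anything else would have matched rule 1
-A INPUT -i $IFACE -p tcp --dport $SSH_PORT --syn -j ACCEPT
# 3. Remaining TCP on this interface is dropped
-A INPUT -i $IFACE -p tcp -j DROP
COMMIT
EOF
}

# Number of INPUT rules the generator produced (used for a sanity check).
rule_count() {
    gen_rules | grep -c '^-A INPUT'
}

# Load the ruleset atomically (needs root). Run as: sh firewall.sh apply
apply_rules() {
    gen_rules | iptables-restore
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Running the script with no argument only prints the ruleset, which is a convenient way to review the ordering before loading it; `iptables-restore` replaces the filter table in one step, so a half-applied set of rules (for example after an error partway through a series of `iptables -A` commands) cannot leave the host in an unexpected state.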