Here is a skeleton firewall script for you to use. Just call the following firewall script from boot.local, using the full pathname to your firewall script, and exiting with a valid code. USE AND MODIFY AT YOUR OWN RISK!!!

#! /bin/bash
# file-id: /path/to/firewall/script/firewall
#
# custom script to start iptables packet filter firewall rules
#
# run from /etc/init.d/boot.local
#
# ADSL-Modem version
#
# last updated 02-FEB-2004
#
#------------------------------------------------------#
echo;
echo "=======================================================================";
echo "Running /path/to/firewall/script/firewall"
echo " - Initial status of firewall is:"
echo "=======================================================================";
echo;
#------------------------------------------------------#

#------------------------------------------------------#
echo;
echo "=======================================================================";
echo "NAT table initial status"
echo "=======================================================================";
echo;
#------------------------------------------------------#
# list status of NAT table
iptables -t nat -L -v
#------------------------------------------------------#

#------------------------------------------------------#
echo;
echo "=======================================================================";
echo "MANGLE table initial status"
echo "=======================================================================";
echo;
#------------------------------------------------------#
# list status of MANGLE table
iptables -t mangle -L -v
#------------------------------------------------------#

#------------------------------------------------------#
echo;
echo "=======================================================================";
echo "FILTER table initial status"
echo "=======================================================================";
echo;
#------------------------------------------------------#
# list status of FILTER table
iptables -t filter -L -v
#------------------------------------------------------#

#------------------------------------------------------#
# flush ALL rules in ALL tables
iptables -t nat -F
iptables -t mangle -F
iptables -t filter -F
# clear packet & byte counters
iptables -t nat -Z
iptables -t mangle -Z
iptables -t filter -Z
# delete ALL user-defined chains in ALL tables
iptables -t nat -X
iptables -t mangle -X
iptables -t filter -X
#------------------------------------------------------#
echo;
echo "=======================================================================";
echo "Starting up my own custom firewall now!"
echo "=======================================================================";
echo;
#------------------------------------------------------#

#******************************************************#
# NAT table rules                                      #
#******************************************************#
# NOT USED

#******************************************************#
# MANGLE table rules                                   #
#******************************************************#
# NOT USED

#******************************************************#
# FILTER table rules                                   #
#******************************************************#
#------------------------------------------------------#
# set default policy for INPUT & FORWARD chains to DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
#------------------------------------------------------#
# LOG all packets coming through the INPUT chain - should disable this really
iptables -A INPUT -j LOG --log-prefix 'FILTER-INPUT PKTS '
#------------------------------------------------------#
# LOG all packets going through the FORWARD chain - should disable this really
iptables -A FORWARD -j LOG --log-prefix 'FILTER-FWD PKTS '
#------------------------------------------------------#
# LOG all packets going through the OUTPUT chain - should disable this really
iptables -A OUTPUT -j LOG --log-prefix 'FILTER-OUTPUT PKTS '
#------------------------------------------------------#
# Put the rest of your firewall script here
#------------------------------------------------------#
echo;
echo "=======================================================================";
echo "New status of firewall using my own custom rules is:"
echo "=======================================================================";
echo;
#------------------------------------------------------#

#------------------------------------------------------#
echo;
echo "=======================================================================";
echo "NAT table - new status"
echo "=======================================================================";
echo;
#------------------------------------------------------#
# list current status of NAT table
iptables -t nat -L -v
#------------------------------------------------------#

#------------------------------------------------------#
echo;
echo "=======================================================================";
echo "MANGLE table - new status"
echo "=======================================================================";
echo;
#------------------------------------------------------#
# list current status of MANGLE table
iptables -t mangle -L -v
#------------------------------------------------------#

#------------------------------------------------------#
echo;
echo "=======================================================================";
echo "FILTER table - new rules"
echo "=======================================================================";
echo;
#------------------------------------------------------#
# list current status of FILTER table
iptables -L -v
#------------------------------------------------------#
# exit with a valid code
exit 0
#------------------------------------------------------#
# end of firewall
#

On Thu, 5 Feb 2004, David Piniella wrote:
To: suse-security@suse.com
From: David Piniella <dpiniell@newssun.med.miami.edu>
Subject: Re: [suse-security] Is it iptables enough?
To make sure that nothing is in there that isn't supposed to be, and to bring it to a known clean state. It's often set up so that you run a script that flushes the firewall rules and then inserts the ruleset you want in there (as a bootscript in rc.d, usually). Alternately, this approach also means that an emergency reboot will kill whatever the firewall rules were (if you suspect they were bad).
-- David
Kind Regards - Keith Roberts.
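The flush-then-rebuild approach David describes, written as an added example in the spirit of Keith's skeleton (this is not the script from the post). It assumes the ADSL link is ppp0 (the WAN variable) and the classic filter/nat/mangle tables; unlike the skeleton it returns policies to ACCEPT before flushing and logs only packets about to hit the DROP policy, rate-limited, instead of every packet.

```shell
#!/bin/bash
# Added example, not the skeleton from the post: reset every table to a
# known clean state, then rebuild a small default-deny ruleset.
# IPT names the iptables binary; run with "dry-run" for a root-free dry run.
IPT="${IPT:-iptables}"
FW_TABLES="${FW_TABLES:-filter nat mangle}"
WAN="${WAN:-ppp0}"   # assumption: the ADSL link is ppp0

# Built-in chains per table (the classic three tables; add raw/security if loaded).
fw_chains() {
    case "$1" in
        filter) echo "INPUT FORWARD OUTPUT" ;;
        nat)    echo "PREROUTING POSTROUTING OUTPUT" ;;
        mangle) echo "PREROUTING INPUT FORWARD OUTPUT POSTROUTING" ;;
    esac
}

# Policies go back to ACCEPT *before* the flush: the skeleton flushes while a
# DROP policy from the previous run may still be in force, which strands a
# remote admin if the script dies between the flush and the new rules.
fw_reset() {
    for t in $FW_TABLES; do
        for c in $(fw_chains "$t"); do "$IPT" -t "$t" -P "$c" ACCEPT; done
        "$IPT" -t "$t" -F   # flush all rules
        "$IPT" -t "$t" -Z   # zero packet/byte counters
        "$IPT" -t "$t" -X   # delete user-defined chains
    done
}

# Default deny for INPUT/FORWARD, allow loopback and replies to our own
# traffic, and log only what is about to hit the DROP policy, rate-limited so
# a flood cannot fill the disk (the skeleton logs every packet unconditionally).
fw_build() {
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -P OUTPUT ACCEPT
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A INPUT -i "$WAN" -m state --state INVALID -j DROP
    "$IPT" -A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix 'FILTER-INPUT DROP '
    "$IPT" -A FORWARD -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix 'FILTER-FWD DROP '
}

# From boot.local: /path/to/firewall apply   (or "dry-run" to print the commands)
case "${1:-}" in
    apply)   fw_reset && fw_build ;;
    dry-run) IPT=echo; fw_reset; fw_build ;;
esac
```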