Setting up a local firewall

Bjørn Ruberg bjorn at ruberg.no
Mon Aug 1 14:49:53 CEST 2005


Bryan Christ <bryan.christ at filefront.com> writes:

> I locked myself out of my server until I rebooted it.  My goal was to lock down everything and allow only SSH connectivity.  Can anyone show me where my logic went wrong?  Here was the fatal script which I wrote:
> 
> /sbin/iptables -F INPUT
> /sbin/iptables -A INPUT -s 0/0 -j DROP

First, you drop EVERYTHING from EVERYWHERE.

> /sbin/iptables -A INPUT -s 0/0 -m state --state NEW,ESTABLISHED -p tcp --dport 22 -j ACCEPT

Then you allow SSH from everywhere else, which is... NOWHERE.

> My guess is that I missed accepting syn packets, but I'm not ready to "try" again.

Instead, get familiar with the principle that "order does matter".

-- 
Bjørn
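The ordering point above, as an added example that is not part of this thread: a small Python model of first-match chain evaluation (a deliberate simplification of netfilter that matches only on protocol, destination port and conntrack state) showing the posted order dropping a new SSH connection and the reversed order accepting it, plus a pre-flight lockout check.

```python
"""Toy model of iptables INPUT chain evaluation: first matching rule wins.

Constructed for this example; it is not netfilter. Rules are consulted in
the order they were appended (-A). The first rule whose conditions hold
decides the packet's fate; a packet matching no rule gets the chain policy.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    target: str                          # "ACCEPT" or "DROP"
    proto: Optional[str] = None          # None matches any protocol
    dport: Optional[int] = None          # None matches any destination port
    states: Optional[frozenset] = None   # None matches any conntrack state

    def matches(self, pkt: dict) -> bool:
        if self.proto is not None and pkt["proto"] != self.proto:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        if self.states is not None and pkt["state"] not in self.states:
            return False
        return True


def evaluate(chain: list, pkt: dict, policy: str = "ACCEPT") -> str:
    """Return the verdict for pkt: first matching rule wins, else the policy."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy


# Constructed sample packet: a fresh inbound SSH connection attempt.
SSH_SYN = {"proto": "tcp", "dport": 22, "state": "NEW"}

SSH_ACCEPT = Rule("ACCEPT", proto="tcp", dport=22,
                  states=frozenset({"NEW", "ESTABLISHED"}))
DROP_ALL = Rule("DROP")  # the "-s 0/0 -j DROP" catch-all

FATAL = [DROP_ALL, SSH_ACCEPT]      # posted order: catch-all first
CORRECTED = [SSH_ACCEPT, DROP_ALL]  # specific accept first, catch-all last


def would_lock_out(chain: list) -> bool:
    """Pre-flight check: does this chain drop a new SSH connection?"""
    return evaluate(chain, SSH_SYN) != "ACCEPT"


if __name__ == "__main__":
    for name, chain in (("fatal", FATAL), ("corrected", CORRECTED)):
        print(f"{name}: SSH NEW -> {evaluate(chain, SSH_SYN)}, "
              f"lockout={would_lock_out(chain)}")
```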