would like advice on paranoid host-based iptables rules

amir amire a31r at hotmail.com
Sat Nov 5 00:41:08 CET 2005


I need to run the script again after the IP address supplied by the 
cable modem is changed to the Comcast address. Is there a way to supply the 
new address automatically? Besides that it works OK.

What would be the most paranoid host-based iptables ruleset you can have and 
still get access to the web and DHCP and whatever else those two things 
need?

#!/bin/sh
# Host-only ruleset: default-deny in every chain, then allow only the
# connections this host opens on eth0 and the replies to them.
IPT='/sbin/iptables'
IN='-A INPUT'
OUT='-A OUTPUT'
ALLOW='-j ACCEPT'
BLOCK='-j DROP'
STATE='-m state --state'
# Current eth0 address, read from net-tools ifconfig output at run time.
# The rules below hard-code it, so the script has to be re-run whenever
# the DHCP lease hands out a different address.
EXTADDR=`ifconfig eth0 | awk '/inet addr/ { gsub(".*:", "", $2) ; print $2 }'`
$IPT -F
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP
# Inbound: only ESTABLISHED replies to our own connections, addressed to
# us from somewhere else. There is no rule for lo, so loopback traffic is
# dropped too, and RELATED (e.g. ICMP errors) is not accepted.
# "-s ! addr" is the old negation syntax; current iptables writes "! -s addr".
$IPT $IN $STATE INVALID,NEW $BLOCK
$IPT $IN $STATE ESTABLISHED -i eth0 -d $EXTADDR -s ! $EXTADDR $ALLOW
$IPT $IN $BLOCK
# Outbound: new or established connections from our own address on eth0
# to anywhere but ourselves; everything else is dropped.
$IPT $OUT $STATE INVALID $BLOCK
$IPT $OUT $STATE NEW,ESTABLISHED -o eth0 -s $EXTADDR -d ! $EXTADDR $ALLOW
$IPT $OUT $BLOCK

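An added example, not the original poster's script, of the rewrite a reviewer would suggest for the address-change problem: match on the interface and the connection state instead of the DHCP-assigned address, so nothing in the ruleset has to change when the lease does. It assumes the uplink is eth0 and the state match used in the original; the lo and DHCP client-port rules are additions the original does not have.

```shell
#!/bin/sh
# Added example (not the poster's script): a host-only ruleset that never
# names the DHCP-assigned address. Assumes the uplink is eth0 (override
# with EXT=...) and a stateful iptables with the state match.
IPT=${IPT:-/sbin/iptables}   # set IPT=echo to print instead of applying
EXT=${EXT:-eth0}

# Print the rule set, one iptables argument list per line, without applying it.
fw_rules() {
    r() { printf '%s\n' "$*"; }
    # Default-deny in every direction, then start from an empty filter table.
    r -P INPUT DROP
    r -P FORWARD DROP
    r -P OUTPUT DROP
    r -F
    # Loopback: without these, local clients talking to local daemons
    # (resolver, X, databases) are dropped by the policy.
    r -A INPUT -i lo -j ACCEPT
    r -A OUTPUT -o lo -j ACCEPT
    # Conntrack does the address check: a reply passes only if this host
    # opened the connection, whatever address DHCP handed out.
    r -A INPUT -m state --state INVALID -j DROP
    r -A OUTPUT -m state --state INVALID -j DROP
    r -A INPUT -i "$EXT" -m state --state ESTABLISHED,RELATED -j ACCEPT
    r -A OUTPUT -o "$EXT" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # DHCP client ports, for clients that use ordinary UDP sockets. (ISC
    # dhclient's broadcast exchange goes through a packet socket and bypasses
    # netfilter; its unicast renewals are covered by the rules above.)
    r -A OUTPUT -o "$EXT" -p udp --sport 68 --dport 67 -j ACCEPT
    r -A INPUT -i "$EXT" -p udp --sport 67 --dport 68 -j ACCEPT
    # New outbound connections: DNS, HTTP and HTTPS only. Nothing else may
    # start a connection in either direction.
    r -A OUTPUT -o "$EXT" -p udp --dport 53 -m state --state NEW -j ACCEPT
    r -A OUTPUT -o "$EXT" -p tcp -m multiport --dports 53,80,443 \
        -m state --state NEW -j ACCEPT
}

# Apply the rule set; stops at the first rule iptables rejects.
fw_apply() {
    fw_rules | while IFS= read -r rule; do
        $IPT $rule || exit 1    # word splitting of $rule is intended
    done
}

# True if no rule contains an IPv4 literal, the property the poster asked for.
fw_address_free() {
    ! fw_rules | grep -Eq '([0-9]{1,3}\.){3}[0-9]{1,3}'
}

[ "${1:-}" = apply ] && fw_apply
```

Run it as `sh firewall.sh apply`, or set IPT=echo first to review the rules. If the address is to stay in the rules instead, ISC dhclient-script sources /etc/dhclient-exit-hooks on every lease event with $reason set (BOUND, RENEW, REBIND), which is the place to re-run a script like the poster's.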




More information about the netfilter mailing list