Linux Firewall



I run a stand-alone Linux workstation connected to broadband via a
NAT-enabled router.

Does the following firewall script make sense to you guys (it seems to
work)? Any suggestions and comments would be much appreciated.

Also, I have only recently migrated to Linux (SuSE) from M$ XP Pro. In
XP I could see and stop unnecessary services and I would like to do the
same in SuSE. Which services are considered a potential security risk in
Linux/SuSE and how can they be stopped?

Mark

*************************

#!/bin/sh
# Stand-alone workstation firewall: default-deny on every chain, then
# accept only the listed services in each direction.

INTERFACE="eth0"
IPADDR="10.0.0.1"
BCASTADDR="10.0.0.255"

TCP_IN="25 80 110 119 225 443"
TCP_OUT="25 80 110 119 225 443"
UDP_IN="53 68 123 4569 5060"
UDP_OUT="53 67 123 4569 5060"

# Absolute path: "usr/sbin/iptables" (no leading slash) fails on every call.
FW="/usr/sbin/iptables"
NEW="${FW} --append"

# Start from an empty filter table.
$FW --flush
$FW --delete-chain

# Default policy: drop whatever is not explicitly accepted below.
for ch in INPUT OUTPUT FORWARD; do
    $FW -P $ch DROP
done

# Never send UDP to the local broadcast address.
$NEW OUTPUT -p udp -d ${BCASTADDR} -j DROP

# Trust every interface other than the external one (i.e. loopback).
# "! -i eth0" is the current negation syntax; "-i ! eth0" is deprecated.
$NEW INPUT ! -i ${INTERFACE} -j ACCEPT
$NEW INPUT -s 127.0.0.0/8 -j ACCEPT
$NEW OUTPUT ! -o ${INTERFACE} -j ACCEPT

# Anti-spoofing: drop inbound packets claiming our own address,
# and anything not addressed to us.
$NEW INPUT -s ${IPADDR} -j DROP
$NEW INPUT ! -d ${IPADDR} -j DROP

# Drop traffic from/to the other RFC 1918 private ranges.
# (172.16.0.0/12 is the whole range; the original had /16.)
$NEW INPUT -s 172.16.0.0/12 -j DROP
$NEW INPUT -d 172.16.0.0/12 -j DROP

$NEW INPUT -s 192.168.0.0/16 -j DROP
$NEW INPUT -d 192.168.0.0/16 -j DROP

# Inbound: only replies to connections we opened, matched by source port.
for port in ${TCP_IN}; do
    $NEW INPUT -p tcp --sport ${port} -m state --state ESTABLISHED -j ACCEPT
done
for port in ${UDP_IN}; do
    $NEW INPUT -p udp --sport ${port} -m state --state ESTABLISHED -j ACCEPT
done

# Outbound: new and established connections to the listed ports.
# The "-j ACCEPT" continuation needs a backslash; wrapped onto its own
# line without one, it ran as a separate (failing) command.
for port in ${TCP_OUT}; do
    $NEW OUTPUT -p tcp --dport ${port} -m state --state NEW,ESTABLISHED \
        -j ACCEPT
done

for port in ${UDP_OUT}; do
    $NEW OUTPUT -p udp --dport ${port} -m state --state NEW,ESTABLISHED \
        -j ACCEPT
done

# Drop all ICMP in both directions.
$NEW INPUT -p icmp -j DROP
$NEW OUTPUT -p icmp -j DROP

# Explicit final drops (same effect as the chain policies set above).
$NEW INPUT -j DROP
$NEW OUTPUT -j DROP

***********************************

Regards,

Mark
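The rule set below is an added example written for this page; it is not Mark's script and not anything shipped by SuSE. It expresses the same workstation policy in iptables-restore format (loaded atomically, so a half-applied set never leaves the host open) and shows the points a reviewer would raise about the script above: one connection-tracking rule for replies instead of a per-port --sport rule for each service, the RELATED state so ICMP errors tied to our own flows get through, the ICMP types that path MTU discovery and traceroute depend on rather than a blanket ICMP drop, an INVALID drop, and rate-limited logging of what gets dropped. The interface, address and port lists are assumptions copied from the post; gen_ruleset, rule_count and the "apply" argument are names invented here.

```shell
#!/bin/sh
# Added example (not Mark's script): the workstation policy as a stateful
# rule set in iptables-restore format. Interface, address and port lists
# are assumptions taken from the post; nothing is tuned to a real host.
INTERFACE="${INTERFACE:-eth0}"
IPADDR="${IPADDR:-10.0.0.1}"
TCP_OUT="25 80 110 119 225 443"
UDP_OUT="53 67 123 4569 5060"

# Emit the filter table. Rule order matters: the spoof and INVALID drops
# come before the tracking accept so they can never be matched as
# ESTABLISHED.
gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback is trusted in both directions (named explicitly, not "! -i eth0").
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Anti-spoofing: our own address is never a valid source on the wire.
-A INPUT -i ${INTERFACE} -s ${IPADDR} -j DROP
# Packets conntrack cannot associate with any flow.
-A INPUT -m state --state INVALID -j DROP
# One tracking rule replaces the per-port --sport ESTABLISHED rules;
# RELATED admits ICMP errors that refer to our own connections.
-A INPUT -i ${INTERFACE} -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o ${INTERFACE} -m state --state ESTABLISHED,RELATED -j ACCEPT
# Essential ICMP instead of dropping the whole protocol: "destination
# unreachable" carries the fragmentation-needed message that path MTU
# discovery needs, and "time exceeded" is what traceroute relies on.
-A INPUT -i ${INTERFACE} -p icmp --icmp-type destination-unreachable -j ACCEPT
-A INPUT -i ${INTERFACE} -p icmp --icmp-type time-exceeded -j ACCEPT
-A OUTPUT -o ${INTERFACE} -p icmp -j ACCEPT
EOF
    # Outbound services: only the first packet of a flow needs a per-port
    # rule; the tracking rule above handles the rest of it.
    for port in ${TCP_OUT}; do
        echo "-A OUTPUT -o ${INTERFACE} -p tcp --dport ${port} -m state --state NEW -j ACCEPT"
    done
    for port in ${UDP_OUT}; do
        echo "-A OUTPUT -o ${INTERFACE} -p udp --dport ${port} -m state --state NEW -j ACCEPT"
    done
    cat <<EOF
# Log what the policy drops (rate-limited) so blocked traffic shows up in
# the kernel log instead of disappearing silently.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-in-drop: "
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "fw-out-drop: "
COMMIT
EOF
}

# Number of rules in the generated set (quick sanity check before loading).
rule_count() {
    gen_ruleset | grep -c '^-A'
}

# Load atomically when run as root with "apply"; otherwise just print the
# set, which is also how to review it before loading.
if [ "${1:-}" = "apply" ] && [ "$(id -u)" -eq 0 ]; then
    gen_ruleset | iptables-restore
else
    gen_ruleset
fi
```

Run it without arguments to print the rules for review, or as root with the "apply" argument to load them. Matching replies on conntrack state rather than on source port means an inbound packet is accepted only because this host actually opened the flow, not because it happens to carry source port 80 or 53.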