This is a discussion on iptables within the Linux Security forums, part of the System Security and Security Related category.
Hello, I'd just like to delurk and say thanks to Tim, who posted the script reattached below. I've run nmap from a remote machine and all seems fine now. Well, as fine as I can tell ;-).

Lesley

-----------------------------------------
#!/bin/sh
# Tim's firewalling script with iptables
# Assumes a LAN on eth0 and a dialup IP on ppp0. The original header said a
# 10/8 LAN, but the ACCEPT rule used 10.0.0.0/16; LAN below is set to what the
# rule actually matched -- change it to cover your whole LAN.
# Be secure, ish.
PATH=/sbin:$PATH; export PATH
LAN="10.0.0.0/16"
LAN_IF="eth0"
EXT_IF="ppp0"

# Connection tracking (needed for the --state matches), the FTP helper and NAT.
# These are the 2.4-era module names; on newer kernels they are nf_conntrack,
# nf_conntrack_ftp and iptable_nat.
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe iptable_nat

# Flush all tables and delete user-defined chains so the script can be re-run.
iptables -F
iptables -F -t nat
iptables -F -t mangle
iptables -X

## Create chain which blocks new connections, except if coming from inside.
iptables -N block
iptables -N DLOG

# Packets conntrack cannot classify (bad TCP flags, out-of-window) are logged and dropped.
iptables -A block -m state --state INVALID -j DLOG
# Continuations: replies belonging to flows that were already allowed.
iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
# Loopback is a bit weird
iptables -A block -i lo -j ACCEPT
# Allow the LAN on eth0 in its entirety. Keep both -s and -i: without -i, a
# packet arriving on ppp0 with a forged 10.x source address would be accepted.
iptables -A block -s $LAN -i $LAN_IF -j ACCEPT
# Open ports (reachable from any interface, including ppp0)
iptables -A block -p tcp --destination-port 22 -j ACCEPT
# identd: answer with a TCP reset so remote mail/IRC servers do not hang on the probe
iptables -A block -p tcp --destination-port 113 -j REJECT \
    --reject-with tcp-reset
# Catch-all
iptables -A block -j DLOG

# The DLOG (drop+log) chain
iptables -A DLOG -j LOG --log-prefix="catch-all " --log-tcp-options \
    --log-ip-options
iptables -A DLOG -j DROP

## Jump to that chain from INPUT and FORWARD chains.
iptables -A INPUT -j block
iptables -A FORWARD -j block

## set up masquerading as well
iptables -t nat -A POSTROUTING -o $EXT_IF -j MASQUERADE

## Turn on IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
------------------------------
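The following is an added example, not code from the post or from Tim's script: a small Python model that walks the `block` chain in the exact order the script adds its rules, so you can see which packets the ruleset admits without needing root, a second machine or nmap. The packets are constructed test inputs; the `state` field stands in for what ip_conntrack would report, and the 10.0.0.0/16 network is the one the script's ACCEPT rule actually uses (its header comment said 10/8).

```python
"""Walk Tim's `block` chain rule by rule and return the verdict for a packet.

Added worked example; not part of the original forum post.  The chain order
below mirrors the script: INVALID -> ESTABLISHED,RELATED -> lo -> LAN on eth0
-> tcp/22 -> tcp/113 reset -> catch-all log+drop.
"""
import ipaddress
from dataclasses import dataclass

# Values taken from the script as written.  The header comment said 10/8, but
# the ACCEPT rule matches 10.0.0.0/16, so that is what is modelled here.
LAN = ipaddress.ip_network("10.0.0.0/16")
LAN_IF = "eth0"
OPEN_TCP_PORTS = {22}      # ssh: accepted from any interface
RESET_TCP_PORTS = {113}    # identd: REJECT --reject-with tcp-reset


@dataclass
class Packet:
    iface: str            # input interface: "eth0", "ppp0" or "lo"
    src: str              # IPv4 source address
    proto: str            # "tcp", "udp" or "icmp"
    dport: int = 0        # destination port (tcp/udp only)
    state: str = "NEW"    # conntrack state: NEW, ESTABLISHED, RELATED, INVALID


def block_chain(pkt: Packet) -> str:
    """Return ACCEPT, REJECT or DROP, following the script's rule order.

    Both DROP paths (INVALID and catch-all) go through DLOG, i.e. they are
    logged before being dropped.
    """
    if pkt.state == "INVALID":
        return "DROP"                              # -m state --state INVALID -j DLOG
    if pkt.state in ("ESTABLISHED", "RELATED"):
        return "ACCEPT"                            # continuation of an allowed flow
    if pkt.iface == "lo":
        return "ACCEPT"                            # -i lo -j ACCEPT
    # The LAN rule carries both -s and -i: a 10.0.x.x source arriving on ppp0
    # does not match, which is what stops LAN-address spoofing from the dialup side.
    if pkt.iface == LAN_IF and ipaddress.ip_address(pkt.src) in LAN:
        return "ACCEPT"
    if pkt.proto == "tcp" and pkt.dport in OPEN_TCP_PORTS:
        return "ACCEPT"                            # -p tcp --destination-port 22
    if pkt.proto == "tcp" and pkt.dport in RESET_TCP_PORTS:
        return "REJECT"                            # tcp-reset for identd probes
    return "DROP"                                  # catch-all -> DLOG


def verdicts(packets):
    """Evaluate a batch of packets; handy for eyeballing a ruleset change."""
    return [(p.iface, p.src, p.proto, p.dport, p.state, block_chain(p))
            for p in packets]


if __name__ == "__main__":
    # Constructed sample traffic (203.0.113.0/24 is documentation space).
    sample = [
        Packet("ppp0", "203.0.113.9", "tcp", 22),                 # ssh from the net
        Packet("ppp0", "203.0.113.9", "tcp", 80),                 # web probe from the net
        Packet("ppp0", "203.0.113.9", "udp", 22),                 # udp/22: rule is tcp only
        Packet("ppp0", "203.0.113.9", "tcp", 113),                # identd probe
        Packet("ppp0", "10.0.5.5", "tcp", 80),                    # spoofed LAN source on ppp0
        Packet("eth0", "10.0.5.5", "tcp", 80),                    # real LAN host
        Packet("eth0", "10.1.2.3", "tcp", 80),                    # LAN host outside the /16
        Packet("ppp0", "203.0.113.9", "tcp", 40000, "ESTABLISHED"),  # reply to our connection
        Packet("ppp0", "203.0.113.9", "tcp", 22, "INVALID"),      # bogus flags / out of window
    ]
    for row in verdicts(sample):
        print("%-5s %-14s %-4s %-6s %-12s -> %s" % row)
```

The row for 10.1.2.3 on eth0 is the one worth staring at: if your LAN really is 10/8, as the script's header claims, hosts outside 10.0.0.0/16 fall through to the catch-all and get logged and dropped, which an external nmap will never reveal. The spoofed 10.0.5.5-on-ppp0 row shows why the `-i eth0` qualifier on the LAN rule must stay.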