Solved

Check my rc.firewall

Posted on 2004-10-10
466 Views
Last Modified: 2010-04-22
Can you guys check whether my firewall script below is correct? I mean, how about the structure? Is the structure correct? Thanks.


#!/bin/sh

# The location of the IPtables binary file on your system.
IPT="/sbin/iptables"

# The Network Interface you will be protecting. For ADSL/dialup users,
# ppp0 should be fine. If you are using a cable internet connection or
# are connected to a LAN, you will have to change this to "eth0".
INT="212.111.124.210"   # <- my static ip

# The following rules will clear out any existing firewall rules,
# and any chains that might have been created.
$IPT -F
$IPT -F INPUT
$IPT -F OUTPUT
$IPT -F FORWARD
$IPT -F -t mangle
$IPT -F -t nat
$IPT -X

# These will setup our policies.
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT

# The following line below enables IP forwarding and thus
# by extension, NAT. Turn this on if you're going to be
# doing NAT or IP Masquerading.
echo 1 > /proc/sys/net/ipv4/ip_forward

# Source NAT everything heading out the $INT (external)
# interface to be the given IP. If you have a dynamic IP
# address or a DHCP IP that changes semi-regularly, comment out
# the first line and uncomment the second line.
#
# Remember to change the ip address below to your static ip.
#
$IPT -t nat -A POSTROUTING -o $INT -j SNAT --to 212.111.124.210
#$IPT -t nat -A POSTROUTING -o $INT -j MASQUERADE


# This rule protects your forwarding rule.
$IPT -A FORWARD -i $INT -m state --state NEW,INVALID -j DROP

# If you would like to forward specific ports to other machines
# on your home network, edit and uncomment the rules below. They are
# currently set up to forward port 25 & 53 (Mail & DNS) to 10.1.1.51.
# Anything incoming over your $INT through your gateway will
# be automatically redirected invisibly to port 25 & 53 on 10.1.1.51

$IPT -t nat -A PREROUTING -p tcp -i $INT --dport 3000 -j DNAT --to-destination 212.111.124.210
$IPT -t nat -A PREROUTING -p tcp -i $INT --dport 21 -j DNAT --to-destination 212.111.124.210

$IPT -t nat -A POSTROUTING -o $INT -s 212.111.124.210 -j SNAT --to-source 212.111.124.210
$IPT -t nat -A POSTROUTING -o $INT -s 212.111.124.210 -j SNAT --to-source 212.111.124.210

# Now, our firewall chain. We use the limit commands to
# cap the rate at which it alerts to 15 log messages per minute.
$IPT -N firewall
$IPT -A firewall -m limit --limit 15/minute -j LOG --log-prefix Firewall:
$IPT -A firewall -j DROP

# Now, our dropwall chain, for the final catchall filter.
$IPT -N dropwall
$IPT -A dropwall -m limit --limit 15/minute -j LOG --log-prefix Dropwall:
$IPT -A dropwall -j DROP

# Our "hey, them's some bad tcp flags!" chain.
$IPT -N badflags
$IPT -A badflags -m limit --limit 15/minute -j LOG --log-prefix Badflags:
$IPT -A badflags -j DROP

# And our silent logging chain.
$IPT -N silent
$IPT -A silent -j DROP

# This rule will accept connections from local machines. If you have
# a home network, enter in the IP's of the machines on the
# network below.
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i eth2 -j ACCEPT

$IPT -A FORWARD -s 0.0.0.0/0 -d  $INT -p tcp --destination-port 3000 -j ACCEPT
$IPT -A FORWARD -s 0.0.0.0/0 -d  $INT -p tcp --destination-port 21 -j ACCEPT

# Drop those nasty packets! These are all TCP flag
# combinations that should never, ever occur in the
# wild. All of these are illegal combinations that
# are used to attack a box in various ways, so we
# just drop them and log them here.
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j badflags
$IPT -A INPUT -p tcp --tcp-flags ALL ALL -j badflags
$IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j badflags
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j badflags
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j badflags
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j badflags

# Drop icmp, but only after letting certain types through.
$IPT -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 3 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 11 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
$IPT -A INPUT -p icmp -j firewall

# If you would like to open up port 22 (SSH Access) to various IP's
# simply edit the IP's below and uncomment the line. If you wish to
# enable SSH access from anywhere, uncomment the second line only.
#$IPT -A INPUT -i $INT -s 10.1.1.1 -d 0/0 -p tcp --dport 22 -j ACCEPT
#$IPT -A INPUT -i $INT -s 0/0 -d 0/0 -p tcp --dport 22 -j ACCEPT

# If you are running a Web Server, uncomment the next line to open
# up port 80 on your machine.
#$IPT -A INPUT -i $INT -s 0/0 -d 0/0 -p tcp --dport 80 -j ACCEPT

# Lets do some basic state-matching. This allows us
# to accept related and established connections, so
# client-side things like ftp work properly, for example.
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Uncomment to drop port 137 netbios packets silently.
# We don't like that netbios stuff, and it's way too
# spammy with windows machines on the network.
$IPT -A INPUT -p udp --sport 137 --dport 137 -j silent

# Our final trap. Everything on INPUT goes to the dropwall
# so we don't get silent drops.
$IPT -A INPUT -j dropwall
Question by:ftpfreak
11 Comments
 

Expert Comment

by:sykat
ID: 12276447
Hi,

Yes, it's quite easy and it'll work.

Thanx.
 

Author Comment

by:ftpfreak
ID: 12283430
But after I activate it, my LAN cannot get internet sharing... seems something is wrong with my rc.firewall structure...
 
LVL 51

Expert Comment

by:ahoffmann
ID: 12295119
> ..  script below is correct
no, 'cause -o option requires a NIC not an IP.
But I assume that it is the wrong question, should be: is the script below useful (or similar)?, Then the answer is no.
I'd use:
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

your internet from LAN is not reachable 'cause of:
$IPT -t nat -A POSTROUTING -o $INT -j SNAT --to 212.111.124.210
#$IPT -t nat -A POSTROUTING -o $INT -j MASQUERADE
change to
#$IPT -t nat -A POSTROUTING -o $INT -j SNAT --to 212.111.124.210
 $IPT -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    # assuming that eth0 is your $INT

then check following (see my comment about eth0):
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i eth2 -j ACCEPT

I'm not sure what these should do, sounds useless:
$IPT -A FORWARD -s 0.0.0.0/0 -d  $INT -p tcp --destination-port 3000 -j ACCEPT
$IPT -A FORWARD -s 0.0.0.0/0 -d  $INT -p tcp --destination-port 21 -j ACCEPT

Also your SNAT and DNAT rules are useless.


 

Author Comment

by:ftpfreak
ID: 12304669
If SNAT and DNAT are useless and I remove these:
$IPT -A FORWARD -s 0.0.0.0/0 -d  $INT -p tcp --destination-port 3000 -j ACCEPT
$IPT -A FORWARD -s 0.0.0.0/0 -d  $INT -p tcp --destination-port 21 -j ACCEPT

my script will be as follows after I remove some lines. So how about port forwarding?:

#!/bin/sh

# The location of the IPtables binary file on your system.
IPT="/sbin/iptables"

# The Network Interface you will be protecting. For ADSL/dialup users,
# ppp0 should be fine. If you are using a cable internet connection or
# are connected to a LAN, you will have to change this to "eth0".
INT="eth0"   # <- my static ip

# The following rules will clear out any existing firewall rules,
# and any chains that might have been created.
$IPT -F
$IPT -F INPUT
$IPT -F OUTPUT
$IPT -F FORWARD
$IPT -F -t mangle
$IPT -F -t nat
$IPT -X

# These will setup our policies.
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

# The following line below enables IP forwarding and thus
# by extension, NAT. Turn this on if you're going to be
# doing NAT or IP Masquerading.
echo 1 > /proc/sys/net/ipv4/ip_forward

# Source NAT everything heading out the $INT (external)
# interface to be the given IP. If you have a dynamic IP
# address or a DHCP IP that changes semi-regularly, comment out
# the first line and uncomment the second line.
#
# Remember to change the ip address below to your static ip.
#

$IPT -t nat -A POSTROUTING -o $INT -j MASQUERADE


# This rule protects your forwarding rule.
$IPT -A FORWARD -i $INT -m state --state NEW,INVALID -j DROP

#$IPT -t nat -A PREROUTING -p tcp -i $INT --dport 3000 -j DNAT --to-destination 212.111.124.210
#$IPT -t nat -A PREROUTING -p tcp -i $INT --dport 21 -j DNAT --to-destination 212.111.124.210

#$IPT -t nat -A POSTROUTING -o $INT -s 212.111.124.210 -j SNAT --to-source 212.111.124.210
#$IPT -t nat -A POSTROUTING -o $INT -s 212.111.124.210 -j SNAT --to-source 212.111.124.210

# Now, our firewall chain. We use the limit commands to
# cap the rate at which it alerts to 15 log messages per minute.
$IPT -N firewall
$IPT -A firewall -m limit --limit 15/minute -j LOG --log-prefix Firewall:
$IPT -A firewall -j DROP

# Now, our dropwall chain, for the final catchall filter.
$IPT -N dropwall
$IPT -A dropwall -m limit --limit 15/minute -j LOG --log-prefix Dropwall:
$IPT -A dropwall -j DROP

# Our "hey, them's some bad tcp flags!" chain.
$IPT -N badflags
$IPT -A badflags -m limit --limit 15/minute -j LOG --log-prefix Badflags:
$IPT -A badflags -j DROP

# And our silent logging chain.
$IPT -N silent
$IPT -A silent -j DROP

# This rule will accept connections from local machines. If you have
# a home network, enter in the IP's of the machines on the
# network below.
$IPT -A INPUT -i eth0 -j ACCEPT
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i eth2 -j ACCEPT

#$IPT -A FORWARD -s 0.0.0.0/0 -d  $INT -p tcp --destination-port 3000 -j ACCEPT
#$IPT -A FORWARD -s 0.0.0.0/0 -d  $INT -p tcp --destination-port 21 -j ACCEPT

# Drop those nasty packets! These are all TCP flag
# combinations that should never, ever occur in the
# wild. All of these are illegal combinations that
# are used to attack a box in various ways, so we
# just drop them and log them here.
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j badflags
$IPT -A INPUT -p tcp --tcp-flags ALL ALL -j badflags
$IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j badflags
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j badflags
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j badflags
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j badflags

# Drop icmp, but only after letting certain types through.
$IPT -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 3 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 11 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
$IPT -A INPUT -p icmp -j firewall



 

Author Comment

by:ftpfreak
ID: 12304680
I just want to open certain ports... ntop on port 3000, which I installed on the Linux router... and port 80 and port 21 for my web server and FTP server in the LAN...

Is this script good enough? Is this script good for a server?
 
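A minimal ruleset for exactly the setup the asker describes (LAN sharing out through eth0, ports 80 and 21 forwarded to a LAN server, ntop on 3000 reachable from the LAN only), added here as an example; it is not the asker's script nor any poster's, and the LAN subnet 192.168.1.0/24 and server address 192.168.1.10 are constructed placeholders. It emits the rules as text so they can be reviewed before `apply` loads them, and it pairs every DNAT with the FORWARD accept that a DROP policy requires.

```shell
#!/bin/sh
# Added example, not the asker's or any poster's script. A minimal router
# ruleset for the setup in the thread: eth0 is the public interface, eth1 the
# LAN, a LAN host (192.168.1.10, constructed placeholder) runs the web and FTP
# server, and ntop on the router listens on TCP 3000 for the LAN only.
# Usage: ./rc.firewall show   (print the rules)   ./rc.firewall apply   (load them)

PUB_IF="eth0"
LAN_IF="eth1"
LAN_NET="192.168.1.0/24"      # constructed placeholder for the LAN subnet
LAN_SERVER="192.168.1.10"     # constructed placeholder for the web/FTP host
FORWARDED_TCP="80 21"         # public ports DNATed to $LAN_SERVER
ROUTER_LAN_TCP="3000"         # services on the router itself, LAN only

# Emit one iptables argument list per line so the ruleset can be reviewed
# (and checked) without touching the kernel.
rules() {
    # Start clean, then default to DROP for anything not explicitly allowed.
    echo "-F"; echo "-X"; echo "-t nat -F"; echo "-t nat -X"; echo "-t mangle -F"
    echo "-P INPUT DROP"; echo "-P OUTPUT ACCEPT"; echo "-P FORWARD DROP"

    # The router itself: loopback, replies to its own connections, and the
    # LAN-only admin ports. Nothing accepts "-i $PUB_IF" wholesale.
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "-A INPUT -m state --state INVALID -j DROP"
    for p in $ROUTER_LAN_TCP; do
        echo "-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done

    # LAN -> Internet: new connections out, replies back, source NAT on exit.
    # -o takes an interface name, never an IP address.
    echo "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "-A FORWARD -m state --state INVALID -j DROP"
    echo "-A FORWARD -i $LAN_IF -o $PUB_IF -s $LAN_NET -m state --state NEW -j ACCEPT"
    echo "-t nat -A POSTROUTING -o $PUB_IF -s $LAN_NET -j MASQUERADE"

    # Port forwarding: the DNAT in PREROUTING rewrites the destination, and
    # because the FORWARD policy is DROP each port also needs a FORWARD accept.
    for p in $FORWARDED_TCP; do
        echo "-t nat -A PREROUTING -i $PUB_IF -p tcp --dport $p -j DNAT --to-destination $LAN_SERVER"
        echo "-A FORWARD -i $PUB_IF -o $LAN_IF -d $LAN_SERVER -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done

    # Everything else is logged (rate limited) and falls through to the DROP policy.
    echo "-A INPUT -m limit --limit 15/minute -j LOG --log-prefix \"Dropwall: \""
    echo "-A FORWARD -m limit --limit 15/minute -j LOG --log-prefix \"Dropwall: \""
}

# Number of generated rules matching a pattern (used for review and checks).
count_rules() { rules | grep -c -- "$1" || true; }

case "${1:-show}" in
    show)  rules ;;
    apply)
        echo 1 > /proc/sys/net/ipv4/ip_forward
        # FTP needs the connection-tracking helper so the data connection is
        # seen as RELATED (ip_conntrack_ftp/ip_nat_ftp on 2.4/2.6 kernels,
        # nf_conntrack_ftp/nf_nat_ftp on newer ones).
        modprobe ip_conntrack_ftp 2>/dev/null || modprobe nf_conntrack_ftp
        modprobe ip_nat_ftp 2>/dev/null || modprobe nf_nat_ftp
        rules | while read -r line; do eval "/sbin/iptables $line"; done ;;
    *)     echo "usage: $0 [show|apply]" >&2; exit 2 ;;
esac
```

Without the FORWARD accept lines, a DNAT alone would rewrite the packet and then the DROP policy would discard it, which is the silent failure the asker's first script invites.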

Author Comment

by:ftpfreak
ID: 12307712
Sir, I found a script which is similar to my script. I just try to open port 21... At the end of this script, how do I do port forwarding to the internal LAN? I'm no good at manipulating it... I also tried scanning for open ports while using this firewall script... and the status said OPEN PORT AND UNSECURED..... How do I make the port secure in this script even though the port is actually open? Do you think this script is good?

#!/bin/sh

IPTABLES=/sbin/iptables

DENY_PING="0"
DENY_REDIRECT="0"
BANNED=""
LOGGING="--log-level=5 -m limit --limit 3/minute --limit-burst 3 --log-tcp-sequence"
SYNRATE="-m limit --limit 4/second --limit-burst  10"
PUB_IF="eth0"
PRIV_IF="eth1"
PRIVX_IF="eth2"
LOCAL_SERVICES_TCP="21"
LOCAL_SERVICES_UDP=""
TCP_NO_LOG_DROP="137 138 139 445"       #NOTE: TCP ONLY!
UDP_NO_LOG_DROP="137 138 139 445"       #NOTE: UDP ONLY!


##############################################################################
# Begin Script Status Checks                                                 #
# These test that iptables executable is on the system, and user is logged   #
# in as r00t.                                                                #
##############################################################################
die() { echo "$*" >&2; exit 1; }   # helper the script calls but never defined
if [ ! -x "$IPTABLES" ]; then
  die "Fatal Error: Cannot execute IPTABLES ($IPTABLES)"
fi
if [ "$(id -u)" != "0" ]; then     # $UID is bash-only; id -u works in plain sh
  die "Fatal Error: You MUST be r00t to run this script!"
fi



##############################################################################
# Reset IPTABLES to a "blank page". (delete everything)                      #
##############################################################################
$IPTABLES -F           #delete all rules in all chains
$IPTABLES -X           #delete all user defined chains
$IPTABLES -F INPUT     #get rid of existing rules currently running (INPUT)
$IPTABLES -F OUTPUT    #get rid of existing rules currently running (OUTPUT)
$IPTABLES -F FORWARD   #get rid of existing rules currently running (FORWARD)
$IPTABLES -t filter -F #delete all rules in filter table
$IPTABLES -t filter -X #delete user defined chains in filter table
$IPTABLES -t nat -F    #delete all rules in NAT Table
$IPTABLES -t nat -X    #delete user defined chains in nat table
$IPTABLES -t mangle -F #delete all rules in mangle table




##############################################################################
# Set restrictive default policy                                             #
# What we do here is tell the FW "nothing can get through unless i allow it" #
# This allows for much tighter security. I would advise you not to change    #
# these default settings without good reason.                                #
##############################################################################
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT


##############################################################################
# Block ALL ICMP echo requests?                                              #
# This will help your machine avoid detection by the average script kiddie.  #
# If set to 1, "pings" will be ignored.                                      #
##############################################################################
if [ "$DENY_PING" = "1" ]; then
  echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
else
  echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all
fi


# Accept ICMP redirect messages?
################################
# DENY_REDIRECT=1 means "do not accept them", so accept_redirects is 0 in
# that case (the original wrote 1 here, which accepted them).
if [ "$DENY_REDIRECT" = "1" ]; then
  echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
else
  echo "1" > /proc/sys/net/ipv4/conf/all/accept_redirects
fi

# Disable ICMP send_redirect
############################
# 0 disables sending redirects (the original wrote 1, which enables it).
if [ -e /proc/sys/net/ipv4/conf/all/send_redirects ]; then
  for interface in /proc/sys/net/ipv4/conf/*/send_redirects; do
    echo "0" > $interface
  done
fi


# ICMP Broadcasting protection (smurf amplifier protection)
###########################################################
if [ -e /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ]; then
  echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
fi


# Allow Packetforwarding
###########################################################
echo 1 > /proc/sys/net/ipv4/ip_forward


##############################################################################
# SYN Flood Protection                                                       #
# Here we attempt to control the maxium number of inbound connections so as  #
# to help prevent a Denial Of Service Situation. We also enable SYNCOOKIES.  #
##############################################################################
if [ -f /proc/sys/net/ipv4/tcp_syncookies ]; then
  echo "1" > /proc/sys/net/ipv4/tcp_syncookies
fi
$IPTABLES -N SYN_FLOOD
$IPTABLES -A SYN_FLOOD -p tcp --syn $SYNRATE -j RETURN
$IPTABLES -A SYN_FLOOD -p ! tcp -j RETURN
$IPTABLES -A SYN_FLOOD -p tcp ! --syn -j RETURN
$IPTABLES -A SYN_FLOOD -j LOG --log-prefix "IPT: SYN_FLOOD/SYN SCAN: " $LOGGING



##############################################################################
# TCP Flag Checking                                                          #
# We look for invalid combinations of flags set on TCP packets, if any are   #
# found we log the packet and drop it. To do this, we create a TCPINV        #
# table, whose purpose is to log and drop packets passed to it. We also      #
# create a table called TCPINV_CHK, whose purpose is to check first if       #
# incoming datagrams have valid flags set. if not pass to TCPINV.            #
##############################################################################
$IPTABLES -N TCPINV
$IPTABLES -A TCPINV -j LOG --log-prefix "IPT: Invalid TCP: " $LOGGING
$IPTABLES -A TCPINV -j DROP

$IPTABLES -N TCPINV_CHK
$IPTABLES -A TCPINV_CHK -p tcp --tcp-flags ACK,FIN FIN -j TCPINV
$IPTABLES -A TCPINV_CHK -p tcp --tcp-flags ACK,PSH PSH -j TCPINV
$IPTABLES -A TCPINV_CHK -p tcp --tcp-flags ACK,URG URG -j TCPINV
$IPTABLES -A TCPINV_CHK -p tcp --tcp-flags FIN,RST FIN,RST -j TCPINV
$IPTABLES -A TCPINV_CHK -p tcp --tcp-flags SYN,FIN SYN,FIN -j TCPINV
$IPTABLES -A TCPINV_CHK -p tcp --tcp-flags SYN,RST SYN,RST -j TCPINV
$IPTABLES -A TCPINV_CHK -p tcp --tcp-flags ALL ALL -j TCPINV
$IPTABLES -A TCPINV_CHK -p tcp --tcp-flags ALL NONE -j TCPINV
$IPTABLES -A TCPINV_CHK -p tcp --tcp-flags ALL FIN,PSH,URG -j TCPINV
$IPTABLES -A TCPINV_CHK -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j TCPINV
$IPTABLES -A TCPINV_CHK -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j TCPINV



##############################################################################
# Connections to drop without logging.                                       #
# Port list from NO_LOG_DROP. If we dont have the specified port open, and   #
# connection attempt is flagged ok, not part of a syn flood etc, we will drop#
# the packet without logging it. Useful for conserving log space. I tend not #
# to bother logging connections to the NETBIOS ports due to the amount of    #
# worms currently circulating the internet that use 137:139 445.             #
##############################################################################
$IPTABLES -N TCP_NO_LOG_DROP
if [ "$TCP_NO_LOG_DROP" != "" ]; then
 for port_num in $TCP_NO_LOG_DROP; do
  $IPTABLES -A TCP_NO_LOG_DROP -p tcp --dport $port_num -j DROP
 done
fi
$IPTABLES -N UDP_NO_LOG_DROP
if [ "$UDP_NO_LOG_DROP" != "" ]; then
 for port_num in $UDP_NO_LOG_DROP; do
  $IPTABLES -A UDP_NO_LOG_DROP -p udp --dport $port_num -j DROP
 done
fi




##############################################################################
# Banned IP's                                                                #
# Looking at the "Banned" variable, we drop all trafic from known "bad"      #
# hosts, who wish our network harm. BANNED_CHK is responsible for checking   #
# if a host is banned, and BANNED_ACT logs and drops packets. If the BANNED  #
# variable is blank, we do not create the rule. This helps boost efficiency. #
##############################################################################
if [ "$BANNED" != "" ]; then
 $IPTABLES -N BANNED_ACT
 $IPTABLES -A BANNED_ACT -j LOG --log-prefix "IPT: BANNED IP: " $LOGGING
 $IPTABLES -A BANNED_ACT -j DROP
 $IPTABLES -N BANNED_CHK
 for blockip in $BANNED; do
  $IPTABLES -A BANNED_CHK -s $blockip -j BANNED_ACT
  $IPTABLES -A BANNED_CHK -d $blockip -j BANNED_ACT
 done
 $IPTABLES -A INPUT -j BANNED_CHK
fi


$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -i $PUB_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $PRIV_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $PRIVX_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -j TCPINV_CHK
$IPTABLES -A INPUT -j SYN_FLOOD



##############################################################################
# Allowed Local Services                                                     #
# This section defines services that are world accessable on the local box.  #
##############################################################################
$IPTABLES -N LOCAL_TCP
if [ "$LOCAL_SERVICES_TCP" != "" ]; then
 for openports in $LOCAL_SERVICES_TCP; do
  $IPTABLES -A LOCAL_TCP -p tcp --dport $openports -j ACCEPT
 done
fi

$IPTABLES -N LOCAL_UDP
if [ "$LOCAL_SERVICES_UDP" != "" ]; then
 for openports in $LOCAL_SERVICES_UDP; do
  $IPTABLES -A LOCAL_UDP -p udp --dport $openports -j ACCEPT
 done
fi

$IPTABLES -t nat -A POSTROUTING -o $PUB_IF -j MASQUERADE
$IPTABLES -A FORWARD -i $PRIV_IF -j ACCEPT

$IPTABLES -A INPUT -p tcp -j LOCAL_TCP
$IPTABLES -A INPUT -p udp -j LOCAL_UDP
$IPTABLES -A INPUT -p tcp -j TCP_NO_LOG_DROP
$IPTABLES -A INPUT -p udp -j UDP_NO_LOG_DROP
$IPTABLES -A INPUT -j LOG --log-prefix "IPT: INPUT: " $LOGGING
$IPTABLES -A INPUT -j DROP
 

Author Comment

by:ftpfreak
ID: 12307870
And here is the nmap result... does the result mean the firewall is secure?

Starting nmap 3.70 ( http://www.insecure.org/nmap ) at 2004-10-14 21:20 Pacific Daylight Time
Initiating SYN Stealth Scan against 212.111.124.210[1660 ports] at 21:20
Discovered open port 21/tcp on 212.111.124.210
SYN Stealth Scan Timing: About 26.47% done; ETC: 21:22 (0:01:23 remaining)
The SYN Stealth Scan took 81.05s to scan 1660 total ports.
Host 212.111.124.210 appears to be up ... good.
Interesting ports on 212.111.124.210:
(The 1659 ports scanned but not shown below are in state: filtered)
PORT   STATE SERVICE
21/tcp open  ftp

Nmap run completed -- 1 IP address (1 host up) scanned in 86.123 seconds
 
LVL 51

Accepted Solution

by:
ahoffmann earned 200 total points
ID: 12311543
> .. i found a script which similiar to my script. i just try ..
Hmm, firewalling is not a copy&paste job, nor is it something to "try". You need to know what you do.
I'd suggest that you get used to the concepts of packet filters first, then read man iptables, then decide which ports and permissions you need, and finally set up iptables yourself.
And it's the hard way, but just finding out if port 21 works in dozens of lines is hard too.
Also: port 21 (ftp) is one of the complicated things to do with packet filtering.
 

Author Comment

by:ftpfreak
ID: 12315789
OK, I will learn... but do you think the script is correct? I mean the structure.
 
LVL 51

Expert Comment

by:ahoffmann
ID: 12316915
The structure is OK, but see my previous comments.
 
LVL 2

Expert Comment

by:garak1357
ID: 12393270
You might want to use the code from this firewall as a reference:

https://www.unixpages.com/hls

It is comprehensive and should provide you with the examples
you need.
