Thursday, December 30, 2010

Enhance Linuxbox Security : Creating a Custom Chain in Iptables

Read this post before proceeding, as it contains the simple basic firewall configuration file that this one extends.
We can customize the flow of rules in iptables by creating new custom chains. Rules in iptables are evaluated in the sequence in which they appear, so where a chain is called determines when its rules run.

To create a custom chain issue this command:
iptables -N SERV

Now you have to create rules for this chain. A new chain acts like a function in a C program: its rules run when the chain is called, and if none of them match, control returns to the calling chain. To call the new chain, execute this command:
iptables -A INPUT -j SERV

Now append these rules to the original firewall.sh iptables configuration file posted in this post. The complete file then looks like this:
#!/bin/bash
# Please verify that source address verification is enabled in /etc/sysctl.conf:
# net.ipv4.conf.all.rp_filter = 1
# Define some variables
# Location of the binaries
IPTABLES="/sbin/iptables"
# Loopback interface
LOOPBACK="lo"
## Flush all rules
$IPTABLES -F
## Delete user-defined chains left from a previous run, otherwise -N SERV fails with "Chain already exists"
$IPTABLES -X

## Set default policies
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP
# Create the custom chain SERV
$IPTABLES -N SERV

## Allow access to the loopback interface, so that you can ping yourself
$IPTABLES -A INPUT -i $LOOPBACK -j ACCEPT
$IPTABLES -A OUTPUT -o $LOOPBACK -j ACCEPT

## Incoming external traffic rules
# Accept incoming ICMP echo-reply traffic for outgoing pings, so that when you
# ping another PC your PC does not drop the echo-reply and you can detect live hosts.
$IPTABLES -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
# Call the custom chain; if no rule in SERV matches, processing continues with the next INPUT rule
$IPTABLES -A INPUT -j SERV

## Accept all established incoming traffic
$IPTABLES -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
## Log all dropped incoming traffic
$IPTABLES -A INPUT -j LOG --log-prefix "myLogInput: "

## Rules in the custom chain; they are executed only when SERV is called from INPUT.
# Accept communication on specific ports. Use the command netstat --inet -pln to see which ports are listening.
# Example: a service (Firefox in the author's setup) listening on port 8008
$IPTABLES -A SERV -p tcp --dport 8008 -j ACCEPT
# Allowing SSH from the whole world can create a security problem;
# always prefer restricting it to a particular IP, e.g. by adding -s <your-ip> to this rule.
$IPTABLES -A SERV -p tcp --dport 22 -j ACCEPT
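The same ruleset can be expressed in the format that iptables-save writes and iptables-restore reads. The example below is added here and is not the original post's firewall.sh: it declares the custom chain with a `:SERV - [0:0]` line (the `-` means a user-defined chain has no policy of its own, so an unmatched packet returns to INPUT), loads everything in one atomic operation, and restricts SSH to a single source address as the post recommends. The management address 192.0.2.10, the function names `build_ruleset`, `check_ruleset` and `load_ruleset`, and the `check`/`load` arguments are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the post's own script: the firewall from the post in
# iptables-restore format, with a user-defined chain SERV.
# Assumptions (constructed for this example): 192.0.2.10 is the only host
# allowed to reach SSH; 8008 is the local service port used in the post.

ADMIN_IP="192.0.2.10"      # hypothetical management host (TEST-NET-1 address)
SERVICE_PORT="8008"

# Emit the ruleset on stdout. ':CHAIN POLICY [pkts:bytes]' declares a chain.
# Built-in chains get a policy; the user-defined chain gets '-' because when
# no rule in it matches, control returns to the chain that called it.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SERV - [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j SERV
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "myLogInput: "
-A SERV -p tcp --dport ${SERVICE_PORT} -j ACCEPT
-A SERV -p tcp -s ${ADMIN_IP} --dport 22 -j ACCEPT
COMMIT
EOF
}

# Sanity checks that run without root or iptables: every chain that a rule
# jumps to must be declared, and SERV must actually be called from INPUT
# (a chain that is created but never jumped to silently filters nothing).
check_ruleset() {
    rules=$(build_ruleset)
    for target in $(printf '%s\n' "$rules" | sed -n 's/.* -j \([A-Za-z0-9_]*\).*/\1/p' | sort -u); do
        case "$target" in
            ACCEPT|DROP|LOG|RETURN) continue ;;
        esac
        printf '%s\n' "$rules" | grep -q "^:${target} " \
            || { echo "undeclared chain: $target" >&2; return 1; }
    done
    printf '%s\n' "$rules" | grep -q '^-A INPUT -j SERV$' \
        || { echo "SERV is never called from INPUT" >&2; return 1; }
    return 0
}

# Load atomically (needs root). iptables-restore rejects the whole file if any
# line is invalid, so a typo cannot leave the host half-configured the way a
# failing line in a sequential script of iptables commands can.
load_ruleset() {
    build_ruleset | iptables-restore
}

# Usage: sh custom-chain.sh check   -> validate only
#        sh custom-chain.sh load    -> validate, then load (as root)
case "${1:-}" in
    check) check_ruleset && echo "ruleset ok" ;;
    load)  check_ruleset && load_ruleset ;;
esac
```

Two deliberate differences from the post's script: the RELATED,ESTABLISHED rule is placed before the jump to SERV and is not limited to `-p tcp`, so replies to the host's own UDP traffic (DNS lookups, for instance) are accepted rather than dropped, and the LOG rule is rate-limited with `-m limit` so a flood of dropped packets cannot fill the log.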
