Sysadmin grodoudou firewall 07062012
Yannouk edited this page Jul 5, 2012
- user : root
- host : grodoudou.seizam.com
- date : 06/07/12 19:08
- curpath : /home/yannouk
- Edit /etc/iptables.rules, see [1]
- Edit /etc/network/if-post-down.d/iptables-save, see [2]
```
root@grodoudou# chmod +x /etc/network/if-post-down.d/iptables-save
```
- Edit /etc/network/if-pre-up.d/iptables-load, see [3]
```
root@grodoudou# chmod +x /etc/network/if-pre-up.d/iptables-load
```
- Load rules now
```
root@grodoudou# /etc/network/if-pre-up.d/iptables-load
root@grodoudou# iptables -L -v --line-numbers
Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       62  4664 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
2        0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
3        0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:www
4        0     0 ACCEPT     icmp --  eth0   any     176.31.225.250       anywhere
5        0     0 ACCEPT     tcp  --  eth0   any     cache.ovh.net        anywhere             tcp dpt:ssh
6        0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere             tcp dpt:65422

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 32 packets, 3216 bytes)
num   pkts bytes target     prot opt in     out     source               destination
```
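The whole procedure above (rules file, save hook, load hook, load now) condensed into one script, as an added example that is not part of the original page and is not the scripts in [2] and [3]. It generates the same filter-table policy in iptables-restore format, runs pre-flight checks for the mistakes that lock an admin out of a DROP-policy host, and installs the file atomically with a rollback timer. The addresses and port default to the ones in the listing; the file paths, the 120-second timer, the pid file /run/iptables-rollback.pid and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not the wiki's own hooks. Builds the INPUT policy shown in the
# listing, checks it before loading, and installs it with a rollback timer.
# MONITOR_IP / ADMIN_IP / CUSTOM_PORT / RULES are hypothetical knobs whose
# defaults are the values from the page.
set -u

MONITOR_IP="${MONITOR_IP:-176.31.225.250}"   # host allowed to ping
ADMIN_IP="${ADMIN_IP:-213.186.50.100}"       # only source allowed on tcp/22
CUSTOM_PORT="${CUSTOM_PORT:-65422}"          # extra service port on eth0
RULES="${RULES:-/etc/iptables.rules}"        # where iptables-load reads from

# gen_rules: print the filter table in iptables-restore format. Default DROP on
# INPUT, then accept return traffic, loopback, web, monitoring ICMP, SSH from a
# single address and the custom port, in the same order as the listing.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s ${MONITOR_IP}/32 -i eth0 -p icmp -j ACCEPT
-A INPUT -s ${ADMIN_IP}/32 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport ${CUSTOM_PORT} -j ACCEPT
COMMIT
EOF
}

# check_rules FILE: pre-flight checks before restoring a ruleset on a remote
# box. Returns 0 when safe, 1 otherwise, and prints which check failed.
check_rules() {
    f="$1"
    grep -q '^:INPUT DROP' "$f" || { echo "INPUT policy is not DROP"; return 1; }
    grep -q '^COMMIT$' "$f"     || { echo "missing COMMIT"; return 1; }
    # the conntrack rule must be the first INPUT rule so that the admin's
    # existing SSH session survives whatever the later rules do
    first="$(grep '^-A INPUT' "$f" | head -n1)"
    case "$first" in
        *RELATED,ESTABLISHED*) ;;
        *) echo "first INPUT rule is not the conntrack rule"; return 1 ;;
    esac
    # every rule that opens tcp/22 must carry a source match (-s)
    if grep '^-A INPUT.*--dport 22 ' "$f" | grep -qv -- ' -s '; then
        echo "tcp/22 is open to the world"; return 1
    fi
    return 0
}

# install_rules: write the ruleset to a temp file, check it, snapshot the live
# rules for rollback, load the new rules, and start a timer that restores the
# snapshot unless the admin kills it after confirming SSH still works.
install_rules() {
    tmp="$(mktemp "${RULES}.XXXXXX")" || return 1
    gen_rules > "$tmp"
    chmod 600 "$tmp"                         # the file holds the admin allow-list
    check_rules "$tmp" || { rm -f "$tmp"; return 1; }
    # --test parses without committing; drop this line on releases without it
    iptables-restore --test < "$tmp" || { rm -f "$tmp"; return 1; }
    iptables-save -c > "${RULES}.prev"       # rollback snapshot
    mv "$tmp" "$RULES"                       # atomic replace, never a half-written file
    ( sleep 120 && iptables-restore -c < "${RULES}.prev" ) &
    echo $! > /run/iptables-rollback.pid     # kill this pid to keep the new rules
    iptables-restore < "$RULES"
}

# usage: sh firewall.sh install   (as root)
if [ "${1:-}" = install ]; then
    install_rules
fi
```

Run it as root with `sh firewall.sh install`, then, within two minutes, open a fresh SSH session from the allowed address and `kill "$(cat /run/iptables-rollback.pid)"` to keep the new rules; if the fresh session cannot connect, the timer puts the previous ruleset back. The `check_rules` function is the part worth keeping in any variant: it refuses a file whose INPUT policy is not DROP, whose first INPUT rule is not the conntrack rule, or which opens tcp/22 without a `-s` match.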
- [1] Edit /etc/iptables.rules
```
# Generated by iptables-save v1.4.8 on Sat Jun 9 23:05:22 2012
*raw
:PREROUTING ACCEPT [104947:58849083]
:OUTPUT ACCEPT [116446:25644513]
COMMIT
# Completed on Sat Jun 9 23:05:22 2012
# Generated by iptables-save v1.4.8 on Sat Jun 9 23:05:22 2012
*nat
:PREROUTING ACCEPT [7950:1248157]
:INPUT ACCEPT [5012:372560]
:OUTPUT ACCEPT [34655:6369055]
:POSTROUTING ACCEPT [34655:6369055]
COMMIT
# Completed on Sat Jun 9 23:05:22 2012
# Generated by iptables-save v1.4.8 on Sat Jun 9 23:05:22 2012
*mangle
:PREROUTING ACCEPT [104947:58849083]
:INPUT ACCEPT [104947:58849083]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [116446:25644513]
:POSTROUTING ACCEPT [116446:25644513]
COMMIT
# Completed on Sat Jun 9 23:05:22 2012
# Generated by iptables-save v1.4.8 on Sat Jun 9 23:05:22 2012
*filter
:INPUT DROP [6:1432]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [180:32222]
[90934:57193636] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[5888:399526] -A INPUT -i lo -j ACCEPT
[118:6308] -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
[3018:253512] -A INPUT -s 176.31.225.250/32 -i eth0 -p icmp -j ACCEPT
[0:0] -A INPUT -s 213.186.50.100/32 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
[1:60] -A INPUT -i eth0 -p tcp -m tcp --dport 65422 -j ACCEPT
COMMIT
# Completed on Sat Jun 9 23:05:22 2012
```
- [2] Edit /etc/network/if-post-down.d/iptables-save
--- old 2012-06-07 19:16:42.000000000 +0200 +++ new 2012-06-07 19:17:09.000000000 +0200 @@ -0,0 +1,3 @@ +#!/bin/sh +iptables-save -c > /etc/iptables.rules +exit 0
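Review bot: the redirect in `iptables-save -c > /etc/iptables.rules` truncates the file before iptables-save runs, so if iptables-save fails the saved ruleset is left empty and the next run of iptables-load brings the host up with no rules and ACCEPT policies; write to a temporary file and move it into place, e.g. `iptables-save -c > /etc/iptables.rules.tmp && mv /etc/iptables.rules.tmp /etc/iptables.rules`. The hook also runs for every interface that goes down, lo included, and persists whatever is loaded at that moment, so an ad-hoc `iptables -F` during troubleshooting silently becomes the boot ruleset; either test `$IFACE` or save only on an explicit admin action. The unconditional `exit 0` hides any failure from ifdown.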
- [3] Edit /etc/network/if-pre-up.d/iptables-load
--- old 2012-06-07 19:18:26.000000000 +0200 +++ new 2012-06-07 19:18:58.000000000 +0200 @@ -0,0 +1,3 @@ +#!/bin/sh +iptables-restore < /etc/iptables.rules +exit 0
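Review bot: the unconditional `exit 0` after `iptables-restore` means a broken /etc/iptables.rules (syntax error, missing conntrack module, the empty file the save hook can leave behind) brings eth0 up with whatever was loaded before, usually nothing, and ifup still reports success; decide explicitly whether the interface should fail closed (`iptables-restore < /etc/iptables.rules || exit 1`, which makes ifup abort) or fail open with a logged error (`iptables-restore < /etc/iptables.rules || logger -p auth.err "iptables-restore failed"`). Note also that the hook only loads IPv4 rules: if the host has a global IPv6 address and sshd listens on it, nothing here filters that traffic, and the `-s 213.186.50.100/32` restriction on tcp/22 in [1] does not apply over v6; an `ip6tables-restore` with its own rules file belongs in the same hook.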