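# Sample iptables firewall configuration (IPv4 only; the ip6tables file is similar).
# On a Red Hat like system this file should be named /etc/sysconfig/iptables.
# It is in iptables-save format and is loaded with iptables-restore:
# one rule per line, ending with COMMIT.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

# Create my own chains:
#   LOGDROP - log a packet, then drop it
#   RULZ    - the single inbound policy chain shared by INPUT and FORWARD
:LOGDROP - [0:0]
:RULZ - [0:0]

# Make the system use my one chain for both incoming and forwarded traffic:
-A INPUT -j RULZ
-A FORWARD -j RULZ

# Setup LOGDROP target.
# The LOG rule is rate-limited so a flood of dropped packets cannot fill the
# system log; packets over the limit are still dropped, just not logged.
-A LOGDROP -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "iptables LOGDROP: "
-A LOGDROP -j DROP

# Standard "holes":
-A RULZ -i lo -j ACCEPT
-A RULZ -p icmp --icmp-type any -j ACCEPT
# IPsec (protocol 50 = ESP, 51 = AH):
-A RULZ -p 50 -j ACCEPT
-A RULZ -p 51 -j ACCEPT
-A RULZ -m state --state ESTABLISHED,RELATED -j ACCEPT

# Email service (SMTP, POP, IMAP, POPS, IMAPS) holes:
#-A RULZ -m state --state NEW -p tcp --dport 25 -j ACCEPT
#-A RULZ -m state --state NEW -p tcp --dport 110 -j ACCEPT
#-A RULZ -m state --state NEW -p tcp --dport 143 -j ACCEPT
#-A RULZ -m state --state NEW -p tcp --dport 995 -j ACCEPT
#-A RULZ -m state --state NEW -p tcp --dport 993 -j ACCEPT

# Web service holes:
#-A RULZ -m state --state NEW -p tcp --dport 80 -j ACCEPT
#-A RULZ -m state --state NEW -p tcp --dport 443 -j ACCEPT

# SSH hole:
-A RULZ -m state --state NEW -p tcp --dport 22 -j ACCEPT

# DNS service holes:
#-A RULZ -m state --state NEW -p udp --dport 53 -j ACCEPT
#-A RULZ -m state --state NEW -p tcp --dport 53 -j ACCEPT

# Samba holes:
#-A RULZ -m state --state NEW -p udp --dport 137 -j ACCEPT
#-A RULZ -m state --state NEW -p udp --dport 138 -j ACCEPT
#-A RULZ -m state --state NEW -p tcp --dport 139 -j ACCEPT
#-A RULZ -m state --state NEW -p tcp --dport 445 -j ACCEPT

# NFS holes:
#-A RULZ -m state --state NEW -p tcp --dport 111 -j ACCEPT
#-A RULZ -m state --state NEW -p tcp --dport 2049 -j ACCEPT
#-A RULZ -m state --state NEW -p udp --dport 111 -j ACCEPT
#-A RULZ -m state --state NEW -p udp --dport 2049 -j ACCEPT

# Reject (and optionally log) any other inbound traffic.
# Nothing falls through to the INPUT/FORWARD ACCEPT policy: RULZ always ends
# here with a REJECT.
#-A RULZ -j LOG
-A RULZ -j REJECT --reject-with icmp-host-prohibited

# Egress filtering rules (if any):
# Drop all outbound packets that claim not to be from me (anti-spoofing).
# (Note: change the NIC name and IP address appropriately.)
# "! -s" is the extrapositioned negation; the older "-s !" form is deprecated
# and rejected by newer iptables versions.
-A OUTPUT -o eth0 ! -s 10.41.255.11 -j DROP
-A OUTPUT -o lo -p all -j ACCEPT
# No whitespace is allowed inside a --state list ("RELATED, ESTABLISHED"
# makes iptables-restore fail with "Bad argument").
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow outgoing web (HTTP and HTTPS; the original listed port 80 twice):
-A OUTPUT -p tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp --dport 443 -j ACCEPT
# Allow outgoing DNS queries:
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp --dport 53 -j ACCEPT
# Drop everything not permitted above:
# (Comment out to permit all outbound traffic.)
# While this line is commented out the OUTPUT chain policy is ACCEPT, so the
# egress ACCEPT rules above have no effect and all outbound traffic is allowed.
#-A OUTPUT -j LOGDROP
COMMIT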