Is this a gateway/firewall?
Do you have more than one network interface?
What exactly are you trying to do?
If it's just a workstation, then try this BASH script:
Code:
#!/bin/bash
IPT="/sbin/iptables" # Location of iptables command
LAN="192.168.0.0/24" # IP-range of LAN
IF0="eth0" # Name of interface
$IPT -F # Flush all rules
$IPT -t nat -F # Flush nat table (only neccessary on a gateway/firewall with nat'ing)
$IPT -X # Delete any chains present
$IPT -Z # Zero counters in all chains
$IPT -P INPUT DROP # Set default INPUT policy to DROP. This will be used on all attempted connections without a specific rule.
$IPT -P OUTPUT ACCEPT # Allow all outbound connections. This is so that ALL programs locally can connect as needed to the internet etc.
# Already established connections, and connections initiated from your PC, will be allowed:
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# OUTBOUND connections will be allowed:
$IPT -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Everything to and from loopback interface has to be allowed:
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
# We also want to allow everyhing from the LAN to be able to connect:
$IPT -A INPUT -i $IF0 -s $LAN -j ACCEPT
# If you want certain ports open for everyone (ex. If you have an Apache server or SSHd running on this computer), then add them here:
$IPT -A INPUT -i $IF0 -p tcp --dport 22 -j ACCEPT # Allows all TCP connections to port 80
$IPT -A INPUT -i $IF0 -p tcp --dport 80 -j ACCEPT # Same as above, but for port 22 (SSHd)
# The next few lines will enable logging of dropped packages (might not work, depending on your kernel configuration):
$IPT -A INPUT -j LOG --log-prefix "INPUT_DROP: "
$IPT -A OUTPUT -j LOG --log-prefix "OUTPUT_DROP: "
Copy and paste the above code into an empty file. Call it whatever you like, then "chmod +x <name_of_file>".
Now you're ready to run it:
./<name_of_file> # (In a shell/console/terminal
If you get errors, they're probably related to kernel configuration...
Also, if you're configuring a firewall/gateway, you need some more lines in the above script (to enable forwarding, masquerading and setting up internal and external interfaces etc...).
One thing to remember is that when a package comes to your interface, it goes through all rules until it finds one that applies.
This means that the order you add rules means everything.
An example:
Code:
iptables -A INPUT -i eth0 -s 192.168.0.4 -j DROP # Drop everything coming from 192.168.0.4
iptables -A INPUT -i eth0 -s 192.168.0.0/24 -j ACCEPT # ACCEPT all from LAN 192.168.0.0/24
# Even though you've basically allowed everything from the LAN, 192.168.0.4 will always be blocked.
Another example:
Code:
iptables -A INPUT -i eth0 -s 192.168.0.0/24 -j ACCEPT # ACCEPT all from LAN 192.168.0.0/24
iptables -A INPUT -i eth0 -s 192.168.0.4 -j DROP # Drop everything coming from 192.168.0.4
# The second rule will NEVER be used, as you have ACCEPTed everything from the LAN before the DROP rule
Hope this helps?
iptables
