Old 03-10-2011, 07:49 AM   #1
LQ Newbie
Registered: Aug 2010
Posts: 4

Rep: Reputation: 0
Need help verifying iptables rules for network security


I need help with some iptables rules. I've done all I can, Googling all over, to cover as many exploits as possible, and the following script is what I've come up with. The current setup works and I've checked with NMAP. I just need some sort of confirmation that this is pretty much what I can do.

LAN="eth0 eth1"
# WAN and RANGE are used below but never set in this post; the script stops
# here until they are defined (outside interface and internal address range)
WAN="${WAN:?set WAN to the outside interface}"
RANGE="${RANGE:?set RANGE to the internal address range}"
# Delete all existing rules
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
# Filter traffic #
# Set the default policy (only INPUT is set here; FORWARD and OUTPUT keep theirs)
iptables -P INPUT DROP
# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT
#iptables -A OUTPUT -o lo -j ACCEPT
# All TCP sessions should begin with SYN
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# Drop fragment packets
iptables -A INPUT -f -j DROP
# Drop XMAS packets
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
# Drop NULL packets
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# Block spoofing (the address after -s was lost from the post;
# SPOOF_SRC is a placeholder for it)
iptables -A INPUT ! -i lo -s "${SPOOF_SRC:?address missing from the post}" -j DROP
iptables -A OUTPUT ! -o lo -s "${SPOOF_SRC:?address missing from the post}" -j DROP
iptables -A INPUT -i $WAN -s $RANGE -j DROP
iptables -A OUTPUT -o $WAN -s $RANGE -j DROP
# Drop bad packets
iptables -A INPUT -m state --state INVALID -j DROP
# Drop packets routed from outside
iptables -A FORWARD -i $WAN -o $WAN -j DROP
# Routing traffic #
# Allow established connections, and those not coming from the outside
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW ! -i $WAN -j ACCEPT
# Allow internal traffic
for if in $LAN; do
        iptables -A INPUT -i $if -j ACCEPT
done
# Masquerade
iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
Also, if I wanted a broadcast to be relayed to all subnets within a defined range, what would such an iptables rule look like? I need this in order to find a networked Canon MP640 printer.

Thanks for all the help.
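Added example, not part of the poster's script: a small first-match walk of the INPUT chain above in Python, so each rule's position can be checked against sample packets. It assumes the undefined $WAN is ppp0 and leaves out the anti-spoof lines because their addresses are missing from the post.

```python
WAN = "ppp0"           # assumed name for the $WAN the post never defines
LAN = ["eth0", "eth1"]
INPUT_POLICY = "DROP"  # iptables -P INPUT DROP

# The posted INPUT rules in order, as match dictionaries (the anti-spoof
# rules are left out because their addresses are missing from the post).
INPUT_CHAIN = [
    {"in": "lo", "target": "ACCEPT"},
    {"proto": "tcp", "syn": False, "state": "NEW", "target": "DROP"},  # ! --syn NEW
    {"frag": True, "target": "DROP"},                                   # -f
    {"proto": "tcp", "flags": "ALL", "target": "DROP"},                 # XMAS
    {"proto": "tcp", "flags": "NONE", "target": "DROP"},                # NULL
    {"state": "INVALID", "target": "DROP"},
    {"state": {"ESTABLISHED", "RELATED"}, "target": "ACCEPT"},
    {"state": "NEW", "not_in": WAN, "target": "ACCEPT"},                # NEW ! -i $WAN
] + [{"in": dev, "target": "ACCEPT"} for dev in LAN]                   # the for loop

def matches(rule, pkt):
    # True when every match in the rule is satisfied by the packet's fields
    for key, want in rule.items():
        if key == "target":
            continue
        if key == "not_in":                 # negated interface match (! -i)
            if pkt.get("in") == want:
                return False
        elif isinstance(want, set):         # --state A,B
            if pkt.get(key) not in want:
                return False
        elif pkt.get(key) != want:
            return False
    return True

def decide(pkt, chain=INPUT_CHAIN, policy=INPUT_POLICY):
    # Return (verdict, rule number) for the first match, or (policy, None)
    for number, rule in enumerate(chain, start=1):
        if matches(rule, pkt):
            return rule["target"], number
    return policy, None

# Constructed sample packets, with the conntrack state the kernel would assign
SAMPLES = {
    "wan_new_syn":       {"in": WAN, "proto": "tcp", "syn": True, "state": "NEW", "flags": "SYN"},
    "wan_new_ack_only":  {"in": WAN, "proto": "tcp", "syn": False, "state": "NEW", "flags": "ACK"},
    "wan_reply_to_ours": {"in": WAN, "proto": "tcp", "syn": False, "state": "ESTABLISHED", "flags": "ACK"},
    "wan_xmas_scan":     {"in": WAN, "proto": "tcp", "syn": False, "state": "INVALID", "flags": "ALL"},
    "lan_new_mdns":      {"in": "eth0", "proto": "udp", "state": "NEW", "dport": 5353},
}

def run_samples():
    return {name: decide(pkt) for name, pkt in SAMPLES.items()}
```

The LAN packet is already accepted by rule 8 (NEW and not from $WAN), so the per-interface loop at the end never sees a packet; a new SYN from the WAN side matches nothing and falls through to the DROP policy.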
Old 03-10-2011, 10:46 AM   #2
Registered: Oct 2010
Location: Texas
Distribution: Debian, Ubuntu, CentOS, RHEL
Posts: 131

Rep: Reputation: 25
You should put in the following rules (assuming you run avahi-daemon to publish and find printers or other resources):

# The source and destination addresses were lost from the post; placeholders below
iptables -A INPUT -p udp -s <source-range> --dport 5353 -j ACCEPT
iptables -A INPUT -p udp --dport 5353 -d <destination-address> -j ACCEPT