Adjust iptables to only inbound syn connections
Hi, I need some help. I'm trying to adjust the firewall to accept only inbound SYN connections, allow all home subnets access to port 53 (both TCP and UDP), and deny the rest.
Thx

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
This will do what you need. It's not in Red Hat's iptables script format, but you'll get the idea.
#!/bin/sh
# Variables
IPADDR="Your IP address"       # the address clients reach the DNS server on
HOME_SUBNET="192.168.1.0/24"   # Specify your home subnet here.
CONNECTION_TRACKING="1"        # set to 0 if connection tracking is not enabled in the kernel

# Removing existing rules
iptables --flush
iptables -t nat --flush
iptables -t mangle --flush

# Set the default policy for the filter table to DROP
iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
iptables --policy FORWARD DROP

# Allowing unlimited traffic on the loopback interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Put this inside a conditional, just in case connection tracking is not enabled in the kernel
if [ "$CONNECTION_TRACKING" = "1" ]; then
    # Allowing established and related connections
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
fi

# Allowing all traffic to port 53 from HOME_SUBNET
# (--dport/--sport require a protocol, so one rule each for udp and tcp)
iptables -A INPUT -i eth0 -s $HOME_SUBNET -d $IPADDR -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i eth0 -s $HOME_SUBNET -d $IPADDR -p tcp --dport 53 -j ACCEPT
iptables -A OUTPUT -o eth0 -s $IPADDR -d $HOME_SUBNET -p udp --sport 53 -j ACCEPT
iptables -A OUTPUT -o eth0 -s $IPADDR -d $HOME_SUBNET -p tcp --sport 53 -j ACCEPT
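As an added example (not the poster's script), here is a POSIX shell generator for the rule set the question asks for: TCP connections may only start with a bare SYN, DNS on tcp/udp 53 is accepted from the named home subnets, and everything else is rejected. The function names, IFACE and the CIDR sanity check are assumptions of this example; it prints the iptables commands for review instead of applying them.

```shell
#!/bin/sh
# Added example, not from the thread: emit an INPUT rule set that accepts only
# SYN-initiated TCP connections, allows DNS (53 tcp+udp) from the given home
# subnets, and rejects everything else. Commands are printed, not applied, so
# they can be reviewed first (then piped to sh as root). gen_rules,
# dns_rule_count, valid_cidr and IFACE are names assumed by this example.

IFACE="${IFACE:-eth0}"   # assumption: the interface facing the home subnets

valid_cidr() {
    # crude a.b.c.d/nn check, so a typo cannot silently open port 53 to everyone
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$'
}

gen_rules() {
    # $@ = home subnets in CIDR form, e.g. 192.168.1.0/24 192.168.2.0/24
    for net in "$@"; do
        valid_cidr "$net" || { echo "bad subnet: $net" >&2; return 1; }
    done
    echo "iptables -F INPUT"
    echo "iptables -P INPUT DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # a TCP packet that is NEW to the state table but is not a bare SYN is not a
    # legitimate connection start (stray ACKs, FIN/RST probes): drop it before any ACCEPT
    echo "iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP"
    for net in "$@"; do
        echo "iptables -A INPUT -i $IFACE -s $net -p udp --dport 53 -j ACCEPT"
        echo "iptables -A INPUT -i $IFACE -s $net -p tcp --syn --dport 53 -j ACCEPT"
    done
    # everything else from anywhere, port 53 included, is refused
    echo "iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited"
}

# number of port-53 ACCEPT rules produced (two per subnet: udp and tcp)
dns_rule_count() { gen_rules "$@" | grep -c -- '--dport 53'; }

gen_rules 192.168.1.0/24 192.168.2.0/24
```

Run it as `IFACE=eth1 sh genrules.sh 192.168.1.0/24` to target another interface; pipe the output to `sh` as root only after reading it.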