
guga0001 04-07-2011 02:48 PM

Adjust iptables to only inbound syn connections
Hi, I need some help. I'm trying to adjust the firewall to allow only inbound SYN connections: allow all home subnets access to port 53, both TCP/UDP, but deny the rest.


# iptables-save format, as in /etc/sysconfig/iptables. The *filter header and the
# COMMIT line that iptables-restore requires were not in the paste and are added here.
*filter
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
# The paste had "-d" with no address, which iptables-restore rejects. Assumed: the
# mDNS multicast address 224.0.0.251, which is what the stock Red Hat ruleset uses here.
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

amonamarth 04-07-2011 07:02 PM

This will do what you need, it's not in Redhat's iptables script format, but you'll get the idea.

# Variables (shell assignments take no spaces around "=")
IPADDR="Your IP address"      # the address this host listens on
HOME_SUBNET=""                # Specify your home subnet here, as a CIDR block.
CONNECTION_TRACKING="1"       # set to 0 if the kernel has no connection tracking (assumed: the post never set this)

# Removing existing rules
iptables --flush
iptables -t nat --flush
iptables -t mangle --flush

# Set the default policy for the filter table to DROP
iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
iptables --policy FORWARD DROP

# Allowing unlimited traffic on the loopback interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Put this inside conditional, just in case connection tracking is not enabled in kernel
if [ "$CONNECTION_TRACKING" = "1" ]; then
    # Allowing established and related connections
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
fi

# Allowing all traffic to port 53 from HOME_SUBNET
# (--dport/--sport need "-p tcp" or "-p udp", so one rule per protocol; the
# source/destination subnet match was missing from the original rules)
iptables -A INPUT -i eth0 -s "$HOME_SUBNET" -d "$IPADDR" -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -i eth0 -s "$HOME_SUBNET" -d "$IPADDR" -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -o eth0 -s "$IPADDR" -d "$HOME_SUBNET" -p tcp --sport 53 -j ACCEPT
iptables -A OUTPUT -o eth0 -s "$IPADDR" -d "$HOME_SUBNET" -p udp --sport 53 -j ACCEPT
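As an added example (not code from either post), here is a POSIX shell script that generates, in the same iptables-save format as guga0001's /etc/sysconfig/iptables, a RH-Firewall-1-INPUT ruleset that does what the question asks: established and related traffic is accepted, a new inbound TCP connection is accepted only when it arrives as a SYN (any other TCP packet that conntrack sees as NEW is dropped), DNS on 53/tcp and 53/udp is accepted only from the listed home subnets, SSH stays open as in the original, and everything else is rejected. The subnets in HOME_SUBNETS are constructed placeholders; the script only prints the ruleset, so it can be reviewed before being fed to iptables-restore.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset that accepts inbound TCP
# only when a NEW connection starts with a SYN, and DNS only from home subnets.
# HOME_SUBNETS is a constructed placeholder list; replace it with your own CIDRs.
HOME_SUBNETS="192.168.1.0/24 192.168.2.0/24"

# build_rules SUBNETS -> prints the complete ruleset on stdout
build_rules() {
    subnets=$1
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
# replies to connections this host opened, plus related traffic such as ICMP errors
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# "only inbound SYN": a TCP packet that conntrack classes as NEW but that is not
# a SYN (a stray ACK/FIN/RST, or a non-SYN probe) is dropped before any port rule
-A RH-Firewall-1-INPUT -p tcp ! --syn -m state --state NEW -j DROP
EOF
    # DNS over UDP and TCP, accepted only from the home subnets
    for net in $subnets; do
        printf -- '-A RH-Firewall-1-INPUT -s %s -p udp --dport 53 -j ACCEPT\n' "$net"
        printf -- '-A RH-Firewall-1-INPUT -s %s -p tcp --dport 53 --syn -m state --state NEW -j ACCEPT\n' "$net"
    done
    cat <<'EOF'
# SSH stays open as in the original ruleset, SYN-only like every other TCP port
-A RH-Firewall-1-INPUT -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT
# deny the rest
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# dns_rule_count SUBNETS -> number of port-53 accept rules generated (two per subnet)
dns_rule_count() {
    build_rules "$1" | grep -c -- '--dport 53 '
}

# has_syn_guard SUBNETS -> exit 0 if the "drop NEW-but-not-SYN" rule is present
has_syn_guard() {
    build_rules "$1" | grep -q -- '! --syn -m state --state NEW -j DROP'
}

# Review the output first; to load it:  build_rules "$HOME_SUBNETS" | iptables-restore
build_rules "$HOME_SUBNETS"
```

Two design points worth noting. The `! --syn` DROP rule has to sit before any port-accepting rule, otherwise a non-SYN packet to port 22 or 53 would still be accepted by the later rule; keeping `--syn` on those port rules as well is harmless redundancy. The ICMP, IPsec (protocols 50/51), mDNS and CUPS rules from the original ruleset are deliberately absent, since the question asks for "the rest" to be denied; any of them can be added back in the same format above the final REJECT.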
