# Example /etc/sysconfig/iptables configuration file
#
# This is iptables-save format, loaded by "service iptables start" (see the
# transcript below). Rules inside a chain are tried top to bottom and the
# first match decides the packet's fate, so ordering matters for several of
# the notes that follow.
# Interfaces as used in this file: eth0 = wired LAN (192.168.5.0/24),
# wlan0 = wireless side (10.1.2.0/24 handed out to clients; 10.0.0.0/8 is
# treated as "the wireless side" in the broader matches).
#
# Turn on traffic filtering
*filter
# Set default policies
# INPUT and FORWARD drop anything not explicitly accepted below. OUTPUT is
# left at ACCEPT, so traffic originating on the access point itself is not
# filtered at all. The bracketed numbers are saved packet:byte counters and
# carry no policy meaning.
:INPUT DROP [1:44]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [27040:2493902]
# Accept all traffic from the loopback interface.
-A INPUT -i lo -j ACCEPT
# Accept legitimate responses to traffic we generate.
# NOTE: this rule carries no interface or protocol match, so every
# RELATED/ESTABLISHED packet is accepted here. The narrower ESTABLISHED rules
# further down (the per-server DNS replies and the 1024:65535 rule) are
# shadowed by it and never match; they are kept for documentation only.
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Accept SSH connections from the wired network only.
# Change this to your LANs IP network
# The ACCEPT is limited to eth0; the DROP that follows restates the INPUT
# policy explicitly (it is not needed for correctness, but makes the intent
# visible in "iptables -L"). "-s ! addr" is the old intrapositioned negation;
# newer iptables prefers "! -s addr" and may warn about this form.
# The "iptables -L" listing further down this page shows !192.168.1.0/24 for
# the DROP rule, which does not match the 192.168.5.0/24 used here; the
# listing was apparently captured from a differently edited file, so treat
# this file as the reference.
-A INPUT -s 192.168.5.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s ! 192.168.5.0/255.255.255.0 -p tcp -m tcp --dport 22 -j DROP
# Allow ICMP, though there is a case for disabling it on the WLAN interface.
# The wlan0 rule accepts all ICMP types from the whole 10.0.0.0/8, not just
# from the 10.1.2.0/24 allocated to clients.
-A INPUT -s 192.168.5.0/255.255.255.0 -i eth0 -p icmp -j ACCEPT
-A INPUT -s 10.0.0.0/255.0.0.0 -i wlan0 -p icmp -j ACCEPT
# Allow inbound DNS requests from the wireless network.
# No source restriction here: any address seen on wlan0 may query the
# access point's resolver.
-A INPUT -i wlan0 -p udp --dport 53 -j ACCEPT
-A INPUT -i wlan0 -p tcp --dport 53 -j ACCEPT
# Allow inbound DNS responses from our ISPs DNS servers.
# Change these to the IP addresses of your ISPs DNS servers.
# 0.0.0.0 and 1.1.1.1 are placeholders to be replaced. As noted above, these
# four rules are already covered by the RELATED,ESTABLISHED rule and are
# never reached.
-A INPUT -s 0.0.0.0 -i eth0 -p udp -m state --state ESTABLISHED -m udp --sport 53 -j ACCEPT
-A INPUT -s 0.0.0.0 -i eth0 -p tcp -m tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -s 1.1.1.1 -i eth0 -p udp -m state --state ESTABLISHED -m udp --sport 53 -j ACCEPT
-A INPUT -s 1.1.1.1 -i eth0 -p tcp -m tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT
# Allow inbound DHCP from the Local wireless network (note: not from 10.0.0/8)
# Change this to the network allocated for your use.
# CAVEAT: a client with no lease yet sends DISCOVER/REQUEST from source
# 0.0.0.0 (RFC 2131), which this -s match does not cover; only renewals from
# an already-addressed client match. Whether initial leases still work
# depends on the DHCP server: ISC dhcpd is generally understood to receive
# via a packet socket that bypasses this chain, other servers may not.
# Verify with a fresh client before relying on it.
-A INPUT -s 10.1.2.0/255.255.255.0 -i wlan0 -p udp --dport 67:68 --sport 67:68 -j ACCEPT
# Allow inbound HTTP from the wireless network. Remove the "#" on the next line to enable.
# -A INPUT -s 10.1.2.0/255.255.255.0 -i wlan0 -p tcp -m tcp --dport 80 -j ACCEPT
# Allow inbound FTP from the entire wireless network. Remove the "#" on the next two lines to enable.
# These two rules have no -i match, so they are limited only by the -d
# address. FTP control is TCP/21; the UDP rule on port 21 matches nothing an
# FTP server listens on. Data connections additionally depend on the
# conntrack FTP helper (ip_conntrack_ftp) to be classified RELATED.
# -A INPUT -d 10.1.2.0/255.255.255.0 -p tcp -m tcp --dport 21 -j ACCEPT
# -A INPUT -d 10.1.2.1 -p udp -m state --state NEW,ESTABLISHED -m udp --dport 21 -j ACCEPT
# Allow all related traffic to/from non-privileged ports.
# Shadowed by the RELATED,ESTABLISHED rule near the top of the chain (see note there).
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow all traffic from the LAN to be forwarded to the WLAN.
# Change this to your LANs IP network
# Only wired -> wireless is allowed to initiate; wireless clients get replies
# via the RELATED,ESTABLISHED rule below but cannot open connections toward
# the wired LAN. Since FORWARD's policy is DROP and there is no *nat table in
# this file, wireless clients also cannot reach anything beyond this box
# unless further rules are added.
-A FORWARD -s 192.168.5.0/255.255.255.0 -i eth0 -o wlan0 -d 10.0.0.0/255.0.0.0 -j ACCEPT
# Forward all legitimate responses to forwarded traffic.
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# Make it all true.
COMMIT
# Completed on Thu Jan 30 18:35:03 2003
[root@accesspoint root]# service iptables start |
Flushing all current rules and user defined chains:
             [   OK   ]
Clearing all current rules and user defined chains:              [   OK   ]
Applying iptables firewall rules:                                          [   OK   ] |
[root@accesspoint root]# lsmod |
ipt_REJECT     3992       0     (autoclean)
iptable_filter    2444       1     (autoclean)
ip_tables           15096     3     [ipt_state ipt_REJECT iptable_filter]
ipt_state            1080       8     (autoclean)
ip_conntrack     27272     1     (autoclean) [ipt_state] |
[root@accesspoint root]# insmod ip_tables |
[root@accesspoint root]# /sbin/iptables -L |
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  192.168.5.0/24       anywhere            tcp dpt:ssh
DROP       tcp  --  !192.168.1.0/24      anywhere            tcp dpt:ssh
ACCEPT     icmp --  192.168.5.0/24       anywhere
ACCEPT     icmp --  10.0.0.0/8           anywhere
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     udp  --  0.0.0.0              anywhere            state ESTABLISHED udp spt:domain
ACCEPT     tcp  --  0.0.0.0              anywhere            state ESTABLISHED tcp spt:domain
ACCEPT     udp  --  1.1.1.1              anywhere            state ESTABLISHED udp spt:domain
ACCEPT     tcp  --  1.1.1.1              anywhere            state ESTABLISHED tcp spt:domain
ACCEPT     udp  --  10.1.2.0/24          anywhere            udp spts:bootps:bootpc dpts:bootps:bootpc
ACCEPT     tcp  --  anywhere             anywhere            state RELATED,ESTABLISHED tcp spts:1024:65535 dpts:1024:65535

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  192.168.5.0/24       10.0.0.0/8
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination |