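# /etc/firewall - configuration file for IP access policies
#
# Each line of this file represents the arguments that will be passed to
# iptables at start-up.  Lines beginning with '#' are treated as comments.
#
# The following sample configuration is very simplistic.  Local sysadmins
# should make customizations before deploying the firewall policy.  For
# additional information see the iptables(8) manpage.
#
# NOTE: this file only drives iptables, i.e. IPv4.  It does nothing for
# ip6tables, so a host that also has IPv6 connectivity needs an equivalent
# IPv6 policy, or the "INPUT DROP" below gives it no protection over IPv6.
#
# Rules are evaluated in order and the first match wins, so keep
# tightening rules (anti-spoofing) ahead of any broad ACCEPT.
#
# Make the default policy not to allow anything in and not to forward
# anything, but allow all outbound traffic to pass unrestricted.
# Unrestricted OUTPUT means a compromised local process can connect out
# to anything; tighten it if this host only needs to reach known peers.
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
#
# Additional configuration examples are shown below.  Edit the addresses
# and masks to fit your network and uncomment the lines you want to use.
#
# Allow everything in from the loopback network to come in.
-A INPUT -i lo -s 127.0.0.0/8 -j ACCEPT
#
# Anti-spoofing: a packet claiming a 127.0.0.0/8 source address but
# arriving on a real interface is forged.  Drop it explicitly so that none
# of the port-based "reply" rules further down can accept it by accident.
# -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
#
# Allow everything from the local ethernet network to come in.  Be sure
# to change the IP address to match your network configuration.  This
# trusts anything that can put a 192.168.1.x source address onto eth0, so
# only use it on a network segment you control end-to-end.
# -A INPUT -i eth0 -s 192.168.1.0/24 -j ACCEPT
#
# Allow replies to connections this host started itself.  This is the
# preferred replacement for the port-based "reply" rules below: the
# kernel's connection tracking only admits packets that belong to a flow
# we initiated, so spoofed source ports and ACK/FIN scans are dropped.
# Requires connection-tracking support in the kernel.
# -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Allow ICMP (ping) replies.  As written the first rule accepts EVERY
# ICMP type (echo-request, redirect, ...), not only ping replies.  To
# accept only replies use "--icmp-type echo-reply"; consider also
# "destination-unreachable", which path-MTU discovery depends on.
# -A INPUT -p icmp -j ACCEPT
# -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
# -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
#
# Allow DNS replies from specific name servers to come through.  Be sure
# to change the DNS server addresses to match your network configuration.
# Even if you run a name server on the local host, you must enable this
# rule (the local server still needs replies to its own outbound queries).
# These rules match on source address and port only, so anything able to
# spoof the name server's address gets through; the ESTABLISHED,RELATED
# rule above is the stronger option.
# -A INPUT -p udp -s 192.168.1.53 --sport 53 --dport 1024:65535 -j ACCEPT
# -A INPUT -p udp -s 10.10.10.53 --sport 53 --dport 1024:65535 -j ACCEPT
#
# Allow NTP replies from time server.  Be sure to change the IP address
# to that of your NTP source.  Same spoofing caveat as the DNS rules.
# -A INPUT -p udp -s 10.10.10.123 --sport 123 -j ACCEPT
#
# Allow DNS traffic to come in from anywhere.  Enable these if you run a
# DNS server on this host.  The second line accepts any UDP packet from
# any host to any unprivileged port as long as it carries source port 53,
# which is trivially forged; prefer the ESTABLISHED,RELATED rule for the
# server's own outbound queries and keep only the --dport 53 line.
# -A INPUT -p udp --dport 53 -j ACCEPT
# -A INPUT -p udp --sport 53 --dport 1024:65535 -j ACCEPT
#
# Allow ftp traffic to come in from anywhere.  Enable this if you run an
# ftp server.  FTP sends credentials in the clear, and its data connections
# use ports this rule does not cover; the FTP connection-tracking helper
# together with the RELATED rule above handles those.
# -A INPUT -p tcp --dport 21 -j ACCEPT
#
# Allow web traffic to come in from anywhere.  Enable this if you run a
# web server.
# -A INPUT -p tcp --dport 80 -j ACCEPT
#
# Allow tcp replies from any source above the well-known port range.  This
# is necessary for clients like lynx and ftp to receive data.
# WARNING: this accepts every non-SYN TCP segment from anywhere to any
# port above 1023, so ACK/FIN/NULL/Xmas scans reach every service that
# listens on a high port, and forged non-SYN segments can probe them.
# Use the ESTABLISHED,RELATED rule instead wherever connection tracking
# is available; keep this one only as a last resort.
# -A INPUT -p tcp --dport 1024:65535 ! --syn -j ACCEPT
#
# Reject, rather than drop, ident requests.  This will enable the
# requesting host to get on with business rather than having to wait
# for a timeout.  The default rejection is an ICMP port-unreachable; a
# TCP reset (--reject-with tcp-reset) is what ident clients treat as an
# immediate "no answer".
# -A INPUT -p tcp --dport 113 -j REJECT
# -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset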