iptables script.....

Discussion in 'Linux & BSD' started by Dark Atheist, Aug 30, 2008.

  1. Dark Atheist

    Dark Atheist Moderator Political User Folding Team

    Messages:
    6,376
    Location:
    In The Void
    on which I think I have dropped the proverbial nad

    #!/bin/bash
    ext_if=eth0
    int_if=eth1
    iptables -F INPUT
    iptables -P INPUT DROP
    iptables -F OUTPUT
    # Reply traffic for connections already tracked by conntrack
    iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A INPUT -i lo -j ACCEPT
    # Same variable name as the loop below uses (was accept_port / $accept_ports)
    accept_ports="80 443 2010 9000:9000"
    names="some.dns.name1 some.dns.name2 some.dns.name3 some.dns.name4"
    # Catch-all for the external interface; INPUT rules appended after it for $ext_if are never reached
    iptables -A INPUT -i $ext_if -j DROP
    iptables -A INPUT -i $int_if -s 164.168.1.1/24 -j ACCEPT
    iptables -A INPUT -i $ext_if -s 192.168.1.1/24 -j ACCEPT
    for ip in $names
    do
        for port in $accept_ports
        do
            # --dport and --syn need -p tcp; the port goes in --dport (was $ip)
            iptables -A INPUT -i $ext_if -p tcp -s $ip --dport $port --syn -m state --state NEW -j ACCEPT
        done
    done

    is what I believe should give me control over who can access certain things on my server (web, ftp)

    Thing is, since running this script it is also blocking me on the LAN too!!!! I can't see web pages or connect to my own FTP :(

    Any sharp-eyed person out there see where I messed up? (And no, saying "well, you wrote it" is neither a reason nor helpful; it also won't get you reps or a cookie.)
     
  2. X-Istence

    X-Istence * Political User

    Messages:
    6,498
    Location:
    USA
    And that once again reminds me why I love pf.
     
  3. Dark Atheist

    not helpful :(
     
  4. Dark Atheist

    Seems it was iptables -A INPUT -i $ext_if -j DROP; that line looks like I might have it in the wrong place. Still, at least I can connect to my server now. Also a shame I have blocked other ports :p still, I can add them.
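Putting the thread's conclusion together, here is an added example (my own, not Dark Atheist's script) of the same policy with the catch-all DROP moved to the end of the INPUT chain, so the loopback, reply-traffic, LAN and per-host service rules are evaluated before it. The interface names, LAN range, port list and hostnames are placeholders; the ipt wrapper and the DRY_RUN switch are my additions so the generated rule order can be checked without root and without touching the live firewall.

```shell
#!/bin/sh
# Added example, not the original poster's script. Interfaces, LAN range,
# ports and hostnames below are placeholders; adjust before use.
ext_if="eth0"
int_if="eth1"
lan_net="192.168.1.0/24"                                # assumed LAN range
accept_ports="80 443 2010 9000"                         # assumed service ports
names="host1.example.invalid host2.example.invalid"     # placeholder peers

# Run an iptables command, or print it when DRY_RUN=1 so the rule order
# can be reviewed without root and without touching the live firewall.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Emit the INPUT chain in the order it must be evaluated: loopback and
# reply traffic first, then the LAN, then the per-host service ports on
# the external interface, and only then the catch-all DROP.
build_rules() {
    ipt -F INPUT
    ipt -P INPUT DROP
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -i "$int_if" -s "$lan_net" -j ACCEPT
    for ip in $names; do
        for port in $accept_ports; do
            # -p tcp is required for --dport and --syn; the port, not the
            # host, goes in --dport. Hostnames are resolved once, when the
            # rule is inserted.
            ipt -A INPUT -i "$ext_if" -p tcp -s "$ip" --dport "$port" \
                --syn -m state --state NEW -j ACCEPT
        done
    done
    # Catch-all last: anything on the external interface not matched above.
    ipt -A INPUT -i "$ext_if" -j DROP
}

# Usage: sh firewall.sh show   (print the rules)   |   sh firewall.sh apply
case "${1:-}" in
    show)  DRY_RUN=1 build_rules ;;
    apply) build_rules ;;
esac
```

Running it with show prints the rules in order so the DROP can be confirmed as the last line before anything is applied. The single ESTABLISHED,RELATED rule replaces the per-protocol ESTABLISHED rules of the original, since conntrack already covers both TCP and UDP replies. Because -s with a hostname is resolved only when the rule is inserted, a host whose address changes needs the script re-run.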