Post by John Forkosh
iptables firewall script (or something-else-based firewall script)
to run just before running dhcpd? Thanks again,
The problem is: there is no "one config fits all" or even "most" setup
for that, especially WHEN you're running a dhcp server.
The simplest case is: reject EVERYTHING that is NOT a response to a
local outgoing request and do not forward anything at all, but of
course that means no server functions:
- no webserver (httpd)
- no file server (nfs, smb or likewise)
- no printer server either
- no remote access (ssh and such)
- no dhcp services
- no access at all from wifi devices like smartphone or tablet, or Virtual Machines
So the default "iptables" config is very much site-dependent as only
YOU know which incoming services should NOT be blocked.
And of course which kernel modules you need for that is dependent too
on whether you're running the "huge" or the "generic" kernel (or maybe
even your own compiled one).
The "default" scripts we were using are between 60 (local "calculation
cluster", not much access from outside) and 130 (workstations) lines
and they could be modified on each and every workstation by additional
local rules. In total we had 18 different rule sets, started by a more
than 150 lines long "rc.iptables" script.
Just as an example I'll give you the "stop" functionality:
#!/bin/sh
# IPTABLES is defined once at the top of rc.iptables (see the PS below)
IPTABLES=${IPTABLES:-/usr/sbin/iptables}
# Nothing to stop if the netfilter modules were never loaded
test -r /proc/net/ip_tables_names ||
{ echo "Packetfiltering using iptables is not enabled."; exit 0; }
echo "Turning off packet filtering using iptables ..."
echo 0 > /proc/sys/net/ipv4/ip_forward
# Open the built-in policies; FORWARD stays closed, this box routes nothing
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP
# Flush all chains in both tables
$IPTABLES -F -t nat
$IPTABLES -F -t filter
# Delete all User-specified chains
$IPTABLES -X -t nat
$IPTABLES -X -t filter
# Reset all IPTABLES counters (-Z zeroes them; -L only lists the rules)
$IPTABLES -Z -t nat
$IPTABLES -Z -t filter
(and this was pre-IPv6 networking, so it only does IPv4).
"nat" is the local network, i.e. wifi, "filter" the Internet one.
PS: the variable IPTABLES is the full pathname of the iptables
executable, often /usr/sbin/iptables (but as it can change we'd
rather do it with a single definition).
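The "simplest case" described above (accept only replies to local outgoing requests, forward nothing) and the site-specific opening of a few services on the LAN side, written out as an added example script. This is not the poster's rc.iptables and not any distribution's script; the interface name wlan0, the network 192.168.1.0/24, the tool paths and the default of opening only ssh on the LAN are assumptions, all overridable through environment variables. Unlike the poster's pre-IPv6 setup it applies the same base policy with ip6tables too, since a host with an unfiltered IPv6 stack is not actually closed. Setting DRY_RUN=1 prints the rules instead of applying them, so the rule set can be reviewed without root:

```shell
#!/bin/sh
# Added example, not the poster's script. Default-deny stateful firewall
# for IPv4 and IPv6 plus a small site-specific allow list for the LAN side.
# All paths, interface and network values below are assumptions; override
# them in the environment (e.g. LAN_IF=eth1 LAN_NET=10.0.0.0/24 ./fw.sh start).
IPTABLES=${IPTABLES:-/usr/sbin/iptables}
IP6TABLES=${IP6TABLES:-/usr/sbin/ip6tables}
DRY_RUN=${DRY_RUN:-0}
LAN_IF=${LAN_IF:-wlan0}                  # assumed: the local wifi / VM side
LAN_NET=${LAN_NET:-192.168.1.0/24}       # assumed: addresses on that side
LAN_TCP_PORTS=${LAN_TCP_PORTS:-22}       # assumed: only ssh; empty = none

# Print the rule in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# The strict base policy for one tool ($1 is the iptables or ip6tables path):
# drop everything inbound that is not loopback or part of a connection we
# initiated, forward nothing, allow all outbound.
base_rules() {
    t=$1
    run "$t" -F
    run "$t" -X
    run "$t" -P INPUT DROP
    run "$t" -P FORWARD DROP
    run "$t" -P OUTPUT ACCEPT
    run "$t" -A INPUT -i lo -j ACCEPT
    run "$t" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run "$t" -A INPUT -m conntrack --ctstate INVALID -j DROP
}

# Site-specific exceptions on the LAN interface only. DHCP discover is a
# broadcast from 0.0.0.0:68 to port 67 and never matches ESTABLISHED, so a
# dhcp server needs this explicit rule; each listed TCP port gets a NEW rule
# restricted to the LAN network.
lan_services() {
    run "$IPTABLES" -A INPUT -i "$LAN_IF" -p udp --sport 68 --dport 67 -j ACCEPT
    for p in $LAN_TCP_PORTS; do
        run "$IPTABLES" -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport "$p" \
            -m conntrack --ctstate NEW -j ACCEPT
    done
}

firewall_start() {
    base_rules "$IPTABLES"
    base_rules "$IP6TABLES"
    # IPv6 needs ICMPv6 for neighbour discovery and path MTU to work at all
    run "$IP6TABLES" -A INPUT -p ipv6-icmp -j ACCEPT
    lan_services
}

# Open everything again (the counterpart of the poster's "stop").
firewall_stop() {
    for t in "$IPTABLES" "$IP6TABLES"; do
        run "$t" -P INPUT ACCEPT
        run "$t" -P OUTPUT ACCEPT
        run "$t" -P FORWARD DROP
        run "$t" -F
        run "$t" -X
    done
}

case "$1" in
    start) firewall_start ;;
    stop)  firewall_stop ;;
esac
```

Note the order in lan_services: the ESTABLISHED,RELATED rule already sits above it from base_rules, so the per-port rules only ever see the first packet of a connection, which is what keeps the rule set short regardless of how many services the site opens.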