Security....

James Kosin jkosin at beta.intcomgrp.com
Wed Oct 27 17:00:50 UTC 2004


Rodolfo J. Paiz wrote:

> <<-- snip -->>
>
>I love it.
>
>  
>
I took a simpler approach.

1.  Set up iptables with the following:
    iptables -A INPUT -i lo -j ACCEPT
        # this allows the local loopback interface to always work
    iptables -A INPUT -d xxx.xxx.xxx.xxx -m state --state RELATED,ESTABLISHED -j ACCEPT
        # accept connections back to this host for connections attempted from this host
    iptables -A INPUT -j REJECT
        # this rejects everything else

2.  I just add
    iptables -I INPUT 3 -d xxx.xxx.xxx.xxx -p tcp -m state --state NEW -m tcp --dport yyy -j ACCEPT
    for each port I want to open up on my server.

Note:   xxx.xxx.xxx.xxx gets replaced with the local machine's IP address.
        yyy gets replaced with the port number.

You can also restrict the source IP address for the packet by including
a -s zzz.zzz.zzz.zzz option in the iptables command.

For most clients, #1 above is enough to block all attacks.

James Kosin
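
Added example, not code from James's post: a small POSIX sh script that builds the INPUT chain described in steps 1 and 2 above, with the optional -s source restriction, and a DRY_RUN mode that prints the rules instead of applying them. The host address 192.0.2.10, the port list and the 198.51.100.0/24 trusted network are assumed placeholders; the initial flush of INPUT is my addition so the script can be re-run without stacking duplicate rules.

```shell
#!/bin/sh
# Added example, not code from the original post: builds the default-deny
# INPUT chain described above. 192.0.2.10, the port list and the trusted
# source network in the comments are assumed placeholders.
# DRY_RUN=1 prints each iptables command instead of executing it, so the
# rule set can be reviewed before it is applied as root.

IPT="${IPT:-iptables}"

# run_ipt: execute one iptables command, or print it when DRY_RUN is set.
run_ipt() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s %s\n' "$IPT" "$*"
    else
        "$IPT" "$@"
    fi
}

# base_rules HOST_IP: the three rules from step 1, after flushing INPUT so
# the script can be re-run without stacking duplicate rules (the flush is
# an addition to the post's procedure).
base_rules() {
    host_ip="$1"
    run_ipt -F INPUT
    run_ipt -A INPUT -i lo -j ACCEPT
    run_ipt -A INPUT -d "$host_ip" -m state --state RELATED,ESTABLISHED -j ACCEPT
    run_ipt -A INPUT -j REJECT
}

# open_port HOST_IP PORT [SRC]: step 2.  Inserted at position 3 so the rule
# lands after the loopback/ESTABLISHED accepts and ahead of the final
# REJECT; SRC, if given, restricts the rule to that source address/network.
open_port() {
    host_ip="$1"
    port="$2"
    src="${3:-}"
    set -- -I INPUT 3
    if [ -n "$src" ]; then
        set -- "$@" -s "$src"
    fi
    set -- "$@" -d "$host_ip" -p tcp -m state --state NEW -m tcp --dport "$port" -j ACCEPT
    run_ipt "$@"
}

# apply_policy HOST_IP "PORT PORT ..." [SRC]: base rules, then one accept
# rule per listed TCP port.
apply_policy() {
    host_ip="$1"
    ports="$2"
    src="${3:-}"
    base_rules "$host_ip"
    for port in $ports; do
        open_port "$host_ip" "$port" "$src"
    done
}

# Preview:  DRY_RUN=1 sh firewall.sh
# Apply:    sh firewall.sh   (as root)
# Uncomment the line below to run the policy directly; the values are placeholders.
# apply_policy 192.0.2.10 "22 80" 198.51.100.0/24
```

Two practical notes: if you apply this over SSH, the RELATED,ESTABLISHED rule keeps your current session alive, but open port 22 (step 2) before you depend on a fresh connection, since the final REJECT is in place as soon as step 1 finishes. On current iptables releases -m state --state is still accepted but is an alias for -m conntrack --ctstate, so the rules above read identically either way.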
