Thank you. I apologize for sending something that could be read. There are more examples in there that I had commented out. Anyway, here is my working iptables-save. If someone could review my output and let me know if I am missing anything and if the order of the rules are the most secure they could be. TIA.
Steve
# Generated by iptables-save v1.4.21 on Fri Jun 1 10:34:39 2018*mangle:PREROUTING ACCEPT [12219:2602452]:INPUT ACCEPT [8766:2101480]:FORWARD ACCEPT [0:0]:OUTPUT ACCEPT [7093:2183351]:POSTROUTING ACCEPT [7093:2183351]COMMIT# Completed on Fri Jun 1 10:34:39 2018# Generated by iptables-save v1.4.21 on Fri Jun 1 10:34:39 2018*nat:PREROUTING ACCEPT [3836:607509]:INPUT ACCEPT [130:21132]:OUTPUT ACCEPT [42:19744]:POSTROUTING ACCEPT [40:19121]-A POSTROUTING -o eth1 -j MASQUERADECOMMIT# Completed on Fri Jun 1 10:34:39 2018# Generated by iptables-save v1.4.21 on Fri Jun 1 10:34:39 2018*filter:INPUT DROP [253:85405]:FORWARD ACCEPT [0:0]:OUTPUT ACCEPT [7093:2183351]-A INPUT -m set --match-set blacklist src -j DROP-A INPUT -i lo -j ACCEPT-A INPUT -s mypublicip1 -i eth0 -j ACCEPT-A INPUT -s mypublicip2 -i eth0 -j ACCEPT-A INPUT -s myublicip3 -i eth0 -j ACCEPT-A INPUT -s 192.168.20.0/23 -i eth1 -j ACCEPT-A INPUT -s myipprovider1 -i eth0 -p udp -m udp --dport 5060 -j ACCEPT-A INPUT -s myipprovider2 -i eth0 -p udp -m udp --dport 5060 -j ACCEPT-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT-A FORWARD -m set --match-set blacklist src -j DROP-A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT-A FORWARD -i eth0 -o eth1 -j ACCEPT-A FORWARD -i eth1 -o eth1 -j REJECT --reject-with icmp-port-unreachableCOMMIT# Completed on Fri Jun 1 10:34:39 2018~~
Steve
On Friday, June 1, 2018, 9:37:57 AM EDT, m.roth@5-cent.us m.roth@5-cent.us wrote:
Steve Frazier wrote:
Hello, I hope that I can ask some questions on this mailing list about IPTables. I am more familiar with IPTABLES instead of FIREWALLD. I disabled FIREWALLD and installed iptables-services. I have put together a script that I found on the web on how to set up a good set of IPTABLES rules to keep my server as secure as possible.
<snip> That's *extremely* hard to read, esp. given that the numbered commands would fail, as they don't seem to be comments.
Could you run it, and then give us the o/p of iptables-save?
mark
_______________________________________________ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos