Customizing The Ip-Filter - StarTech.com CONYX ECS0016 Instruction Manual

Enhanced console server

The basic steps performed are as follows:
a) The current iptables configuration is erased.
b) If a customized IP-Filter script exists, it is executed and no other actions are performed.
c) Standard policies are inserted which drop all traffic not explicitly allowed to and through the system.
d) Rules are added which explicitly allow network traffic to reach enabled services (e.g. HTTP, SNMP, etc.).
e) Rules are added which explicitly allow network traffic to reach serial ports over enabled protocols, e.g. Telnet, SSH and raw TCP.

Customizing the IP-Filter:

/etc/config/filter-custom
If the standard system firewall configuration is not adequate for your needs, it can be bypassed safely by creating a file at /etc/config/filter-custom containing the commands that build a specialized firewall. This firewall script is run whenever the LAN interface is brought up (including initially) and overrides any automated system firewall settings.
Below is a simple example of a custom script which creates a firewall using the iptables command. Only incoming connections from computers on the class C network 192.168.10.0 will be accepted when this script is installed at /etc/config/filter-custom. (Note that by the time this script is called, any preexisting chains and rules have already been flushed from iptables, so the script itself is responsible for every rule, including the default policies.)
#!/bin/sh
# Set default policies to drop any incoming or routable traffic
# and blindly accept anything from the 192.168.10.0 network.
iptables --policy FORWARD DROP
iptables --policy INPUT DROP
iptables --policy OUTPUT ACCEPT
# Allow responses to outbound connections back in.
iptables --append INPUT \
Instruction Manual
112
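As an added example (not the manual's own script), here is a complete /etc/config/filter-custom in the same style that goes one step beyond the manual's version: rather than accepting everything from the trusted network, it admits new connections from 192.168.10.0/24 only on the SSH and HTTPS ports and lets replies to the unit's own outbound connections back in. The port list, the TRUSTED_NET name and the IPT=echo preview convention are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the manual's script: a complete /etc/config/filter-custom that
# accepts inbound TCP only from one trusted network and only on listed service ports.
# The network, the port list and the dry-run convention (IPT=echo) are assumptions.
IPT="${IPT:-iptables}"                             # set IPT=echo to print rules instead
TRUSTED_NET="${TRUSTED_NET:-192.168.10.0/24}"
ALLOWED_TCP_PORTS="${ALLOWED_TCP_PORTS:-22 443}"   # SSH and HTTPS management

build_filter() {
    # Default-deny for anything entering or transiting the unit; outbound is free.
    "$IPT" --policy INPUT DROP
    "$IPT" --policy FORWARD DROP
    "$IPT" --policy OUTPUT ACCEPT
    # Local services talk to each other over loopback.
    "$IPT" --append INPUT --in-interface lo --jump ACCEPT
    # Replies to connections the console server itself opened (DNS, NTP, syslog).
    "$IPT" --append INPUT --match state --state ESTABLISHED,RELATED --jump ACCEPT
    # New connections: only from the trusted network, only to the listed ports.
    for port in $ALLOWED_TCP_PORTS; do
        "$IPT" --append INPUT --protocol tcp --source "$TRUSTED_NET" \
            --dport "$port" --match state --state NEW --jump ACCEPT
    done
    # Everything else falls through to the INPUT DROP policy.
}

# The system runs this file on LAN up once it is installed at /etc/config/filter-custom;
# run it by hand as "sh filter-custom.sh preview" to print the rules without root.
case "$0" in
    */filter-custom) build_filter ;;
    *) if [ "${1:-}" = preview ]; then IPT=echo build_filter; fi ;;
esac
```

Because the system has already flushed iptables before calling the script, no flush is needed here; the three --policy lines are what turn the empty ruleset into a default-deny one.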
