Re: [GnomeMeeting-list] ils server connect with fedora core 1 and cable modem
Here's the iptables firewall I've constructed for FC1 and gnomemeeting.
I'm sure it's not perfect, so if anyone has any pointers, please feel
free (I'm just a poor physicist)....

Hope it helps, Andy.

Cheers,

Michael

On Tue, 2004-04-06 at 15:14, Andy Ruddock wrote:
> Michael Henschel wrote:
> | Thanks for the help!  I finally figured it out.
> |
> | If anyone is looking for a simple FC1 iptables script that allows GM and
> | blocks just about everything else, let me know and I'll post it.
> |
> 
> Please post it. I don't know about anybody else but iptables is always
> obvious when it works, but I always seem to struggle getting it all
> together and in the right order.
> 
> [snip]
> 
> - --
> Andy Ruddock
> - ------------
> Senior Software Developer (andy ruddock minnesund net)
> GPG Key IDs : DSA/EIGamal=0x4E509520 RSA=0x5C38FD43 DSA=0x8B428591

#!/bin/sh

#
# A simple strict firewall that lets GM 1.0 work but only allows ssh TCP
# connections otherwise.  Same rules for INPUT and FORWARD packets
# lets the default redhat firewall work after these settings.
#
# if installed in .firewall, then follow these instructions:
#
# as root run .firewall/strict
# as root run /sbin/service iptables save
#
# Michael Henschel
# 5 April 2004

ETH=eth0
LO_FACE="lo"
LO_IP="127.0.0.1"

# create the chain on the first run; on later runs just empty it, so the
# script can be re-run without a "Chain already exists" error
/sbin/iptables -F myfirewall 2>/dev/null || /sbin/iptables -N myfirewall

# internal (loopback) traffic
/sbin/iptables -A myfirewall -p all -i $LO_FACE -s $LO_IP -j ACCEPT
# a TCP packet that conntrack sees as NEW must carry SYN; reset anything else
/sbin/iptables -A myfirewall -p tcp ! --syn -m state --state NEW -j REJECT --reject-with tcp-reset
# accept known hosts with tx/rx on going
/sbin/iptables -A myfirewall -p all -m state --state ESTABLISHED,RELATED -j ACCEPT

# ssh
/sbin/iptables -A myfirewall -p tcp --syn -m state --state NEW --dport 22 -j ACCEPT

# gnomemeeting (H.323): RTP media, H.245 control channels, H.225 call signalling
/sbin/iptables -A myfirewall -p udp --dport 5000:5007   -j ACCEPT
/sbin/iptables -A myfirewall -p tcp --dport 30000:30010 -j ACCEPT
/sbin/iptables -A myfirewall -p tcp --dport 1720        -j ACCEPT

# dhcp requests: drop silently so they do not fill the log below
/sbin/iptables -A myfirewall -p udp -i $ETH --dport 67:68 -j DROP

# echo-request, time exceeded
/sbin/iptables -A myfirewall -p icmp --icmp-type 8  -j ACCEPT
/sbin/iptables -A myfirewall -p icmp --icmp-type 11 -j ACCEPT

# domain, ntp (inbound to the server ports; replies to our own queries are
# already accepted by the ESTABLISHED,RELATED rule above)
/sbin/iptables -A myfirewall -p udp --dport 53  -j ACCEPT
/sbin/iptables -A myfirewall -p udp --dport 123 -j ACCEPT
#/sbin/iptables -A myfirewall -p udp --dport 2074 -j ACCEPT
#/sbin/iptables -A myfirewall -p udp --dport 4000 -j ACCEPT

# log anything else (LOG does not terminate; the packet carries on down the chain)
/sbin/iptables -A myfirewall -p tcp -j LOG --log-prefix "TCP "
/sbin/iptables -A myfirewall -p udp -j LOG --log-prefix "UDP "
#/sbin/iptables -A myfirewall -p icmp -j LOG --log-prefix "ICMP "

/sbin/iptables -A myfirewall -p icmp --icmp-type any -j ACCEPT

# anything not matched above returns to INPUT/FORWARD and is then handled by
# Red Hat's default RH-Firewall-1-INPUT chain, which must already exist
/sbin/iptables -F INPUT
/sbin/iptables -A INPUT -p all -j myfirewall
/sbin/iptables -A INPUT -p all -j RH-Firewall-1-INPUT
/sbin/iptables -F FORWARD
/sbin/iptables -A FORWARD -p all -j myfirewall
/sbin/iptables -A FORWARD -p all -j RH-Firewall-1-INPUT
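
Rule order inside an iptables chain is first terminating match wins, which is the "getting it all in the right order" part Andy asks about. The Python model below is an added example, not part of Michael's post and not GnomeMeeting code: it encodes the myfirewall chain above as an ordered list of (name, match, target) entries and walks constructed packets through it, so you can see which rule fires and why before loading the rules on a live box. The Packet fields, the conntrack states and all sample packets are assumptions made here; RH-Firewall-1-INPUT is modelled only as "fell off the end of the chain" (RETURN). It also goes one step beyond the script by reordering the chain to show that the GnomeMeeting TCP accepts, which carry no --syn of their own, depend on the "NEW but not SYN" reject sitting above them.

```python
"""Offline first-match walk-through of the posted 'myfirewall' chain.

Added example (not the original script): the rules below mirror the
script's order; packets and their conntrack state are constructed here.
"""
from dataclasses import dataclass


@dataclass
class Packet:
    # Constructed packet model: only the fields the chain looks at.
    proto: str                  # "tcp", "udp" or "icmp"
    dport: int = 0              # destination port (tcp/udp)
    syn: bool = False           # True when the packet would match iptables --syn
    state: str = "NEW"          # conntrack state: NEW, ESTABLISHED or RELATED
    iface: str = "eth0"         # inbound interface
    src: str = "203.0.113.5"    # constructed source address (TEST-NET-3)
    icmp_type: int = 0


def port_in(p, lo, hi):
    return lo <= p.dport <= hi


# (name, predicate, target) in the same order as the script.  LOG is a
# non-terminating target: it fires and evaluation continues with the next rule.
RULES = [
    ("loopback",              lambda p: p.iface == "lo" and p.src == "127.0.0.1", "ACCEPT"),
    ("NEW tcp without SYN",   lambda p: p.proto == "tcp" and p.state == "NEW" and not p.syn, "REJECT"),
    ("established/related",   lambda p: p.state in ("ESTABLISHED", "RELATED"), "ACCEPT"),
    ("ssh",                   lambda p: p.proto == "tcp" and p.syn and p.state == "NEW" and p.dport == 22, "ACCEPT"),
    ("GM RTP udp 5000-5007",  lambda p: p.proto == "udp" and port_in(p, 5000, 5007), "ACCEPT"),
    ("GM H.245 tcp 30000-30010", lambda p: p.proto == "tcp" and port_in(p, 30000, 30010), "ACCEPT"),
    ("GM H.225 tcp 1720",     lambda p: p.proto == "tcp" and p.dport == 1720, "ACCEPT"),
    ("dhcp on eth0",          lambda p: p.proto == "udp" and p.iface == "eth0" and port_in(p, 67, 68), "DROP"),
    ("icmp echo-request",     lambda p: p.proto == "icmp" and p.icmp_type == 8, "ACCEPT"),
    ("icmp time-exceeded",    lambda p: p.proto == "icmp" and p.icmp_type == 11, "ACCEPT"),
    ("dns",                   lambda p: p.proto == "udp" and p.dport == 53, "ACCEPT"),
    ("ntp",                   lambda p: p.proto == "udp" and p.dport == 123, "ACCEPT"),
    ("log tcp",               lambda p: p.proto == "tcp", "LOG"),
    ("log udp",               lambda p: p.proto == "udp", "LOG"),
    ("any icmp",              lambda p: p.proto == "icmp", "ACCEPT"),
]

# Same rules with the SYN check moved to the end: the GM tcp accepts have no
# --syn of their own, so they rely on that rule coming first.
SYN_CHECK_LAST = RULES[:1] + RULES[2:] + [RULES[1]]


def walk(packet, rules=RULES):
    """Return (verdict, names of rules that matched); first terminating match wins.

    A packet that matches no terminating rule gets "RETURN": it goes back to
    INPUT/FORWARD, where the script hands it on to RH-Firewall-1-INPUT.
    """
    trail = []
    for name, match, target in rules:
        if match(packet):
            trail.append(name)
            if target != "LOG":
                return target, trail
    return "RETURN", trail


def demo():
    """Constructed packets that exercise the interesting rule interactions."""
    cases = {
        "ssh SYN":                         Packet("tcp", 22, syn=True),
        "ssh ACK with no conntrack entry": Packet("tcp", 22),
        "H.323 call setup SYN":            Packet("tcp", 1720, syn=True),
        "RTP audio":                       Packet("udp", 5002),
        "unsolicited udp 6000":            Packet("udp", 6000),
        "reply to our own dns query":      Packet("udp", 40123, state="ESTABLISHED"),
        "dhcp request on eth0":            Packet("udp", 68),
    }
    return {label: walk(p) for label, p in cases.items()}


if __name__ == "__main__":
    for label, (verdict, trail) in demo().items():
        print(f"{label:34} -> {verdict:7} via {' > '.join(trail)}")
    verdict, _ = walk(Packet("tcp", 1720), SYN_CHECK_LAST)
    print(f"stray non-SYN tcp/1720 with SYN check moved last -> {verdict}")
```

The model is deliberately small: it ignores source-address matching beyond loopback and treats RH-Firewall-1-INPUT as opaque. On the real box the equivalent check is reading the chain in order with counters, `iptables -L myfirewall -n -v --line-numbers`, and confirming that the "unsolicited udp 6000" style packet shows up only in the LOG rule's counter and in syslog with the "UDP " prefix.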

