Script Firewall for home NFS LAN on router

From LQWiki
Jump to: navigation, search

Parent: Firewall#Firewall_scripts/console_apps

I am running Fedora (FC1) on a system connected by a hardware router to DSL and two other PC's in my home, where I use NFS for data transfer. I trust nothing on the internet and everything on the three computers. Therefor, I want to set up my iptables to accept any new INPUT from these three computers and only input from established sessions from anywhere else.

I had a hard time figuring out what the iptables -L output corresponding to a script is to construct the script, so here is the output corresponding to the script below:

[root@localhost root]# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- FrayneLaptop anywhere
ACCEPT all -- asus anywhere
ACCEPT all -- localhost.localdomain anywhere
ACCEPT all -- anywhere anywhere state :RELATED,ESTABLISHED
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@localhost root]#


The first time I tried, I destroyed the GUI desktop by neglecting to put in the lo line. If you make a similar mistake, you can use Ctrl-Alt-F1 to go into console mode, logon as root, execute the following to disable the firewall at boot, and reboot with no firewall to fix the problem.

iptables -A INPUT -j ACCEPT

To use the script, save it in a .sh file, say /home/tom/Tom-iptables.sh, make it executable and execute it by executing as root:

chmod +x /home/tom/Tom-iptables.sh
/home/tom/Tom-iptables.sh


Script Firewall for home NFS LAN on router

#!/bin/sh
#/home/tom/Tom-iptables.sh
# Clear out the old firewall by running the following as root:
iptables -F
iptables -X
#Setup the new firewall:
#Accept anything from the two other computers on the LAN
iptables -A INPUT -j ACCEPT -s FrayneLaptop
iptables -A INPUT -j ACCEPT -s asus
#Accept anything from the local computer (needed to run the GUI desktop)
iptables -A INPUT -j ACCEPT -i lo -s 127.0.0.1
#Accept related packets from established sessions
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
#Accept any output packets
iptables -P OUTPUT ACCEPT
#Drop all other input packets
iptables -P INPUT DROP
iptables -P FORWARD DROP


# Add the following line to /etc/sysconfig/network to stop the scripts from
# modifying your custom firewall (I did not):
# FIREWALL_MODS=no
# Finally you save your firewall configuration to /etc/sysconfig/iptables and
#enable it to (in Fedora) to survive reboot with:
service iptables save
chkconfig iptables on