Script Firewall for home NFS LAN on router

Parent: Firewall

I am running Fedora (FC1) on a system connected by a hardware router to DSL and to two other PCs in my home, where I use NFS for data transfer. I trust nothing on the internet and everything on the three computers. Therefore, I want to set up my iptables to accept any new INPUT from these three computers and only input from established sessions from anywhere else.

I had a hard time figuring out which iptables -L output corresponds to a given script while constructing the script, so here is the output produced by the script below:


```text
[root@localhost root]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  FrayneLaptop         anywhere
ACCEPT     all  --  asus                 anywhere
ACCEPT     all  --  localhost.localdomain  anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@localhost root]#
```

The first time I tried, I destroyed the GUI desktop by neglecting to put in the lo line. If you make a similar mistake, you can use Ctrl-Alt-F1 to go into console mode, log on as root, execute the following to disable the firewall at boot, and reboot with no firewall to fix the problem.


```sh
iptables -A INPUT -j ACCEPT
```

To use the script, save it in a .sh file, say /home/tom/Tom-iptables.sh, make it executable, and run it as root:


```sh
chmod +x /home/tom/Tom-iptables.sh
/home/tom/Tom-iptables.sh
```

Script Firewall for home NFS LAN on router

```sh
#!/bin/sh
# /home/tom/Tom-iptables.sh
# Clear out the old firewall by running the following as root:
iptables -F
iptables -X

# Set up the new firewall:

# Accept anything from the two other computers on the LAN.
# Hostnames are resolved when the rule is added (iptables stores the address),
# so they must resolve, e.g. via /etc/hosts, at the time the script runs.
iptables -A INPUT -j ACCEPT -s FrayneLaptop
iptables -A INPUT -j ACCEPT -s asus

# Accept anything from the local computer (needed to run the GUI desktop)
iptables -A INPUT -j ACCEPT -i lo -s 127.0.0.1

# Accept related packets from established sessions
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED

# Accept any output packets
iptables -P OUTPUT ACCEPT

# Drop all other input packets
iptables -P INPUT DROP
iptables -P FORWARD DROP

# Add the following line to /etc/sysconfig/network to stop the scripts from
# modifying your custom firewall (I did not):
# FIREWALL_MODS=no

# Finally, save your firewall configuration to /etc/sysconfig/iptables and
# enable it (in Fedora) to survive reboots with:
service iptables save
chkconfig iptables on
```
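Because a missing lo line or a leftover emergency accept-all is easy to overlook in a long listing, here is an added check (not part of the original page or script) that reads a plain `iptables -L` or `iptables -L -n` listing from stdin and confirms it matches the policy described above; the two sample listings are constructed from the output shown earlier on this page.

```sh
#!/bin/sh
# Added check (not from the page): verify a plain `iptables -L`/`-L -n` listing on stdin matches the policy above.
check_listing() (          # subshell body: set -f and exit stay local
    set -f                 # no globbing while splitting listing lines into fields
    chain='' in_drop=0 fw_drop=0 lo_ok=0 est_ok=0 wide_open=0
    while IFS= read -r line; do
        set -- $line       # plain -L columns: target prot opt source destination [match]
        case "${1-}" in
            Chain)
                chain=$2
                case "$line" in *'policy DROP'*)
                    if [ "$chain" = INPUT ]; then in_drop=1; fi
                    if [ "$chain" = FORWARD ]; then fw_drop=1; fi ;;
                esac ;;
            ACCEPT)
                if [ "$chain" = INPUT ]; then
                    # the "lo line": -L shows localhost.localdomain, -L -n shows 127.0.0.1
                    case "$4" in localhost*|127.0.0.1) lo_ok=1 ;; esac
                    case "$line" in *RELATED*ESTABLISHED*|*ESTABLISHED*RELATED*) est_ok=1 ;; esac
                    # five columns with source anywhere = the emergency accept-all still in place
                    if [ $# -eq 5 ]; then
                        case "$4" in anywhere|0.0.0.0/0) wide_open=1 ;; esac
                    fi
                fi ;;
        esac
    done
    if [ $in_drop -ne 1 ]; then echo 'FAIL: INPUT policy is not DROP'; exit 1; fi
    if [ $lo_ok -ne 1 ]; then echo 'FAIL: no loopback ACCEPT in INPUT (GUI desktop breaks)'; exit 1; fi
    if [ $est_ok -ne 1 ]; then echo 'FAIL: no RELATED,ESTABLISHED ACCEPT in INPUT'; exit 1; fi
    if [ $fw_drop -ne 1 ]; then echo 'FAIL: FORWARD policy is not DROP'; exit 1; fi
    if [ $wide_open -eq 1 ]; then echo 'FAIL: unconditional ACCEPT from anywhere in INPUT'; exit 1; fi
    echo 'OK: listing matches the intended home LAN policy'
)
# Constructed samples: the listing from this page, and the same box after the
# lo line was forgotten and the recovery accept-all was appended.
GOOD_LISTING='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  FrayneLaptop         anywhere
ACCEPT     all  --  localhost.localdomain  anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED

Chain FORWARD (policy DROP)
target     prot opt source               destination'
BAD_LISTING='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  FrayneLaptop         anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere'
printf '%s\n' "$GOOD_LISTING" | check_listing         # OK: listing matches ...
printf '%s\n' "$BAD_LISTING" | check_listing || :     # FAIL: no loopback ACCEPT ...
```

On the real box, run `iptables -L | sh -c '. ./check.sh; check_listing'` or simply pipe `iptables -L` into the function after sourcing the file; the check only understands the default `-L` column layout, not the extra columns printed by `-L -v`.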