Tips
Here are some useful custom rules.

I would like to allow only some IP addresses to connect to some tcp/udp ports
As this is a simple firewall script, opening a port for internet connections means that everybody on the internet may access it.
To allow only some IP addresses to access all ports, use (and edit) this:
/sbin/iptables -A JAY_INETIN -s 1.2.3.4 -j ACCEPT
This will allow 1.2.3.4 to access all ports.
To allow only some IP addresses to access some tcp/udp ports, use (and edit) this:
/sbin/iptables -A JAY_INETIN_TCP -p tcp -s 1.2.3.4 -m tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
This will allow 1.2.3.4 to access port 21/tcp.
For a UDP port, replace JAY_INETIN_TCP by JAY_INETIN_UDP!
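The two rules above are easy to mistype, and a wrong address or port silently opens the wrong thing. The script below is an added example (not part of the firewall script itself): it reads a small "host proto port" allowlist, validates each entry, and emits the matching rule using the chain names JAY_INETIN, JAY_INETIN_TCP and JAY_INETIN_UDP from the text. IPTABLES defaults to "echo" so the rules are only printed for review; set IPTABLES=/sbin/iptables (as root) to apply them. The allowlist at the bottom is constructed sample data.

```shell
#!/bin/sh
# Added example, not part of the firewall script: generate the per-host allow
# rules for its custom-rules file from a small allowlist, validating each entry
# first. Assumes the chain names JAY_INETIN, JAY_INETIN_TCP and JAY_INETIN_UDP
# from the text. IPTABLES defaults to "echo" so the rules are printed for
# review; set IPTABLES=/sbin/iptables (as root) to apply them.
IPTABLES="${IPTABLES:-echo}"

# is_ipv4 ADDR: succeed only for a dotted quad whose four octets are 0-255
is_ipv4() {
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    set -- $(printf '%s' "$1" | tr . ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# is_port PORT: succeed only for an integer 1-65535
is_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# allow_from HOST PROTO PORT: emit the rule letting HOST reach PORT/PROTO.
# "any any" opens every port for HOST via JAY_INETIN; tcp/udp go to the
# protocol-specific chain, mirroring the two rules given in the text.
allow_from() {
    host=$1; proto=$2; port=$3
    is_ipv4 "$host" || { echo "rejected entry: bad address '$host'" >&2; return 1; }
    case $proto in
        any)
            [ "$port" = any ] || { echo "rejected entry: protocol 'any' needs port 'any'" >&2; return 1; }
            $IPTABLES -A JAY_INETIN -s "$host" -j ACCEPT
            return
            ;;
        tcp) chain=JAY_INETIN_TCP ;;
        udp) chain=JAY_INETIN_UDP ;;
        *)   echo "rejected entry: bad protocol '$proto'" >&2; return 1 ;;
    esac
    is_port "$port" || { echo "rejected entry: bad port '$port'" >&2; return 1; }
    $IPTABLES -A "$chain" -p "$proto" -s "$host" -m "$proto" --dport "$port" \
        -m state --state NEW,ESTABLISHED -j ACCEPT
}

# apply_allowlist: read "HOST PROTO PORT" lines from stdin (blank lines and
# "#" comments skipped) and stop at the first bad entry, so a typo never
# silently opens the wrong port.
apply_allowlist() {
    while read -r host proto port rest; do
        case $host in ''|'#'*) continue ;; esac
        allow_from "$host" "$proto" "$port" || return 1
    done
}

# Constructed allowlist: an admin box on all ports, a mail relay on 25/tcp,
# a resolver on 53/udp.
main() {
    apply_allowlist <<'EOF'
# host        proto  port
192.0.2.10    any    any
192.0.2.25    tcp    25
192.0.2.53    udp    53
EOF
}

main
```

Run it once with the default IPTABLES=echo and read the printed rules before pointing IPTABLES at the real binary; the allowlist stops at the first malformed line rather than skipping it, so a partially applied list is never left behind unnoticed.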
Don't Log the Netbios traffic
If you choose to log the dropped packets (the good choice, I think), you will probably see a lot of netbios traffic dropped by the firewall (unless, of course, you are allowing netbios).
Enable the custom rules option and add these lines to your custom rules file.
IPTABLES=`which iptables`
# Don't Log Netbios
if $IPTABLES -L JAY_LDROP 2>/dev/null 1>&2 ; then
    $IPTABLES -I JAY_LDROP -p tcp --dport 445 -j RETURN
    $IPTABLES -I JAY_LDROP -p udp --dport 137 -j RETURN
    $IPTABLES -I JAY_LDROP -p udp --dport 138 -j RETURN
    $IPTABLES -I JAY_LDROP -p tcp --dport 139 -j RETURN
fi
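The rules above are inserted with -I, which puts them at the head of JAY_LDROP; appended with -A they would land after the LOG rule and the netbios packets would still be logged. The check below is an added example, not part of the firewall script: it parses a rule listing in the format of "iptables -S JAY_LDROP" and succeeds only if every netbios port has its RETURN before the first LOG rule. It assumes JAY_LDROP consists of a LOG rule followed by a DROP rule (the page does not state the chain's contents), and both listings are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the firewall script: verify that the Netbios RETURN
# rules sit in front of the LOG rule in JAY_LDROP. Rules inserted with "-I" do;
# rules appended with "-A" land after the LOG rule and the packets are logged
# anyway. Assumes JAY_LDROP is a LOG rule followed by a DROP rule (not stated
# on the page). Both listings below are constructed samples in the format of
# "iptables -S JAY_LDROP".
GOOD='-N JAY_LDROP
-A JAY_LDROP -p tcp -m tcp --dport 139 -j RETURN
-A JAY_LDROP -p udp -m udp --dport 138 -j RETURN
-A JAY_LDROP -p udp -m udp --dport 137 -j RETURN
-A JAY_LDROP -p tcp -m tcp --dport 445 -j RETURN
-A JAY_LDROP -j LOG --log-prefix "JAY_LDROP: "
-A JAY_LDROP -j DROP'

# The same rules added with -A instead of -I: the RETURNs are never reached.
BAD='-N JAY_LDROP
-A JAY_LDROP -j LOG --log-prefix "JAY_LDROP: "
-A JAY_LDROP -j DROP
-A JAY_LDROP -p tcp -m tcp --dport 445 -j RETURN
-A JAY_LDROP -p udp -m udp --dport 137 -j RETURN
-A JAY_LDROP -p udp -m udp --dport 138 -j RETURN
-A JAY_LDROP -p tcp -m tcp --dport 139 -j RETURN'

# netbios_unlogged LISTING: succeed only if every Netbios port (445/tcp,
# 137/udp, 138/udp, 139/tcp) has a RETURN rule before the first LOG rule.
netbios_unlogged() {
    printf '%s\n' "$1" | awk '
        /-j LOG/ { seen_log = 1 }
        /-j RETURN/ && !seen_log {
            proto = ""; port = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") port = $(i + 1)
            }
            ok[port "/" proto] = 1
        }
        END {
            n = split("445/tcp 137/udp 138/udp 139/tcp", want, " ")
            for (k = 1; k <= n; k++) if (!ok[want[k]]) exit 1
            exit 0
        }'
}

# Stand-alone demonstration on the constructed listings.
netbios_unlogged "$GOOD" && echo "GOOD: netbios leaves JAY_LDROP before LOG"
netbios_unlogged "$BAD" || echo "BAD: netbios is still logged"

# Live check on a running firewall (needs root):
#   netbios_unlogged "$(iptables -S JAY_LDROP)" && echo ok
```

Running the live check after the custom rules have been loaded confirms the order on the box itself rather than on paper; a non-zero exit means at least one netbios port still reaches the LOG rule.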
Say "no thanks" to the 113/tcp authentication port
Sometimes you may have trouble (or delays) retrieving your mail, opening an ftp session, or whatever else.
This is because some of these servers try to authenticate you through the auth service on port 113/tcp (see RFC 931 for more details), and your firewall drops the request if you have not opened that port (because there is not always something listening on it). Dropping a packet means ignoring it, so the server waits for a timeout before doing anything else.
You may ask your firewall to return a proper 'icmp-port-unreachable' for that port. That tells the server "no way", unlike a DROP, which says nothing.
Enable the custom rules option and add this line to your custom rules file.
IPTABLES=`which iptables`
$IPTABLES -I JAY_INETIN -p tcp --dport 113 -j REJECT