"iptables -A INPUT -i lo -j ACCEPT"
One place I was reading said it is needed for loopback. Initially I thought this meant that Putty and WinSCP (which I am using) may be using it to check the signals they are sending. I understood this until I read that this command is for localhost only. It went on to say: "Suppose we have 2 separate interfaces, eth0 which is our internal LAN connection and ppp0 dialup modem (or maybe eth1 for a NIC) which is our external internet connection. We may want to allow all incoming packets on our internal LAN but still filter incoming packets on our external internet connection. We could do this as follows:"
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT
Then it went on to say: "But be very careful - if we were to allow all packets for our external internet interface (for example, ppp0 dialup modem):"
iptables -A INPUT -i ppp0 -j ACCEPT
"we would have effectively just disabled our firewall!"
So from the above, am I correct in assuming I should be using this (comments after the commands are my assumptions - or guesses)? The confusion is that one says it is for loopback, yet the last statement says it could disable the firewall (implying that I would be thinking I have a firewall but in fact do not).
iptables -A INPUT -i lo -j ACCEPT   # loopback for localhost, just in case the host provider wants to communicate with my VPS across their intranet
iptables -A INPUT -i eth1 -j ACCEPT # loopback for any internet connections coming from a computer using a NIC
If I ran the script below and it stopped any functions, I was planning on running these two commands to clear it so everything works again.
iptables -P INPUT ACCEPT
#!/bin/bash
#
# MyFireWall script
#
# Basic Website Criteria:
# PHP, MySql, Apache driven web pages with file download and upload.
# FTP is turned off and everything is working fine
# Putty and WinSCP are used.
# No incoming mail. Only outgoing mail with Postfix
#
# Created with http://wiki.centos.org/HowTos/Network/IPTables
# Created with http://articles.slicehost.com/assets/2007/9/4/iptables.txt
# Created with https://help.ubuntu.com/community/IptablesHowTo
#
#
# If connecting remotely we must first temporarily set the default policy on the INPUT chain to ACCEPT,
# otherwise once we flush the current rules we will be locked out of our server.
iptables -P INPUT ACCEPT
#
#
# Flush all current rules from iptables - we use the -F switch to flush all existing rules
# so we start with a clean state from which to add new rules.
iptables -F
#
#
# Set access for localhost
# Use the -i switch (for interface) to match packets arriving on the lo (localhost, 127.0.0.1) interface.
# So this rule will allow all incoming packets on the localhost interface to be accepted.
# This is generally required as many software applications expect to be able to communicate with the localhost adaptor.
# Allows all loopback (lo) traffic
iptables -A INPUT -i lo -j ACCEPT
#
#
# Accept packets belonging to established and related connections
# We are adding (-A) the rule to the INPUT chain.
# Here we're using the -m switch to load a module (state).
# The state module is able to examine the state of a packet and determine if it is NEW, ESTABLISHED or RELATED.
# NEW refers to incoming packets that are new incoming connections that weren't initiated by the host system.
# ESTABLISHED and RELATED refer to incoming packets that are part of an already established connection
# or related to an already established connection.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#
#
# Here we add a rule allowing SSH connections over tcp port 22.
# - By default SSH uses port 22 and again uses the tcp protocol.
# So if we want to allow remote logins (Putty), we would need to allow tcp connections on port 22.
# This is essential when working on remote servers via SSH to prevent locking yourself out of the system.
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
#
#
# Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
#
#
# Allow ping (ICMP echo request, type 8)
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
#
#
# Log iptables denied calls (rate-limited to 5 per minute).
# LOG is a non-terminating target: the packet is logged and then continues on to the default policy set below.
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
#
#
# Set default policies for INPUT, FORWARD and OUTPUT chains
# The -P switch sets the default policy on the specified chain.
# So now we can set the default policy on the INPUT chain to DROP.
# This means that if an incoming packet does not match one of the rules above it will be dropped.
# If we were connecting remotely via SSH and had not added the rule above, we would have just locked ourselves out of the system at this point.
iptables -P INPUT DROP
#
#
# Set the default policy on the FORWARD chain to DROP as we're not using our computer as a router,
# so there should not be any packets passing through our computer.
iptables -P FORWARD DROP
#
#
# Set the default policy on the OUTPUT chain to ACCEPT as we want to allow all outgoing traffic (as we trust our users).
iptables -P OUTPUT ACCEPT
#
#
# Save settings - the last thing we need to do is save our rules so that next time we reboot our computer our rules are automatically reloaded:
# This executes the iptables init script, which runs /sbin/iptables-save and writes the current iptables configuration to /etc/sysconfig/iptables.
# Upon reboot, the iptables init script reapplies the rules saved in /etc/sysconfig/iptables by using the /sbin/iptables-restore command.
/sbin/service iptables save
#
#
# List rules - we can list (-L) the rules we've just added to check they've been loaded correctly. -v means verbose
iptables -L -v
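Added example, not part of the original post and not real iptables: a small Python model of how the INPUT chain in the script above decides a packet's fate (first matching rule wins, LOG does not terminate, the default policy applies when nothing matches). It only models the matches the script uses (-i, -p/--dport, --icmp-type, -m state). The packets and interface names (lo, eth1) are constructed for the example, and `allow_all_on` is a hypothetical switch that adds the questioned `-i eth1 -j ACCEPT` rule so the effect of the two readings can be compared side by side.

```python
# Added example: a toy model of iptables INPUT-chain evaluation. It is not
# iptables and does not touch the kernel; it only reproduces first-match-wins
# plus the default policy for the match types used in the script above.
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Packet:
    iface: str                      # interface the packet arrived on: "lo", "eth0", "eth1"
    proto: str                      # "tcp", "udp" or "icmp"
    dport: Optional[int] = None     # destination port (tcp/udp)
    icmp_type: Optional[int] = None # ICMP type (8 = echo request)
    state: str = "NEW"              # conntrack state: NEW, ESTABLISHED or RELATED


@dataclass
class Rule:
    target: str                         # -j ACCEPT / DROP / LOG
    iface: Optional[str] = None         # -i
    proto: Optional[str] = None         # -p
    dport: Optional[int] = None         # --dport
    icmp_type: Optional[int] = None     # --icmp-type
    states: Optional[Set[str]] = None   # -m state --state

    def matches(self, pkt: Packet) -> bool:
        # Every match option that is set must agree with the packet; unset options match anything.
        return all([
            self.iface is None or self.iface == pkt.iface,
            self.proto is None or self.proto == pkt.proto,
            self.dport is None or self.dport == pkt.dport,
            self.icmp_type is None or self.icmp_type == pkt.icmp_type,
            self.states is None or pkt.state in self.states,
        ])


@dataclass
class Chain:
    policy: str = "ACCEPT"                       # iptables -P
    rules: List[Rule] = field(default_factory=list)

    def append(self, rule: Rule) -> None:        # iptables -A
        self.rules.append(rule)

    def verdict(self, pkt: Packet) -> str:
        for rule in self.rules:                  # rules are walked in the order they were appended
            if rule.matches(pkt):
                if rule.target == "LOG":
                    continue                     # LOG is non-terminating: keep walking the chain
                return rule.target               # first terminating match wins
        return self.policy                       # nothing matched: default policy decides


def build_input_chain(allow_all_on: Optional[str] = None) -> Chain:
    """Rebuild the INPUT chain from the script in the post, in the same order.
    allow_all_on (hypothetical) optionally inserts the questioned
    'iptables -A INPUT -i <iface> -j ACCEPT' right after the loopback rule."""
    chain = Chain(policy="ACCEPT")               # iptables -P INPUT ACCEPT (before the flush)
    chain.append(Rule("ACCEPT", iface="lo"))     # iptables -A INPUT -i lo -j ACCEPT
    if allow_all_on:
        chain.append(Rule("ACCEPT", iface=allow_all_on))
    chain.append(Rule("ACCEPT", states={"ESTABLISHED", "RELATED"}))
    chain.append(Rule("ACCEPT", proto="tcp", dport=22))
    chain.append(Rule("ACCEPT", proto="tcp", dport=80))
    chain.append(Rule("ACCEPT", proto="tcp", dport=443))
    chain.append(Rule("ACCEPT", proto="icmp", icmp_type=8))
    chain.append(Rule("LOG"))                    # logged, then falls through to the policy
    chain.policy = "DROP"                        # iptables -P INPUT DROP (set last, as in the script)
    return chain


# Constructed sample traffic (not captured from any real host).
SAMPLE = {
    "mysql-from-localhost": Packet("lo", "tcp", dport=3306),                          # PHP talking to MySQL locally
    "ssh-from-internet": Packet("eth1", "tcp", dport=22),                             # Putty / WinSCP login
    "mysql-from-internet": Packet("eth1", "tcp", dport=3306),                         # should never be reachable
    "reply-to-outbound-mail": Packet("eth1", "tcp", dport=51234, state="ESTABLISHED"),  # Postfix's outbound session
}


def evaluate(chain: Chain) -> dict:
    """Run every sample packet through the chain and return name -> verdict."""
    return {name: chain.verdict(pkt) for name, pkt in SAMPLE.items()}


if __name__ == "__main__":
    for label, extra in (("script as posted", None), ("plus '-i eth1 -j ACCEPT'", "eth1")):
        print(label)
        for name, verdict in evaluate(build_input_chain(extra)).items():
            print(f"  {name:24s} {verdict}")
```

With the script as posted, the `-i lo` rule only ever sees packets on the loopback interface, so MySQL on 3306 is reachable from localhost but dropped from eth1, while SSH and the established reply still get through. Adding `-i eth1 -j ACCEPT` changes only one verdict, but it is the important one: every packet arriving on the internet-facing interface now matches that rule before the port rules and the DROP policy are ever consulted, which is what the quoted text means by "effectively just disabled our firewall".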