unstable.nl's iptables firewall

When it comes to firewalls there are two basic approaches: mostly open and mostly closed. The first approach is easier: you only block the things you know to be dangerous, such as the NFS ports and the Samba/Windows file sharing ports, and let everything else through. It is also less safe, because any service you forgot about, or any new one that gets started later, is reachable from the network by default.

I chose to go with the mostly closed approach: everything on the public ethernet interface is blocked, except the few services that are actually needed. I also enabled a few port forwardings so that P2P and Gnome/Netmeeting work.

Some people believe it is better to hide as much information as you can so that it cannot be abused by attackers; I don't believe in this ''security by obscurity''. So here it is: the iptables script. Do chmod +x firewall and let it run on startup. Note that it requires certain kernel options (e.g. netfilter/iptables support), and you also need the iptables binary; get it from your distribution.


http://iptables-script.dk/index1.php - I started out with a script generated by this site.
http://www.hackinglinuxexposed.com/articles/20030703.html - I added some suggestions from this article, most notably the rules that allow SYN and ACK packets.
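To make the "mostly closed" approach concrete, here is an added example script written for this page; it is not the unstable.nl firewall script linked above, nor the generated script from either referenced site. It sets a DROP policy on INPUT and FORWARD, accepts loopback and replies to connections the host started (via connection tracking, which is the modern replacement for matching SYN/ACK flags by hand), opens only a short list of TCP services on the public interface, and forwards one P2P port to a LAN host. The interface names eth0/eth1, the subnet 192.168.1.0/24, the host 192.168.1.10 and the port 6881 are placeholders, not values from the page. Without an argument the script only prints the rules; with apply it loads them (root and the netfilter, conntrack and nat modules required).

```shell
#!/bin/sh
# Default-deny ("mostly closed") iptables script, added as an illustration.
# NOT the unstable.nl script; interface names, subnet, host and port below are
# assumed placeholders.
#   dry run (prints rules):   sh firewall.sh
#   load rules (needs root):  sh firewall.sh apply
set -u

IPT="${IPT:-iptables}"
SYSCTL="${SYSCTL:-sysctl}"
PUB_IF="${PUB_IF:-eth0}"                 # public (internet-facing) interface
LAN_IF="${LAN_IF:-eth1}"                 # internal interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"     # internal subnet
P2P_HOST="${P2P_HOST:-192.168.1.10}"     # LAN box that receives forwarded P2P traffic
P2P_PORT="${P2P_PORT:-6881}"             # TCP port forwarded to P2P_HOST
TCP_SERVICES="${TCP_SERVICES:-22 80}"    # the few services exposed on PUB_IF

fw_flush() {
    # Start from a clean slate in every table so rerunning the script is idempotent.
    for t in filter nat mangle; do
        $IPT -t "$t" -F
        $IPT -t "$t" -X
    done
}

fw_policy() {
    # Default deny: anything not explicitly accepted below is dropped.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
}

fw_input() {
    $IPT -A INPUT -i lo -j ACCEPT
    # Replies to connections this host started: the "allow ACK packets" idea,
    # done with connection tracking instead of matching TCP flags by hand.
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
    # Anti-spoofing: private source addresses never arrive legitimately on PUB_IF.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8; do
        $IPT -A INPUT -i "$PUB_IF" -s "$net" -j DROP
    done
    # Trust the LAN side; on the public side accept only new connections to listed services.
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    for p in $TCP_SERVICES; do
        $IPT -A INPUT -i "$PUB_IF" -p tcp --syn --dport "$p" -j ACCEPT
    done
    $IPT -A INPUT -i "$PUB_IF" -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
    # Rate-limited log before the policy drop, so a flood cannot fill the log.
    $IPT -A INPUT -m limit --limit 3/min -j LOG --log-prefix "fw-drop: "
}

fw_forward() {
    $SYSCTL -w net.ipv4.ip_forward=1
    # LAN -> internet with NAT, plus the return traffic.
    $IPT -t nat -A POSTROUTING -o "$PUB_IF" -s "$LAN_NET" -j MASQUERADE
    $IPT -A FORWARD -i "$LAN_IF" -o "$PUB_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Port forwarding: DNAT rewrites the destination, but with a DROP policy on
    # FORWARD the rewritten packet still needs its own ACCEPT (a common omission).
    $IPT -t nat -A PREROUTING -i "$PUB_IF" -p tcp --dport "$P2P_PORT" \
        -j DNAT --to-destination "$P2P_HOST:$P2P_PORT"
    $IPT -A FORWARD -i "$PUB_IF" -o "$LAN_IF" -p tcp -d "$P2P_HOST" --dport "$P2P_PORT" \
        -m conntrack --ctstate NEW -j ACCEPT
}

fw_apply() {
    fw_flush
    fw_policy
    fw_input
    fw_forward
}

# Without "apply" only print the rules, so the script can be reviewed safely.
case "${1:-}" in
    apply) fw_apply ;;
    *) IPT=echo; SYSCTL=echo; fw_apply ;;
esac
```

Review the dry-run output before loading it over a remote login: the flush runs while the DROP policy is in place, so add the ESTABLISHED,RELATED rule as early as the script does, and keep a console or a scheduled fallback (for example a cron job that resets the policies to ACCEPT) the first time you test it on a machine you cannot reach physically.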