2.14.1 ProblemYou want to run a specific set of services on your machine, accessible to the outside world. All other services should be rejected and logged. Internally, however, local users can access all services. 2.14.2 SolutionSuppose your services are www, ssh, and smtp. For iptables : # iptables -F INPUT # iptables -A INPUT -i lo -j ACCEPT # iptables -A INPUT -m multiport -p tcp --dport www,ssh,smtp -j ACCEPT # iptables -A INPUT -j LOG -m limit # iptables -A INPUT -j REJECT For ipchains: # ipchains -F input # ipchains -A input -i lo -j ACCEPT # ipchains -A input -p tcp --dport www -j ACCEPT # ipchains -A input -p tcp --dport ssh -j ACCEPT # ipchains -A input -p tcp --dport smtp -j ACCEPT # ipchains -A input -l -j REJECT 2.14.3 DiscussionLocal connections from your own host arrive via the loopback interface. 2.14.4 See Alsoiptables(8), ipchains(8). |