Here’s how to set up the firewall. Here’s my /etc/iptables.rules:
*filter
:INPUT ACCEPT [273:55355]
:FORWARD ACCEPT [0:0]
# User-defined chain: log (rate-limited) and then drop.
:LOGNDROP - [0:0]
:OUTPUT ACCEPT [92376:20668252]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Accept SSH so we can manage the VM
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
# Allow ping (Zenoss uses it to see if you're up).
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# Allow SNMP.
-A INPUT -p udp -s 0/0 --sport 1024:65535 --dport 161:162 -j ACCEPT
# Silently block NetBIOS because we don't want to hear about Windows
-A INPUT -p udp --dport 137:139 -j DROP
-A INPUT -j LOGNDROP
# Drop and log the rest.
-A LOGNDROP -p tcp -m limit --limit 5/min -j LOG --log-prefix "Denied TCP: " --log-level 7
-A LOGNDROP -p udp -m limit --limit 5/min -j LOG --log-prefix "Denied UDP: " --log-level 7
-A LOGNDROP -p icmp -m limit --limit 5/min -j LOG --log-prefix "Denied ICMP: " --log-level 7
-A LOGNDROP -j DROP
COMMIT
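To sanity-check what this ruleset does before loading it, here is an added Python example (not from the post) that parses the -A lines above and walks the INPUT and LOGNDROP chains for a constructed packet, returning the terminal verdict and whether a LOG rule fired. The RULES string is a constructed copy of the file's rules without counters, and the packet dictionary fields (iface, proto, sport, dport, state, icmp_type) are an assumed representation.

```python
import shlex

# Constructed copy of the INPUT and LOGNDROP rules from the file above (no counters/policies).
RULES = """
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p udp -s 0/0 --sport 1024:65535 --dport 161:162 -j ACCEPT
-A INPUT -p udp --dport 137:139 -j DROP
-A INPUT -j LOGNDROP
-A LOGNDROP -p tcp -m limit --limit 5/min -j LOG --log-prefix "Denied TCP: " --log-level 7
-A LOGNDROP -p udp -m limit --limit 5/min -j LOG --log-prefix "Denied UDP: " --log-level 7
-A LOGNDROP -p icmp -m limit --limit 5/min -j LOG --log-prefix "Denied ICMP: " --log-level 7
-A LOGNDROP -j DROP
"""

def parse(text):
    chains = {}
    for line in text.strip().splitlines():
        toks = shlex.split(line)
        opts = dict(zip(toks[0::2], toks[1::2]))  # every option in this file takes one value
        chains.setdefault(opts.pop("-A"), []).append(opts)
    return chains

def in_range(spec, port):
    lo, _, hi = spec.partition(":")  # "22" or "1024:65535"
    return int(lo) <= port <= int(hi or lo)

# Match predicates for the options that decide a verdict; -m, -s 0/0, --limit and LOG options are ignored.
CHECKS = {
    "-i": lambda v, p: v == p.get("iface"),
    "-p": lambda v, p: v == p["proto"],
    "--dport": lambda v, p: in_range(v, p.get("dport", 0)),
    "--sport": lambda v, p: in_range(v, p.get("sport", 0)),
    "--icmp-type": lambda v, p: v == p.get("icmp_type"),
    "--state": lambda v, p: p.get("state", "NEW") in v.split(","),
}

def verdict(pkt, chain="INPUT", policy="ACCEPT"):
    """Return (terminal verdict, whether a LOG rule fired) for a packet on the INPUT path."""
    chains, logged = parse(RULES), False
    def walk(name):
        nonlocal logged
        for rule in chains.get(name, []):
            if not all(f(rule[k], pkt) for k, f in CHECKS.items() if k in rule): continue
            if rule["-j"] == "LOG":
                logged = True  # LOG is non-terminating: keep walking the chain
            elif rule["-j"] in ("ACCEPT", "DROP", "REJECT"):
                return rule["-j"]
            elif (res := walk(rule["-j"])):  # user chain; None means it fell through
                return res
    return (walk(chain) or policy, logged)
```

With these rules SSH arriving on any interface other than eth0 is logged and dropped, while NetBIOS is dropped without a log line, which is exactly the asymmetry the comments describe.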