November 2007
Beginner
642 pages
English
You want to build a firewall on a Linux computer that runs no public services: an ordinary PC that may be connected directly to the Internet, or a laptop that travels a lot. You are careful about application-level security and your internal services, but you wisely believe in layered security and want a host firewall as well.
You need to create an iptables script and edit the /etc/sysctl.conf file.
First, copy this iptables script, substituting your own IP addresses and interface names, and make it owned by root with mode 0700. In this recipe we'll call it /usr/local/bin/fw_host:
#!/bin/sh
##/usr/local/bin/fw_host
#iptables firewall script for
#a workstation or laptop
#chkconfig: 2345 01 99

#define variables
ipt="/sbin/iptables"
mod="/sbin/modprobe"

#Flush all rules, delete all chains
$ipt -F
$ipt -X
$ipt -t nat -F
$ipt -t nat -X
$ipt -t mangle -F
$ipt -t mangle -X

#Zero out all counters
$ipt -Z
$ipt -t nat -Z
$ipt -t mangle -Z

#basic set of kernel modules
$mod ip_tables
$mod ip_conntrack
$mod iptable_filter
$mod iptable_nat
$mod iptable_mangle
$mod ipt_LOG
$mod ipt_limit
$mod ipt_state
$mod ipt_MASQUERADE

#optional for irc and ftp
#$mod ip_conntrack_irc
#$mod ip_conntrack_ftp

#Set default policies
#Incoming is deny all,
#outgoing is unrestricted
$ipt -P INPUT DROP
$ipt -P FORWARD DROP
$ipt -P OUTPUT ACCEPT
$ipt -t nat -P OUTPUT ACCEPT
$ipt -t nat -P PREROUTING ACCEPT
$ipt -t nat -P POSTROUTING ACCEPT
$ipt -t ...
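The book's script is cut off above, so here is an added, complete minimal ruleset for the same workstation case. It is example code written for this page, not the book's own script, and it is arranged so it can be reviewed without root: with FW_DRYRUN=1 (or the `show` verb) it prints the iptables commands instead of executing them. Two deliberate departures from the excerpt: the DROP policies are set before the flush, so a script that dies part-way leaves the host closed rather than open, and no modules are modprobed, because iptables loads the match and target modules it needs on demand (the ip_conntrack/ipt_* names above are 2.6-era; current kernels call them nf_conntrack and xt_*, and `-m conntrack --ctstate` replaces `-m state --state`). The path, verbs and the ICMP and log rate limits are choices made for this example.

```shell
#!/bin/sh
# /usr/local/bin/fw_host (example): host firewall for a workstation or laptop.
#   fw_host apply   - install the rules (needs root)
#   fw_host show    - print the iptables commands without running anything
# Assumes a single interface and a host that offers no public services.

IPT="${IPT:-/sbin/iptables}"

# Every rule goes through this wrapper so the whole script can be reviewed
# or tested with FW_DRYRUN=1 on a box where you have no root.
ipt() {
    if [ "${FW_DRYRUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        "$IPT" "$@"
    fi
}

fw_apply() {
    # Fail closed: policies first, then flush. If the script dies after the
    # flush, the host is left with nothing open instead of everything open.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Flush rules and user chains in every table, and zero the counters
    for t in filter nat mangle; do
        ipt -t "$t" -F
        ipt -t "$t" -X
        ipt -t "$t" -Z
    done

    # Loopback is trusted; local services talk to themselves over it
    ipt -A INPUT -i lo -j ACCEPT

    # Packets conntrack cannot place in any flow are almost always bogus
    ipt -A INPUT -m conntrack --ctstate INVALID -j DROP

    # Replies to connections this host opened (and related ones, e.g. FTP data)
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Answer pings, but not floods
    ipt -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

    # Log what is about to be dropped, rate-limited so a scan cannot fill /var/log
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw_host DROP: "
    ipt -A INPUT -j DROP
}

case "${1:-}" in
    apply) fw_apply ;;
    show)  FW_DRYRUN=1; fw_apply ;;
    "")    ;;   # no verb: define functions only (lets the file be sourced)
    *)     echo "usage: $0 apply|show" >&2; exit 2 ;;
esac
```

Run `fw_host show` first and read the output top to bottom: the order matters, because the ESTABLISHED,RELATED accept must come before the LOG and DROP rules or every reply packet is logged and discarded. The page does not show which /etc/sysctl.conf settings the recipe goes on to change, so none are included here.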