RE: Iptables

This helps a bit, but still way out of my league - there is a lot of stuff
to remember. In the many sites, including the one you list below, they talk
of various configurations before ever getting to the rules - is this
necessary?

i.e.

INET_IP="194.236.50.155"
INET_IFACE="eth0"
INET_BROADCAST="194.236.50.255"

LAN_IP="192.168.0.2"
LAN_IP_RANGE="192.168.0.0/16"
LAN_IFACE="eth1"

Then a bunch of modules are loaded....

Are <if_lan>, <net_lan> and <if_inet> reserved commands or do I need to put
something in here. I am assuming these are variables and tie in with the
above - not sure though.

Note: All the other LAN clients have access to the internet via the Linksys
router as does the Linux box. The router is my gateway....

One last thing. Is there a way to block an entire domain, i.e. domain.com, or
an entire IP block, i.e. 24.168.1.0/24?

Thanks

> -----Original Message-----
> From: Rob Sterenborg [mailto:rob@xxxxxxxxxxxxxxx] 
> Sent: September 28, 2004 1:25 AM
> To: 'Contact'; netfilter@xxxxxxxxxxxxxxxxxxxx
> Subject: RE: Iptables 
> 
> netfilter-bounces@xxxxxxxxxxxxxxxxxxx wrote:
> > Hi,
> > 
> > I'm new to iptables and having a problem grasping the concept as well
> > as the syntax. I have read a lot of sites on this but just not getting
> > it. First - running rules. From what I can gather I need to have an
> > rc.firewall file with the various rules and such in it - and
> 
> The filename depends on your system and/or what you define to 
> be a startup script.
> 
> > have this started at boot. Am I close?  Second - the syntax. I want to
> > be able to allow my local LAN full access to the Linux box (Slackware
> > 10). I also have a website which I want to allow everyone
> 
> Ah. Slack. Yes, if you put a rc.firewall file in /etc/rc.d 
> and do a "chmod 700 rc.firewall" there, it will start at boot 
> (if I read rc.inet2 correctly).
> 
> > - except for a few domains and IP's, SSH which I want to allow only
> > certain IP's or domains, and Samba which I want to allow only my local
> > LAN. This is where I'm really confused putting this all together. If
> > someone could explain this in plain english - or put me on to a really
> > easy iptables for dummies type site, it would be appreciated.
> > 
> > This box is behind a Linksys router and does not act as a
> > NAT. It is just a simple little setup on a p166.
> 
> Okay. You want to close your box as much as possible :
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT ACCEPT # because in the beginning it will cause \
>                           # you headaches if you DROP this
> 
> Next, allow related and established connections :
> iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> 
> Allow full access from LAN :
> iptables -A INPUT -i <if_lan> -s <net_lan> -j ACCEPT
> 
> Allow access to website (running on the firewall box I assume) :
> iptables -A INPUT -i <if_inet> -s <ip_to_deny> -p tcp --dport 80 \
>          -j DROP
> ...Repeat for any disallowed host...
> iptables -A INPUT -i <if_inet> -p tcp --dport 80 -j ACCEPT
> 
> Allow access to SSH :
> iptables -A INPUT -i <if_inet> -s <ip_allowed_host> -p tcp \
>          --dport 22 -j ACCEPT
> ...Repeat for any allowed host...
> 
> You already opened up your box for your LAN. That includes 
> Samba so you don't need a rule for this.
> 
> Do you also want internet access for your LAN clients ?
> iptables -A FORWARD -i <if_lan> -o <if_inet> -s <net_lan> \
>          -j ACCEPT
> iptables -t nat -A POSTROUTING -o <if_inet> -s <net_lan> \
>          -j SNAT --to-source <ip_inet>
> 
> 
> A good reading site includes Oskar's :
> http://iptables-tutorial.frozentux.net/iptables-tutorial.html
> 
> 
> Gr,
> Rob
> 
> 

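To tie Rob's skeleton back to the questions above, here is a complete /etc/rc.d/rc.firewall for the setup the thread describes: one NIC behind a Linksys router that already does the NAT, so the box forwards nothing and needs no FORWARD or SNAT rules. This is an added example, not code from the thread or from the tutorial Rob links. The <if_lan>, <net_lan> and <if_inet> tokens in Rob's rules are not iptables keywords, only placeholders; here they become plain shell variables, and the "repeat for each host" steps become loops over space-separated lists. The interface name, the LAN range and every address in the deny/allow lists are assumed sample values; one rule Rob's skeleton omits, accepting loopback, is added because local services break as soon as INPUT defaults to DROP.

```shell
#!/bin/sh
# /etc/rc.d/rc.firewall  (added example; chmod 700 so Slackware's rc.inet2 runs it)
#
# Topology assumed here, as in the thread: a single NIC behind a Linksys
# router that does the NAT. This box forwards nothing, so only INPUT matters.

IPT="${IPT:-/usr/sbin/iptables}"   # override with IPT=echo to print rules instead

IFACE="eth0"                       # assumed: the box's one interface
LAN_NET="192.168.1.0/24"           # assumed: Linksys default LAN, adjust to yours

# Sources denied access to the web server. A CIDR block works directly.
WEB_DENY="24.168.1.0/24 203.0.113.7"        # sample values

# Sources outside the LAN allowed to reach SSH (the LAN rule already covers LAN).
SSH_ALLOW="198.51.100.20"                   # sample value

fw_start() {
    # Start from a clean slate so re-running the script does not stack duplicates.
    $IPT -F INPUT
    $IPT -F FORWARD
    $IPT -F OUTPUT

    # Default-deny inbound and forwarded traffic; leave outbound open for now.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback must stay open: local daemons talk to 127.0.0.1 and would
    # otherwise be silently dropped by the INPUT policy.
    $IPT -A INPUT -i lo -j ACCEPT

    # Replies to connections this box itself opened.
    $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    # Full access from the LAN (covers Samba, SSH and the web server at once).
    $IPT -A INPUT -i "$IFACE" -s "$LAN_NET" -j ACCEPT

    # Web server: the deny list must come BEFORE the catch-all accept,
    # because iptables takes the first matching rule.
    for src in $WEB_DENY; do
        $IPT -A INPUT -i "$IFACE" -s "$src" -p tcp --dport 80 -j DROP
    done
    $IPT -A INPUT -i "$IFACE" -p tcp --dport 80 -j ACCEPT

    # SSH: only listed sources; everyone else falls through to the DROP policy.
    for src in $SSH_ALLOW; do
        $IPT -A INPUT -i "$IFACE" -s "$src" -p tcp --dport 22 -j ACCEPT
    done
}

fw_stop() {
    # Open everything back up (handy while testing over a remote shell).
    $IPT -P INPUT ACCEPT
    $IPT -P FORWARD ACCEPT
    $IPT -P OUTPUT ACCEPT
    $IPT -F
}

case "$1" in
    start)   fw_start ;;
    stop)    fw_stop ;;
    restart) fw_stop; fw_start ;;
    *)       echo "Usage: $0 {start|stop|restart}" >&2 ;;
esac
```

Run it as `rc.firewall start` (Slackware's rc.inet2 calls it with `start` when the file is executable; check your own rc.inet2), and use `IPT=echo ./rc.firewall start` to print the rules it would load without touching the kernel. On the last question in the message above: an address block is blocked by giving the CIDR to `-s`, exactly as the deny list does; a bare domain name cannot be blocked this way, because iptables resolves a hostname given to `-s` once, into whatever A records it has at the moment the rule is loaded, and never looks it up again.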