[TriLUG] IPTables help

Tanner Lovelace lovelace at wayfarer.org
Mon Sep 16 14:33:47 EDT 2002


Hi folks,

I'm sure some of you out there are iptables experts. :-)

Right now the trilug machines are using ipchains based firewall
setups.  We would really prefer to switch these to iptables,
primarily because of the added benefits that come with 
connection tracking.  Unfortunately, it doesn't seem to be
a simple subject to figure out.  It doesn't help that every 
single example you can find on the net assumes you're either
acting as a router (forwarding) or doing NAT (neither of
which we want to do).  So, I'm coming to the list for help
instead.

So, here's what we want to do.

1. We have an internal network on eth1 that is trusted.  Everything
   on that network should be just accepted.
2. Anything part of a connection that we originated should be 
   accepted.
3. Certain services (e.g. http, ftp, dns, mail, kerberos, ldap, etc.)
   should be accepted.
4. Most everything else should be dropped (and optionally logged).

This sounds like it should be easy.  Can anyone provide me
with an easy, well commented, example that I can use with the
standard redhat 7.3 iptables script?

Thanks in advance,
Tanner Lovelace
-- 
Tanner Lovelace | lovelace at wayfarer.org | http://wtl.wayfarer.org/
--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--
GPG Fingerprint = A66C 8660 924F 5F8C 71DA  BDD0 CE09 4F8E DE76 39D4
GPG Key can be found at http://wtl.wayfarer.org/lovelace.gpg.asc
--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--
          Si hoc legere scis, nimium eruditionis habes.
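One way to meet the four requirements in the post on a host that neither routes nor NATs, written as an added example (this is not code from the original message or from the TriLUG machines). It assumes eth1 is the trusted internal interface named in the post, that ssh (22), smtp (25), https (443) and kerberos/ldap on their standard ports (88 tcp/udp, 389 tcp) are among the "etc." services, and that the 2.4-era `-m state` match and `ip_conntrack_ftp` module are available, as they were on Red Hat 7.3. Setting `IPT=echo` prints the rules instead of applying them, which is how the example can be checked without root.

```shell
#!/bin/sh
# Added example: host firewall (no forwarding, no NAT) for the four
# requirements in the post.  Not from the original message.
# Assumptions: eth1 = trusted internal network; service list below is a
# guess at the post's "etc."; IPT/MODPROBE paths are Red Hat 7.3 defaults.
# Run as root: sh firewall.sh start | stop.  Dry run: IPT=echo sh firewall.sh start

IPT="${IPT:-/sbin/iptables}"
MODPROBE="${MODPROBE:-/sbin/modprobe}"
LAN_IF="${LAN_IF:-eth1}"

# Requirement 3: publicly offered services (assumed list, see lead-in).
TCP_SERVICES="21 22 25 53 80 88 389 443"   # ftp ssh smtp dns http kerberos ldap https
UDP_SERVICES="53 88"                        # dns kerberos

firewall_start() {
    # FTP data connections (active or passive) only match RELATED below
    # if the FTP connection-tracking helper is loaded.
    $MODPROBE ip_conntrack_ftp 2>/dev/null || true

    # Clean slate in the filter table; nat/mangle are untouched because
    # this host does not route or NAT.
    $IPT -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Local traffic over loopback is always fine.
    $IPT -A INPUT -i lo -j ACCEPT

    # Requirement 1: everything from the trusted internal interface.
    $IPT -A INPUT -i "$LAN_IF" -j ACCEPT

    # Requirement 2: replies to connections this host originated, plus
    # RELATED traffic (FTP data, ICMP errors).  OUTPUT is ACCEPT, so the
    # outgoing side needs no rule.  Placed early: most packets hit it.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Requirement 3: only the first packet of a new connection needs a
    # per-service rule; the rest of the connection is handled above.
    for p in $TCP_SERVICES; do
        $IPT -A INPUT -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done
    for p in $UDP_SERVICES; do
        $IPT -A INPUT -p udp --dport "$p" -j ACCEPT
    done

    # Ping, rate-limited so it cannot be used to flood the host.
    $IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT

    # Requirement 4: log (rate-limited so an attacker cannot fill the
    # disk with syslog entries) and drop everything else.
    $IPT -A INPUT -m limit --limit 3/min --limit-burst 10 \
        -j LOG --log-prefix "iptables drop: "
    $IPT -A INPUT -j DROP
}

firewall_stop() {
    # Open the host back up: flush rules and reset policies to ACCEPT.
    $IPT -F
    $IPT -X
    $IPT -P INPUT ACCEPT
    $IPT -P FORWARD ACCEPT
    $IPT -P OUTPUT ACCEPT
}

case "${1:-}" in
    start) firewall_start ;;
    stop)  firewall_stop ;;
esac
```

Rule order matters: the ESTABLISHED,RELATED rule sits before the service rules so that established flows are accepted in one match, and the per-service rules only ever see the opening packet. The Red Hat init script loads its rules from /etc/sysconfig/iptables in iptables-save format, so after running this once as root, `service iptables save` captures the live ruleset there and the standard script restores it at boot. If you apply this over ssh from outside the trusted network, port 22 must stay in TCP_SERVICES or the DROP policy will lock you out as soon as the rules are flushed.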