[TriLUG] IPTables help (long)
Tanner Lovelace
lovelace at wayfarer.org
Tue Sep 17 16:40:13 EDT 2002
On Tue, 2002-09-17 at 12:34, Corey Mutter wrote:
> This is rather long, but will get you the relevant parts of the
> iptables script my firewall uses. I'll also throw in some
> explication in bracketed comments. I don't know about the RedHat init
> scripts' use of iptables... this machine is really bare-bones, and so
> it just runs this script. It has a NATed subnet behind it, but I will
> leave all that stuff out...
Hey cool! Thanks very much for all the explanations.
I have three questions, though.
You have this rule on the nonew chain:
> # New connections are okay on eth1 only
> iptables -A nonew -m state --state NEW -i eth1 -j RETURN
And then have this on the INPUT chain:
> # Anything on eth1 OK
> iptables -A INPUT -i eth1 -j ACCEPT
Are these redundant? I think I would prefer the second
one so as to keep the nonew chain clean and to just
make it very explicit that eth1 is a trusted network.
> # Allow SSH to this box from $company NAT address
> iptables -A INPUT -i eth0 -s [IP address elided] -p tcp --dport 22 -j ACCEPT
Second question. I assume I can just remove the -s [ip address]
from the ssh and allow ssh connections from anywhere?
> # [These next rules are not in my script, but you will need them]
> # [One for each allowed server, as many as you like]
> iptables -A INPUT -i eth0 -p tcp --dport [insert port here] -j ACCEPT
> iptables -A INPUT -i eth0 -p udp --dport [insert port here] -j ACCEPT
> # [End of custom rules for TriLUG]
And, finally, is there anything else I need to do to support
an ftp server setup? I seem to remember seeing a special module
for that (and for irc too). Can you talk a bit about those modules?
Thanks much!
Tanner
--
Tanner Lovelace | lovelace at wayfarer.org | http://wtl.wayfarer.org/
--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--
GPG Fingerprint = A66C 8660 924F 5F8C 71DA BDD0 CE09 4F8E DE76 39D4
GPG Key can be found at http://wtl.wayfarer.org/lovelace.gpg.asc
--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--
If you can read this, you have too much education.
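To tie the three questions together, here is a small ruleset in the style of Corey's script; it is an added example written for this page, not Corey's or Tanner's own script. The interface names, the nonew chain layout, the port numbers and the helper module name are assumptions; with DRY_RUN=1 it only collects the rules for inspection instead of calling iptables, which would need root.

```shell
#!/bin/sh
# Added example (not from the thread). Run with DRY_RUN=1 to print the rules.
set -e

IPT="${IPT:-iptables}"
LAN=eth1          # assumed trusted interface
WAN=eth0          # assumed untrusted interface
RULES=""          # every rule issued, one per line, kept for dry-run review

# Wrapper: record the rule, and apply it unless DRY_RUN is set.
ipt() {
    RULES="${RULES}${IPT} $*
"
    [ -n "$DRY_RUN" ] || $IPT "$@"
}

# True if some recorded rule contains the given fragment.
has_rule() { printf '%s' "$RULES" | grep -q -- "$1"; }

build_rules() {
    RULES=""
    # Q3: the FTP connection-tracking helper watches the control channel and
    # marks the negotiated data connection as RELATED, so one RELATED rule
    # covers it. 2.4-era kernels named the module ip_conntrack_ftp; the
    # nf_conntrack_ftp name is assumed here for current kernels.
    [ -n "$DRY_RUN" ] || modprobe nf_conntrack_ftp

    ipt -P INPUT DROP
    ipt -N nonew
    # Q1: accepting the trusted LAN on INPUT first means eth1 traffic never
    # reaches nonew, so the "NEW on eth1 -> RETURN" rule there is redundant
    # and is left out of the chain entirely.
    ipt -A INPUT -i "$LAN" -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Q2: SSH from anywhere: drop the -s match but keep -i and --dport so the
    # rule opens only 22/tcp on the WAN side.
    ipt -A INPUT -i "$WAN" -p tcp --dport 22 -j ACCEPT
    # Q3: FTP control channel on 21/tcp; data channels arrive as RELATED.
    ipt -A INPUT -i "$WAN" -p tcp --dport 21 -j ACCEPT
    # Whatever is still NEW at this point is unsolicited and gets dropped.
    ipt -A INPUT -j nonew
    ipt -A nonew -m state --state NEW -j DROP
    ipt -A nonew -j RETURN
}

if [ -n "$DRY_RUN" ]; then build_rules; printf '%s' "$RULES"; fi
```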