[TriLUG] IPTables help (long)
Tue, 17 Sep 2002 17:25:28 -0500 (CDT)
On 17 Sep 2002, Tanner Lovelace wrote:
>Hey cool! Thanks very much for all the explanations.
>I have three questions, though.
>You have this rule on the nonew chain:
>> # New connections are okay on eth1 only
>> iptables -A nonew -m state --state NEW -i eth1 -j RETURN
>And then have this on the INPUT chain:
>> # Anything on eth1 OK
>> iptables -A INPUT -i eth1 -j ACCEPT
>Are these redundant? I think I would prefer the second
>one so as to keep the nonew chain clean and to just
>make it very explicit that eth1 is a trusted network.
The ordering does appear to make the rules redundant.
>> # Allow SSH to this box from $company NAT address
>> iptables -A INPUT -i eth0 -s [IP address elided] -p tcp --dport 22 -j ACCEPT
>Second question. I assume I can just remove the -s [ip address]
>from the ssh and allow ssh connections from anywhere?
Yes, that should work.
>> # [These next rules are not in my script, but you will need them]
>> # [One for each allowed server, as many as you like]
>> iptables -A INPUT -i eth0 -p tcp --dport [insert port here] -j ACCEPT
>> iptables -A INPUT -i eth0 -p udp --dport [insert port here] -j ACCEPT
>> # [End of custom rules for TriLUG]
>And, finally, is there anything else I need to do to support
>an ftp server setup? I seem to remember seeing a special module
>for that (and for irc too). Can you talk a bit about those modules?
The modules I think you are referring to are ip_conntrack and
ip_conntrack_ftp. I don't know of one for IRC. They are connection
tracking gizmos. Someone else can write about that since I think I don't
have a complete understanding.
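As an added example that is not part of the thread, the following script sketches an INPUT ruleset in the spirit of the rules quoted above, with the ordering question answered by construction: the blanket ACCEPT for the trusted interface sits before everything else, so a per-interface RETURN in a separate "nonew" chain would never see that traffic and can be dropped. It also loads the FTP connection-tracking helper so the FTP data channel is classified as RELATED and passes the ESTABLISHED,RELATED rule. The interface names eth0/eth1, the control port 21 and the TRUSTED_IF/WAN_IF/APPLY variables are assumptions; ip_conntrack_ftp is the 2.4-era module name used in the thread, and kernels from 2.6.20 on call it nf_conntrack_ftp. The script prints the commands instead of running them unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the thread: a small INPUT ruleset with the FTP
# connection-tracking helper enabled. Interface names and the FTP control
# port are assumptions. Dry-run by default: commands are printed, not
# executed. Run as root with APPLY=1 to apply them for real.
IPT="${IPT:-echo iptables}"
MODPROBE="${MODPROBE:-echo modprobe}"
if [ "${APPLY:-0}" = "1" ]; then IPT=iptables; MODPROBE=modprobe; fi
TRUSTED_IF="${TRUSTED_IF:-eth1}"   # assumed LAN-side interface
WAN_IF="${WAN_IF:-eth0}"           # assumed Internet-facing interface

# Load the FTP helper so the data connection is tracked as RELATED.
# nf_conntrack_ftp is the modern name; ip_conntrack_ftp is the 2.4-era
# name used in the thread, tried as a fallback.
enable_ftp_helper() {
    $MODPROBE nf_conntrack_ftp || $MODPROBE ip_conntrack_ftp
    # Kernels 4.7 and later no longer attach helpers automatically; the
    # control connection must be tagged in the raw table. Drop this line
    # on kernels that predate the CT target.
    $IPT -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp
}

# Emit the INPUT chain, one iptables invocation per line. Order matters:
# the trusted-interface accept comes before the per-service rules, so a
# later per-interface RETURN in a "nonew" chain would be redundant here.
build_rules() {
    $IPT -P INPUT DROP
    $IPT -F INPUT
    $IPT -A INPUT -i lo -j ACCEPT
    # Replies, and helper-tracked FTP data connections, are ESTABLISHED/RELATED.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Everything arriving on the trusted interface is accepted.
    $IPT -A INPUT -i "$TRUSTED_IF" -j ACCEPT
    # Services exposed on the WAN side; SSH has no -s restriction, as asked.
    $IPT -A INPUT -i "$WAN_IF" -p tcp --dport 22 -j ACCEPT
    $IPT -A INPUT -i "$WAN_IF" -p tcp --dport 21 -j ACCEPT
    # Any other attempt to open a new connection is logged, then dropped.
    $IPT -A INPUT -m state --state NEW -j LOG --log-prefix "INPUT-DROP: "
    $IPT -A INPUT -j DROP
}

enable_ftp_helper
build_rules
```

Running it without APPLY prints the nine INPUT commands and the helper setup in order, which is a convenient way to review a ruleset before touching a remote box; `-m state` is kept to match the thread's rules, although current iptables spells the same match `-m conntrack --ctstate`.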