[TriLUG] IPTables help (long)

Tanner Lovelace lovelace at wayfarer.org
Tue Sep 17 16:40:13 EDT 2002


On Tue, 2002-09-17 at 12:34, Corey Mutter wrote:
> This is rather long, but will get you the relevant parts of the
> iptables script my firewall uses. I'll also throw in some
> explication in bracketed comments. I don't know about the RedHat init
> scripts' use of iptables... this machine is really bare-bones, and so
> it just runs this script. It has a NATed subnet behind it, but I will 
> leave all that stuff out...

Hey cool!  Thanks very much for all the explanations.
I have three questions, though.
 
You have this rule on the nonew chain:

> # New connections are okay on eth1 only
> iptables -A nonew -m state --state NEW -i eth1 -j RETURN

And then have this on the INPUT chain:

> # Anything on eth1 OK
> iptables -A INPUT -i eth1 -j ACCEPT

Are these redundant?  I think I would prefer the second 
one so as to keep the nonew chain clean and to just
make it very explicit that eth1 is a trusted network.

> # Allow SSH to this box from $company NAT address
> iptables -A INPUT -i eth0 -s [IP address elided] -p tcp --dport 22 -j ACCEPT

Second question.  I assume I can just remove the -s [ip address]
from the ssh and allow ssh connections from anywhere?

> # [These next rules are not in my script, but you will need them]
> # [One for each allowed server, as many as you like]
> iptables -A INPUT -i eth0 -p tcp --dport [insert port here] -j ACCEPT
> iptables -A INPUT -i eth0 -p udp --dport [insert port here] -j ACCEPT
> # [End of custom rules for TriLUG]

And, finally, is there anything else I need to do to support
an ftp server setup?  I seem to remember seeing a special module
for that (and for irc too).  Can you talk a bit about those modules?

Thanks much!
Tanner
-- 
Tanner Lovelace | lovelace at wayfarer.org | http://wtl.wayfarer.org/
--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--
GPG Fingerprint = A66C 8660 924F 5F8C 71DA  BDD0 CE09 4F8E DE76 39D4
GPG Key can be found at http://wtl.wayfarer.org/lovelace.gpg.asc
--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--
          Si hoc legere scis, nimium eruditionis habes.
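The three questions above (whether the eth1 rule in the "nonew" chain is redundant once INPUT accepts everything on eth1, what happens when the -s source restriction is dropped from the SSH rule, and what the FTP/IRC helper modules do) can be answered with one small stateful ruleset. The script below is an added example written for this page; it is not Corey's firewall script and is not code from the thread. It assumes eth0 is the Internet side and eth1 the trusted LAN, that the box runs its own FTP server on port 21, and it uses the current kernel module names (nf_conntrack_ftp, nf_nat_ftp, nf_conntrack_irc; the 2.4-era names quoted in the thread were ip_conntrack_ftp, ip_nat_ftp and ip_conntrack_irc). IPT and MODPROBE default to "echo ..." so the rules can be printed and inspected without root.

```shell
#!/bin/sh
# Added example, not from the original thread. A stateful INPUT policy for a
# two-interface firewall: eth0 = Internet (assumed), eth1 = trusted LAN (assumed).
# IPT/MODPROBE default to a dry run that prints the commands; set
# IPT=/sbin/iptables MODPROBE=/sbin/modprobe to apply them for real.
IPT="${IPT:-echo iptables}"
MODPROBE="${MODPROBE:-echo modprobe}"

WAN=eth0
LAN=eth1
# Source allowed to open SSH. 0.0.0.0/0 is "anywhere", i.e. the effect of
# removing "-s <address>" from the quoted rule. Narrow it if you can.
SSH_SRC="${SSH_SRC:-0.0.0.0/0}"

# Connection-tracking helpers. The FTP helper watches the port-21 control
# channel for PORT/PASV exchanges and marks the resulting data connection
# RELATED, so a single RELATED rule admits it. The IRC helper does the same
# for DCC. nf_nat_* is only needed when the tracked traffic is NATed.
load_helpers() {
    for m in nf_conntrack_ftp nf_nat_ftp nf_conntrack_irc; do
        $MODPROBE "$m"
    done
}

build_rules() {
    $IPT -F INPUT
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    $IPT -A INPUT -i lo -j ACCEPT
    # One rule replaces the per-interface RETURN in a "nonew" chain: every
    # packet belonging to a tracked connection, or RELATED to one (FTP data,
    # ICMP errors), is accepted regardless of interface.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Trust the LAN explicitly, in one place. Because the rule above already
    # passes the non-NEW traffic, this is the only eth1 rule needed.
    $IPT -A INPUT -i "$LAN" -j ACCEPT
    # Only NEW connections need the service rules; the rest of each session
    # matches the ESTABLISHED rule above.
    $IPT -A INPUT -i "$WAN" -s "$SSH_SRC" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    # FTP: open the control channel only; the data channel arrives as RELATED
    # once the helper is attached to port 21.
    $IPT -A INPUT -i "$WAN" -p tcp --dport 21 -m state --state NEW -j ACCEPT
    # Kernels from 4.7 on no longer attach helpers automatically, so bind the
    # ftp helper to the control port in the raw table.
    $IPT -t raw -A PREROUTING -i "$WAN" -p tcp --dport 21 -j CT --helper ftp
    # Anything the tracker cannot classify is dropped rather than logged-then-
    # accepted; the chain policy catches the remaining NEW packets.
    $IPT -A INPUT -m state --state INVALID -j DROP
}
```

Usage: source the file and run `load_helpers; build_rules` (as root, with IPT and MODPROBE pointing at the real binaries) or leave the defaults to see the command list. The caveat on the second question is visible in the output: with SSH_SRC at 0.0.0.0/0 the port-22 rule accepts a NEW connection from any host, so the only thing standing between the Internet and sshd is sshd's own authentication; keeping a source restriction, or at least a per-source rate limit, is worth the inconvenience.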