[TriLUG] IPTables help (long)

Ilan Volow listboy at clarux.com
Wed Sep 18 04:10:31 EDT 2002


On Tue, 17 Sep 2002 17:25:28 -0500 (CDT)
Jeff Jackowski <jeffj1 at hiwaay.net> wrote:

> On 17 Sep 2002, Tanner Lovelace wrote:
> 
> >Hey cool!  Thanks very much for all the explanations.
> >I have three questions, though.
> > 
> >You have this rule on the nonew chain:
> >
> >> # New connections are okay on eth1 only
> >> iptables -A nonew -m state --state NEW -i eth1 -j RETURN
> >
> >And then have this on the INPUT chain:
> >
> >> # Anything on eth1 OK
> >> iptables -A INPUT -i eth1 -j ACCEPT
> >
> >Are these redundant?  I think I would prefer the second 
> >one so as to keep the nonew chain clean and to just
> >make it very explicit that eth1 is a trusted network.
> 
> The ordering does appear to make the rules redundant.
> 
> >> # Allow SSH to this box from $company NAT address
> >> iptables -A INPUT -i eth0 -s [IP address elided] -p tcp --dport 22 -j ACCEPT
> >
> >Second question.  I assume I can just remove the -s [ip address]
> >from the ssh and allow ssh connections from anywhere?
> 
> Yes, that should work.
> 
> >> # [These next rules are not in my script, but you will need them]
> >> # [One for each allowed server, as many as you like]
> >> iptables -A INPUT -i eth0 -p tcp --dport [insert port here] -j ACCEPT
> >> iptables -A INPUT -i eth0 -p udp --dport [insert port here] -j ACCEPT
> >> # [End of custom rules for TriLUG]
> >
> >And, finally, is there anything else I need to do to support
> >an ftp server setup?  I seem to remember seeing a special module
> >for that (and for irc too).  Can you talk a bit about those modules?
> 
> The modules I think you are referring to are ip_conntrack and
> ip_conntrack_ftp. I don't know of one for IRC. They are connection
> tracking gizmos. Someone else can write about that since I think I
> don't have a complete understanding.
> 

ip_conntrack_irc

As long as we're on the subject of iptables, I seriously suggest that
anyone who is new to iptables (and who has $49.99 that they were originally
planning to spend on beer) get "Linux Firewalls" Second Edition by
Robert Ziegler. I've found it invaluable for learning iptables (the
thorough examples really help), and consider it to be well worth the
money.

--Ilan 
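Added example, not from Ilan's, Jeff's or Tanner's messages: a minimal host firewall script that ties together the points raised above. It loads the FTP and IRC connection-tracking helpers, accepts everything on the trusted eth1 side (so the separate NEW rule in the nonew chain is unnecessary), and opens only SSH and the FTP control port on eth0. The helpers parse the FTP PORT/PASV and IRC DCC exchanges and mark the resulting data connections as RELATED, so the single ESTABLISHED,RELATED rule admits them without opening any data ports. Interface names follow the thread; the SSH source address, the port list and the module-name fallback are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): minimal host firewall with eth0 facing
# the Internet and eth1 facing a trusted LAN, using the FTP/IRC conntrack
# helpers. Interface names, ports and SSH_SRC are assumptions for this host.

IPT="${IPT:-iptables}"            # set IPT='echo iptables' for a dry run
MODPROBE="${MODPROBE:-modprobe}"
SSH_SRC="${SSH_SRC:-192.0.2.10}"  # placeholder: NAT address allowed to SSH in

# Connection-tracking helpers. Current kernels name them nf_conntrack_ftp and
# nf_conntrack_irc; the 2.4-era ip_conntrack_* names are tried as a fallback.
load_helpers() {
    for m in ftp irc; do
        $MODPROBE nf_conntrack_$m 2>/dev/null || $MODPROBE ip_conntrack_$m
    done
}

apply_firewall() {
    load_helpers

    $IPT -F INPUT
    $IPT -P INPUT DROP

    # Loopback is always fine.
    $IPT -A INPUT -i lo -j ACCEPT

    # One rule covers replies to our own connections AND the FTP/IRC data
    # connections the helpers classify as RELATED; no per-port data rules.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # eth1 is the trusted side: accept anything, so no separate NEW rule here.
    $IPT -A INPUT -i eth1 -j ACCEPT

    # Services reachable from the Internet side (eth0), new connections only.
    $IPT -A INPUT -i eth0 -s "$SSH_SRC" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -i eth0 -p tcp --dport 21 -m state --state NEW -j ACCEPT   # FTP control

    # Log what falls through before the DROP policy eats it (rate limited).
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
}

# Usage: sh fw.sh apply      (as root)
#        sh fw.sh dry-run    (print the commands instead of running them)
case "${1:-}" in
    apply)   apply_firewall ;;
    dry-run) IPT="echo iptables"; MODPROBE="echo modprobe"; apply_firewall ;;
esac
```

Run it with `dry-run` first and read the emitted rule list: the ESTABLISHED,RELATED rule must sit above the per-service rules, and the only ports opened on eth0 should be 21 and 22. If FTP data transfers still stall after applying it, check `lsmod` for the helper module; without it the data connection is NEW rather than RELATED and the DROP policy catches it.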


