[SLUG] iptables

From: Douglas W Koobs (dkoobs@tampabaydsl.com)
Date: Sun Apr 29 2001 - 12:10:44 EDT


Hello everyone,

I'm attempting to set up a firewall that follows the "deny everything, except
what I specify" line of thinking. The specific issue I am working on now
involves the FORWARD chain. I have set the default policy like this:

iptables -P FORWARD DROP

I then specifically DROP some items (i.e., packets coming from the Internet
with a source address of 192.168.0.0/16). Then, to allow me to browse Web
pages, I put in 4 lines:

iptables -A FORWARD -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -p udp --dport 80 -j ACCEPT
iptables -A FORWARD -p tcp --sport 80 -j ACCEPT
iptables -A FORWARD -p udp --sport 80 -j ACCEPT

This works, and I have done the same for POP and SMTP. However, I am sure
there is a cleaner way to do it. I tried using the --port argument, but got this error:

unkown arg '--port'

The --port argument is described in the man pages as being part of a
"multiport" module. Does this refer to an actual module that needs to be
compiled into the kernel? And will it simplify the above rules to just 2
lines, one for tcp and one for udp?

Once I get this forward chain working, I'm gonna begin work on the nat table,
so let me know if you get tired of iptables questions :) Thanks,

Doug
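Since the mail asks whether multiport collapses the four-rules-per-service pattern, here is an added example (not from the original post or the iptables project) that rebuilds the described FORWARD chain with `-m multiport` plus connection tracking, so each service needs one rule and packets that merely carry a source port of 80 are no longer accepted blindly. It assumes the kernel provides the ipt_multiport and ipt_state matches, uses placeholder interface names eth0 (Internet) and eth1 (LAN), and only prints the commands unless IPT=iptables is set.

```shell
#!/bin/sh
# Added example, not from the original mail. Rebuilds the FORWARD chain with
# the multiport match and connection tracking instead of paired --dport/--sport
# rules. Assumed: ipt_multiport and ipt_state are available (modules or built
# in), and the interface names below are placeholders for this site.
IPT="${IPT:-echo iptables}"   # default prints the commands; IPT=iptables applies them
WAN_IF="${WAN_IF:-eth0}"      # placeholder: interface facing the Internet
LAN_IF="${LAN_IF:-eth1}"      # placeholder: interface facing the LAN

forward_rules() {
    # Default deny, then start from an empty chain
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    # Anti-spoofing: private source addresses must never arrive from the Internet
    $IPT -A FORWARD -i "$WAN_IF" -s 192.168.0.0/16 -j DROP
    # Replies to connections the LAN opened. This single rule replaces every
    # --sport rule and only matches packets conntrack has already seen the
    # outbound side of, so an arbitrary inbound packet with sport 80 is dropped.
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    # New outbound HTTP, SMTP and POP3 from the LAN in one rule. multiport
    # needs -p tcp or -p udp and takes up to 15 ports; all three of these
    # services run over TCP, so no UDP rule is needed at all.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p tcp \
        -m multiport --dports 80,25,110 -m state --state NEW -j ACCEPT
}

# Number of -A rules the function emits (3 when IPT is the default echo)
count_forward_rules() {
    forward_rules | grep -c -- '-A FORWARD'
}
```

Run it once with the default echo to review the rule set, then with `IPT=iptables` as root to apply it.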



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 19:58:12 EDT