Re: [SLUG] iptables

From: bill (billt@ifelse.org)
Date: Sun Apr 29 2001 - 13:48:02 EDT


On Sun, 29 Apr 2001, Douglas W Koobs wrote:

> Hello everyone,
>
> I'm attempting to set up a firewall that follows the "deny everything, except
> what I specify" line of thinking. The specific issue I am working on now
> involves the FORWARD chain. I have set the default policy like this:
>
> iptables -P FORWARD DROP

i don't know why i do this, but instead of setting policies for rules, i
have started letting the policies stay ACCEPT, but the last rule in each
chain is a -j DROP to catch anything that isn't explicitly ACCEPTED by
prev. rules. I like this because since it is a rule and not a policy, i
get to see the counters increment on the drop rule.

> I then specifically DROP some items (ie, packets coming from the Internet
> with a source address of 192.168.0.0/16) Then, to allow me to browse Web
> pages, I put in 4 lines:
>
> iptables -A FORWARD -p tcp --dport 80 -j ACCEPT
> iptables -A FORWARD -p udp --dport 80 -j ACCEPT
> iptables -A FORWARD -p tcp --sport 80 -j ACCEPT
> iptables -A FORWARD -p udp --sport 80 -j ACCEPT

i might be wrong, but i don't think you need udp port 80 for web surfing,
just tcp.

also check into the -m state --state ESTABLISHED option. that may shorten
up the rules a little.

>
> This works, and I have done the same for POP and SMTP. However, I am sure
> there is a cleaner way to do it. I tried using the --port argument, but got the error:
>
> unkown arg '--port'
>
> The --port argument is described in the man pages, as being part of a
> "multiport" module. Does this refer to an actual module that needs to be
> compiled into the kernel? And will it simplify the above rules to just 2
> lines, one for tcp and one for udp?

try adding '-m multiport' before the -p tcp and it should work.

g'luck



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 19:58:29 EDT