Re: [SLUG] iptables

From: Douglas W Koobs (dkoobs@tampabaydsl.com)
Date: Sun Apr 29 2001 - 16:48:23 EDT

Next message: Jim Lange: "Re: [SLUG] Want a Cheap Linux Box?????"
Previous message: Glen Canaday: "Re: [SLUG] Participations"
In reply to: bill: "Re: [SLUG] iptables"
Next in thread: Larry Sanders: "Re: [SLUG] iptables"
Reply: Larry Sanders: "Re: [SLUG] iptables"
Reply: Derek Glidden: "Re: [SLUG] iptables"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Thanks!! The -m multiport did the trick, the script is mush shorter now:)
I commented out the line for -p udp on port 80, and can still surf, too.
Jeez, how did I get along without SLUG? More questions on the way...

Doug

On Sunday 29 April 2001 13:48, you wrote:
> On Sun, 29 Apr 2001, Douglas W Koobs wrote:
> > Hello everyone,
> >
> > I'm attempting to set up a firewall that follows the "deny everything,
> > except what I specify" line of thinking. The specific issue I am working
> > on now involves the FORWARD chain. I have set the default policy like
> > this:
> >
> > iptables -P FORWARD DROP
>
> i don't know why i do this, but instead of setting policies for rules, i
> have started letting the policies stay ACCEPT, but the last rule in each
> chain is a -j DROP to catch anything that isn't explicitly ACCEPTED by
> prev. rules. I like this because since it is a rule and not a policy, i
> get to see the counters increment on the drop rule.
>
> > I then specifically DROP some items (ie, packets coming from the
> > Internet with a source address of 192.168.0.0/16) Then, to allow me to
> > browse Web pages, I put in 4 lines:
> >
> > iptables -A FORWARD -p tcp --dport 80 -j ACCEPT
> > iptables -A FORWARD -p udp --dport 80 -j ACCEPT
> > iptables -A FORWARD -p tcp --sport 80 -j ACCEPT
> > iptables -A FORWARD -p udp --sport 80 -j ACCEPT
>
> i might be wrong, but i don't think you need udp port 80 for web surfing,
> just tcp.
>
> also check into the -m state --state ESTABLISHED option. that may shorten
> up the rules a little.
>
> > This works, and I have done the same for POP and SMTP. However, I am sure
> > there is a cleaner way to do it. I tried using the --port argument, but
> > got error:
> >
> > unkown arg '--port'
> >
> > The --port argument is described in the man pages, as being part of a
> > "multiport" module. Does this refer to an actual module that needs to be
> > compiled into the kernel? And will it simplify the above rules to just 2
> > lines, one for tcp and one for udp?
>
> try adding '-m multiport' before the -p tcp and it should work.
>
> g'luck

Next message: Jim Lange: "Re: [SLUG] Want a Cheap Linux Box?????"
Previous message: Glen Canaday: "Re: [SLUG] Participations"
In reply to: bill: "Re: [SLUG] iptables"
Next in thread: Larry Sanders: "Re: [SLUG] iptables"
Reply: Larry Sanders: "Re: [SLUG] iptables"
Reply: Derek Glidden: "Re: [SLUG] iptables"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 19:58:59 EDT