Re: [SLUG] iptables

From: Larry Sanders (lsanders@flash.net)
Date: Sun Apr 29 2001 - 22:50:08 EDT


Could you please post your full configuration file for iptables?
And hopefully any comments.
Thanks. I just received my box set of RH7.1 and want to use it.
Larry :-)

----- Original Message -----
From: Douglas W Koobs <dkoobs@tampabaydsl.com>
To: <slug@nks.net>
Sent: Sunday, April 29, 2001 4:48 PM
Subject: Re: [SLUG] iptables

> Thanks!! The -m multiport did the trick, the script is much shorter now:)
> I commented out the line for -p udp on port 80, and can still surf, too.
> Jeez, how did I get along without SLUG? More questions on the way...
>
> Doug
>
> On Sunday 29 April 2001 13:48, you wrote:
> > On Sun, 29 Apr 2001, Douglas W Koobs wrote:
> > > Hello everyone,
> > >
> > > I'm attempting to set up a firewall that follows the "deny everything,
> > > except what I specify" line of thinking. The specific issue I am working
> > > on now involves the FORWARD chain. I have set the default policy like
> > > this:
> > >
> > > iptables -P FORWARD DROP
> >
> > i don't know why i do this, but instead of setting policies for rules, i
> > have started letting the policies stay ACCEPT, but the last rule in each
> > chain is a -j DROP to catch anything that isn't explicitly ACCEPTED by
> > prev. rules. I like this because since it is a rule and not a policy, i
> > get to see the counters increment on the drop rule.
> >
> > > I then specifically DROP some items (ie, packets coming from the
> > > Internet with a source address of 192.168.0.0/16) Then, to allow me to
> > > browse Web pages, I put in 4 lines:
> > >
> > > iptables -A FORWARD -p tcp --dport 80 -j ACCEPT
> > > iptables -A FORWARD -p udp --dport 80 -j ACCEPT
> > > iptables -A FORWARD -p tcp --sport 80 -j ACCEPT
> > > iptables -A FORWARD -p udp --sport 80 -j ACCEPT
> >
> > i might be wrong, but i don't think you need udp port 80 for web surfing,
> > just tcp.
> >
> > also check into the -m state --state ESTABLISHED option. that may shorten
> > up the rules a little.
> >
> > > This works, and I have done the same for POP and SMTP. However, I am sure
> > > there is a cleaner way to do it. I tried using the --port argument, but
> > > got error:
> > >
> > > unkown arg '--port'
> > >
> > > The --port argument is described in the man pages, as being part of a
> > > "multiport" module. Does this refer to an actual module that needs to be
> > > compiled into the kernel? And will it simplify the above rules to just 2
> > > lines, one for tcp and one for udp?
> >
> > try adding '-m multiport' before the -p tcp and it should work.
> >
> > g'luck
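Pulling the thread's advice together, here is an added example (not a script posted by anyone in the thread) of a "deny everything except what I specify" FORWARD chain: default DROP, the spoofed-private-source drop, one ESTABLISHED rule in place of the --sport reply rules, multiport for the three services Doug mentions, and a final counted drop rule. Interface names and the LAN prefix are assumptions; note that with current iptables the -p tcp must come before -m multiport.

```shell
#!/bin/sh
# Assumed (constructed) router layout for this example.
EXT_IF="eth0"               # interface facing the Internet
INT_IF="eth1"               # interface facing the LAN
LAN_NET="192.168.1.0/24"    # the LAN behind the router

# Print the iptables commands instead of running them, so the set can be
# reviewed first; apply with:  ./fwd.sh --apply   (as root)
gen_forward_rules() {
    cat <<EOF
iptables -F FORWARD
iptables -P FORWARD DROP
# Private source addresses arriving from the Internet side are spoofed;
# drop them first (the thread's 192.168.0.0/16 case plus the other RFC 1918 blocks).
iptables -A FORWARD -i $EXT_IF -s 10.0.0.0/8 -j DROP
iptables -A FORWARD -i $EXT_IF -s 172.16.0.0/12 -j DROP
iptables -A FORWARD -i $EXT_IF -s 192.168.0.0/16 -j DROP
# One stateful rule replaces every "--sport 80"-style reply rule: packets that
# belong to a connection the LAN already opened are accepted in either direction.
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# New connections only from the LAN, outbound, and only to HTTP, SMTP and POP3;
# multiport collapses the per-port rules into one line (tcp only, no udp 80).
iptables -A FORWARD -i $INT_IF -o $EXT_IF -s $LAN_NET -p tcp -m multiport --dports 80,25,110 -m state --state NEW -j ACCEPT
# Explicit catch-all drop rule (as suggested in the thread) so its packet
# counter shows what the policy is discarding; a rate-limited LOG goes first.
iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
iptables -A FORWARD -j DROP
EOF
}

# Count generated rules (comment lines excluded) matching a pattern.
count_rules() {
    gen_forward_rules | grep '^iptables' | grep -c -- "$1"
}

if [ "${1:-}" = "--apply" ]; then
    gen_forward_rules | sh
else
    gen_forward_rules
fi
```

Run it without arguments to inspect the rule set; `iptables -L FORWARD -v -n` after applying shows the per-rule counters the thread's helper relies on.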



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 19:59:54 EDT