IPTABLES is driving me crazy!!! :P
Jeremy Fowler
jfowler at westrope.com
Fri Dec 20 16:49:23 CST 2002
When you set a chain's policy to DROP all packets are dropped, unless you add a
specific rule to accept those certain types of packets. So if you want Internet
access, you have to accept those types of packet - specifically outgoing TCP
packets with a destination port of 80 and then add a rule for the state engine
to accept the incoming reply packets.
So
# Drop *all* packets going across the FORWARD chain
iptables -P FORWARD DROP
# Except for RELATED and ESTABLISHED packets
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# Except for NEW TCP packets with destination port 80
iptables -A FORWARD -m state --state NEW -p tcp --dport 80 -j ACCEPT
Then just continue to add rules that accept only the types of packets you want
through. This may sound extremely complex at first, and it is. It just takes time
to understand the syntax, structure, and meaning of each rule. Remember,
firewall rules are both an art and a science. Getting proficient and getting the
rules right just takes time. Read the HOWTOs on netfilter.org, search Google for
sample iptables firewall scripts (some people call them rc.firewall), and
experiment. Remember this should be fun, so take your time.
-----Original Message-----
From: owner-kclug at marauder.illiana.net
[mailto:owner-kclug at marauder.illiana.net] On Behalf Of Advancewarning
Sent: Thursday, December 19, 2002 11:09 PM
To: KCLUG
Subject: IPTABLES is driving me crazy!!! :P
First things first, I want to set up all the Policies so that by default they
DROP. I did that.
For some reason as soon as I set FORWARD to DROP I no longer have INTERNET!
If I leave it as ACCEPT it works
Another thing is how do I get Apache to work? The only way it will is if I set
all the Policies to ACCEPT.
Also if I set OUTPUT to DROP I lose SSH capability.
This is what I have set in order for it to work. Is there something I am
missing here in order for all these to be set to DROP to work properly?
Chain INPUT (policy DROP)
target prot opt source destination
LOG all -- anywhere anywhere LOG level warning
ACCEPT all -- muldersworld advancewarning.net
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Thanks!
Mike
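The approach Jeremy describes above, carried through all three chains, as an added example that is not part of the original thread. It assumes eth0 faces the Internet, eth1 faces the LAN, and the firewall box itself runs Apache and sshd; by default it only prints the iptables commands, and it applies them when run as root with IPT=iptables.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed interfaces: eth0 = Internet, eth1 = LAN.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
# IPT defaults to a dry run that prints the commands; set IPT=iptables (as root) to apply.
IPT="${IPT:-echo iptables}"

apply_rules() {
    # Flush, then make every chain drop by default.
    $IPT -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP
    # Loopback must be allowed or local services (including Apache tests) break.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    # Replies to connections already accepted, on every chain. With OUTPUT at DROP,
    # this rule is what keeps an accepted SSH session alive.
    for chain in INPUT FORWARD OUTPUT; do
        $IPT -A $chain -m state --state RELATED,ESTABLISHED -j ACCEPT
    done
    # Services on the firewall itself: accept NEW connections on INPUT only.
    $IPT -A INPUT -i $WAN_IF -p tcp --dport 80 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -i $LAN_IF -p tcp --dport 22 -m state --state NEW -j ACCEPT
    # Internet access for LAN hosts: NEW outbound web and DNS through FORWARD.
    $IPT -A FORWARD -i $LAN_IF -o $WAN_IF -p tcp --dport 80 -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i $LAN_IF -o $WAN_IF -p tcp --dport 443 -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i $LAN_IF -o $WAN_IF -p udp --dport 53 -j ACCEPT
    # The firewall's own outbound DNS and web, since OUTPUT is DROP as well.
    $IPT -A OUTPUT -o $WAN_IF -p udp --dport 53 -j ACCEPT
    $IPT -A OUTPUT -o $WAN_IF -p tcp --dport 80 -m state --state NEW -j ACCEPT
    # Log what falls through to the DROP policies so a missing rule shows up in syslog.
    $IPT -A INPUT -j LOG --log-prefix "INPUT DROP: "
    $IPT -A FORWARD -j LOG --log-prefix "FORWARD DROP: "
}

apply_rules
```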