Securing eth1 with IPTABLES
Madison Kelly
linux-5ZoueyuiTZhBDgjK7y7TUQ at public.gmane.org
Tue Mar 23 06:18:55 UTC 2004
See my notes within the quoted message:
David Kreuter wrote:
> Madison et al thank you for your help. Here is the output as requested from
> iptables-save:
>
> # Generated by iptables-save v1.2.7a on Mon Mar 22 19:46:40 2004
> *filter
> :INPUT ACCEPT [448733:27854874]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [447020:26108052]
> -A FORWARD -s 192.168.1.0/255.255.255.0 -j ACCEPT
- Good, lets everything out (note that no more outbound rules will
match because no packet will pass this rule.)
> -A FORWARD -d 192.168.1.0/255.255.255.0 -j ACCEPT
- BAD! Here you say to let everything destined for your internal
subnet in. You may as well have no firewall at this point. No other
rules added after this will work because no inbound packets will go past
this rule (they all match and are ACCEPTed.)
> -A FORWARD -s ! 192.168.1.0/255.255.255.0 -j DROP
- I can't think of a logical reason for this.
> -A FORWARD -s 192.168.1.0/255.255.255.0 -j ACCEPT
- You repeated the first FORWARD rule
> -A FORWARD -d 192.168.1.0/255.255.255.0 -j ACCEPT
- Duplicate of the second rule...
> -A FORWARD -s ! 192.168.1.0/255.255.255.0 -j DROP
- Again, unsure why this is here...
> -A FORWARD -p tcp -j LOG --log-level 6
- This rule will never be matched because any packet would have stopped
traversing the FORWARD chain as soon as it hit one of the first two
all-encompassing rules.
> -A FORWARD -p tcp -j LOG --log-prefix "Forward info" --log-level 6
- ditto. Put these BEFORE any rule would match.
> COMMIT
> # Completed on Mon Mar 22 19:46:40 2004
> # Generated by iptables-save v1.2.7a on Mon Mar 22 19:46:40 2004
> *nat
> :PREROUTING ACCEPT [105414:5087474]
> :POSTROUTING ACCEPT [6102:366228]
> :OUTPUT ACCEPT [6288:377744]
> -A POSTROUTING -o eth1 -j MASQUERADE
> -A POSTROUTING -o eth1 -j MASQUERADE
- Why twice?
> COMMIT
> # Completed on Mon Mar 22 19:46:40 2004
If you are writing this out via a shell script, can you post it? Also
recap what you want to do. I'll see if I can whip up a script for you
over lunch tomorrow at work.
Madison
--
The Toronto Linux Users Group. Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
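The point Madison makes above (the FORWARD chain is first-match, so an early accept-all rule shadows every rule after it, including the LOG rules) is easy to check mechanically. The following is an added example, not code from either poster: a small simulator of iptables chain traversal that parses the quoted FORWARD rules from the iptables-save output, walks them for a few constructed packets, and reports which rules actually fire. The reordered ruleset at the bottom is an assumed correction of my own (LOG rule moved first, a stateful allow for reply traffic, and a DROP rather than ACCEPT for unsolicited traffic destined for the LAN); the `-m state` match is standard iptables syntax but is not on the original page.

```python
import ipaddress
import shlex

# Constructed: the FORWARD rules exactly as they appear in the quoted iptables-save
ORIGINAL_FORWARD = [
    "-A FORWARD -s 192.168.1.0/255.255.255.0 -j ACCEPT",
    "-A FORWARD -d 192.168.1.0/255.255.255.0 -j ACCEPT",
    "-A FORWARD -s ! 192.168.1.0/255.255.255.0 -j DROP",
    "-A FORWARD -s 192.168.1.0/255.255.255.0 -j ACCEPT",
    "-A FORWARD -d 192.168.1.0/255.255.255.0 -j ACCEPT",
    "-A FORWARD -s ! 192.168.1.0/255.255.255.0 -j DROP",
    "-A FORWARD -p tcp -j LOG --log-level 6",
    '-A FORWARD -p tcp -j LOG --log-prefix "Forward info" --log-level 6',
]

# Assumed correction (not the poster's ruleset): log first, then allow
# replies to LAN-initiated connections, allow LAN-originated traffic,
# and drop anything else that is headed into the LAN.
REORDERED_FORWARD = [
    '-A FORWARD -p tcp -j LOG --log-prefix "Forward info" --log-level 6',
    "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT",
    "-A FORWARD -s 192.168.1.0/255.255.255.0 -j ACCEPT",
    "-A FORWARD -d 192.168.1.0/255.255.255.0 -j DROP",
]

# Constructed sample packets (203.0.113.0/24 is a documentation range)
PACKETS = {
    "inbound_new":   {"src": "203.0.113.5", "dst": "192.168.1.10", "proto": "tcp", "state": "NEW"},
    "inbound_reply": {"src": "203.0.113.5", "dst": "192.168.1.10", "proto": "tcp", "state": "ESTABLISHED"},
    "outbound_new":  {"src": "192.168.1.10", "dst": "203.0.113.5", "proto": "tcp", "state": "NEW"},
}

TERMINAL = {"ACCEPT", "DROP", "REJECT"}  # targets that stop chain traversal


def parse_rule(text):
    """Parse one iptables-save rule line into a dict of match criteria."""
    toks = shlex.split(text)
    rule = {"chain": None, "src": None, "dst": None, "proto": None, "states": None, "target": None}
    i = 0
    while i < len(toks):
        t = toks[i]
        if t == "-A":
            rule["chain"] = toks[i + 1]
            i += 2
        elif t in ("-s", "-d"):
            # old-style negation puts "!" between the flag and the address
            i += 1
            negate = toks[i] == "!"
            if negate:
                i += 1
            net = ipaddress.ip_network(toks[i], strict=False)  # accepts dotted netmask
            rule["src" if t == "-s" else "dst"] = (net, negate)
            i += 1
        elif t == "-p":
            rule["proto"] = toks[i + 1]
            i += 2
        elif t == "-m":
            i += 2  # match extension name; its options are parsed separately
        elif t == "--state":
            rule["states"] = set(toks[i + 1].split(","))
            i += 2
        elif t == "-j":
            rule["target"] = toks[i + 1]
            i += 2
        elif t.startswith("--log-"):
            i += 2  # LOG options do not affect matching
        else:
            raise ValueError(f"unsupported token {t!r} in {text!r}")
    return rule


def parse_ruleset(lines):
    return [parse_rule(line) for line in lines]


def matches(rule, pkt):
    """Return True if every criterion in the rule matches the packet."""
    for key in ("src", "dst"):
        if rule[key] is not None:
            net, negate = rule[key]
            if (ipaddress.ip_address(pkt[key]) in net) == negate:
                return False
    if rule["proto"] is not None and rule["proto"] != pkt["proto"]:
        return False
    if rule["states"] is not None and pkt["state"] not in rule["states"]:
        return False
    return True


def traverse(rules, pkt, policy="ACCEPT"):
    """Walk the chain first-match; LOG is non-terminating, ACCEPT/DROP end it.
    Returns (verdict, indices of rules that fired)."""
    hits = []
    for idx, rule in enumerate(rules):
        if matches(rule, pkt):
            hits.append(idx)
            if rule["target"] in TERMINAL:
                return rule["target"], hits
    return policy, hits


def unreachable_log_rules(rules, packets):
    """Indices of LOG rules that never fire for any of the sample packets."""
    fired = set()
    for pkt in packets.values():
        fired.update(traverse(rules, pkt)[1])
    return [i for i, r in enumerate(rules) if r["target"] == "LOG" and i not in fired]


if __name__ == "__main__":
    for name, lines in (("original", ORIGINAL_FORWARD), ("reordered", REORDERED_FORWARD)):
        rules = parse_ruleset(lines)
        for pkt_name, pkt in PACKETS.items():
            print(name, pkt_name, traverse(rules, pkt))
        print(name, "LOG rules that never fire:", unreachable_log_rules(rules, PACKETS))
```

Running it shows the shadowing directly: with the original ordering an unsolicited packet to 192.168.1.10 is ACCEPTed by rule 1 and neither LOG rule ever fires, while with the LOG rule first the same packet is logged and then dropped, and reply traffic still gets through via the state match.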