On September 1, 2003 01:23 pm, Andrew Gaffney wrote:
> Based on replies on this list and another, I have come up with the
> following iptables rules that work for me:
>
>      echo 1 > /proc/sys/net/ipv4/ip_forward
>      iptables -P INPUT ACCEPT
>      iptables -F INPUT
>      iptables -P OUTPUT ACCEPT
>      iptables -F OUTPUT
>      iptables -P FORWARD ACCEPT
>      iptables -F FORWARD
>      iptables -t nat -F
>      iptables -A FORWARD -i ppp0 -o eth0 -j ACCEPT
>      iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>      iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>      iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
>      iptables -A INPUT -p tcp --dport 22 -j ACCEPT
>      iptables -A INPUT -p tcp --dport 25 -j ACCEPT
>      iptables -A INPUT -p tcp --dport 80 -j ACCEPT
>      iptables -P INPUT DROP

NO!  that will pretty much negate the use of a firewall altogether!  where 
are you dropping/rejecting packets?  basically your script says this:

accept everything incoming
accept everything outgoing
accept everything forwarding
forward all traffic from ppp0 to eth0
nat your internal lan to eth0
accept all established or related packets
accept all incoming packets from the internal lan
accept all incoming connections from any ip, on any interface on ports 22, 25, 
and 80.
drop everything else that's incoming.

i can't be sure that you can reset the policy like that, but i can assure you 
that the above rules are in no way secure.

-- 
in the past we had little to do with other races.  evolution teaches us that 
we must fight that which is different in order to secure land, food, and mates 
for ourselves, but we must reach a point when the nobility of intellect 
asserts itself and says: no.  we need not be afraid of those who are 
different, we can embrace that difference and learn from it.
        - g'kar, babylon 5 "the ragged edge"


--
[EMAIL PROTECTED] mailing list
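An added example, not part of either message, of a default-deny version of the quoted rule set: a shell script that prints the iptables commands so they can be reviewed, and loads them only when told to. It assumes ppp0 is the Internet-facing link and eth0 the LAN carrying 192.168.254.0/24 (the thread does not say which is which), and the anti-spoofing and LOG rules are my additions.

```shell
#!/bin/sh
# Added example (not from the thread): default-deny replacement for the
# quoted rules. Commands are printed for review; "apply" loads them as root.
# Assumed layout (not stated in the thread): WAN_IF faces the Internet,
# LAN_IF carries the internal network LAN_NET.
IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-ppp0}"
LAN_IF="${LAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.254.0/24}"

firewall_rules() {
    # Policies go to DROP before the flush, so there is never a window in
    # which the box accepts everything while the ACCEPT rules are re-added.
    echo "$IPT -P INPUT DROP"
    echo "$IPT -P FORWARD DROP"
    echo "$IPT -P OUTPUT ACCEPT"
    echo "$IPT -F"
    echo "$IPT -X"
    echo "$IPT -t nat -F"
    # Loopback, replies to our own connections, and nothing malformed.
    echo "$IPT -A INPUT -i lo -j ACCEPT"
    echo "$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "$IPT -A INPUT -m state --state INVALID -j DROP"
    # LAN hosts may reach the gateway; LAN addresses arriving on the WAN
    # link are spoofed and dropped (the original -s match had no -i).
    echo "$IPT -A INPUT -i $WAN_IF -s $LAN_NET -j DROP"
    echo "$IPT -A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT"
    # Only the three intended services are reachable from the Internet.
    for port in 22 25 80; do
        echo "$IPT -A INPUT -i $WAN_IF -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    # Forwarding: the LAN opens connections outward; only replies come back.
    echo "$IPT -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT"
    echo "$IPT -A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "$IPT -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE"
    # Log what is about to hit the INPUT DROP policy so it shows up in syslog.
    echo "$IPT -A INPUT -i $WAN_IF -j LOG --log-prefix 'fw-input-drop: '"
}

apply_rules() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    firewall_rules | sh -e
}

# "./fw.sh" prints the rule set; "./fw.sh apply" loads it (root required).
case "${1:-show}" in
    apply) apply_rules ;;
    *) firewall_rules ;;
esac
```

Compare the printed output against the quoted script: the policies are set first, every ACCEPT from the Internet is tied to an interface and a NEW state, and FORWARD no longer defaults to ACCEPT.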