On September 1, 2003 01:23 pm, Andrew Gaffney wrote:
> Based on replies on this list and another, I have come up with the
> following iptables rules that work for me:
>
> echo 1 > /proc/sys/net/ipv4/ip_forward
> iptables -P INPUT ACCEPT
> iptables -F INPUT
> iptables -P OUTPUT ACCEPT
> iptables -F OUTPUT
> iptables -P FORWARD ACCEPT
> iptables -F FORWARD
> iptables -t nat -F
> iptables -A FORWARD -i ppp0 -o eth0 -j ACCEPT
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
> iptables -A INPUT -p tcp --dport 22 -j ACCEPT
> iptables -A INPUT -p tcp --dport 25 -j ACCEPT
> iptables -A INPUT -p tcp --dport 80 -j ACCEPT
> iptables -P INPUT DROP
NO! That will pretty much negate the use of a firewall altogether! Where are you dropping/rejecting packets?

Basically your script says this:

  accept everything incoming
  accept everything outgoing
  accept everything forwarding
  forward all traffic from ppp0 to eth0
  NAT your internal LAN to eth0
  accept all established or related packets
  accept all incoming packets from the internal LAN
  accept all incoming connections from any IP, on any interface, on ports 22, 25, and 80
  drop everything else that's incoming

I can't be sure that you can reset the policy like that, but I can assure you that the above rules are in no way secure.

-- 
In the past we had little to do with other races. Evolution teaches us that we must fight that which is different in order to secure land, food, and mates for ourselves, but we must reach a point when the nobility of intellect asserts itself and says: no. We need not be afraid of those who are different; we can embrace that difference and learn from it.
- G'Kar, Babylon 5, "The Ragged Edge"

-- 
[EMAIL PROTECTED] mailing list
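Added example, written for this page and not taken from either message above: a shell script that tightens the quoted ruleset along the lines the reply implies (default policies set to DROP before anything is accepted, the LAN trusted only on its own interface, the public ports bound to the outside interface, nothing new forwarded inwards), plus a small audit function that flags the weaknesses the reply lists. The interface roles are an assumption read off the posted FORWARD and MASQUERADE rules (`-i ppp0 -o eth0`, `-o eth0`): eth0 is taken as the Internet-facing side and ppp0 as the LAN side; the interface names, LAN range and port list are variables to change for your own box. On the policy question, `iptables -P` can be issued more than once and the last setting stands, but putting `-P INPUT DROP` last, as the posted script does, leaves the box wide open for as long as the script takes to run, which is why the generated set sets it first. `gen_rules` only prints the commands, so nothing here needs root until you pipe its output into `sh`.

```shell
#!/bin/sh
# Added example, not code from the thread. Interface roles are an assumption
# taken from the posted rules (FORWARD -i ppp0 -o eth0, MASQUERADE -o eth0):
# eth0 faces the Internet, ppp0 the LAN. Adjust these four settings.
WAN=eth0
LAN=ppp0
LAN_NET=192.168.254.0/24
PUBLIC_TCP="22 25 80"   # services this box offers to the outside

# The ruleset exactly as posted, kept here so audit_rules can be run on it.
POSTED_RULES='echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -P INPUT ACCEPT
iptables -F INPUT
iptables -P OUTPUT ACCEPT
iptables -F OUTPUT
iptables -P FORWARD ACCEPT
iptables -F FORWARD
iptables -t nat -F
iptables -A FORWARD -i ppp0 -o eth0 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -P INPUT DROP'

# gen_rules prints a tightened ruleset instead of running it, so it can be
# reviewed (and audited below) first.  Apply with:  gen_rules | sudo sh
gen_rules() {
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    # Policies go to DROP *before* the flush, so there is no moment while the
    # script runs in which everything is accepted.
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"
    echo "iptables -F INPUT"
    echo "iptables -F OUTPUT"
    echo "iptables -F FORWARD"
    echo "iptables -t nat -F"
    # Loopback, then replies to connections the box or the LAN opened.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # The LAN is trusted only when it arrives on the LAN interface; a packet
    # with a LAN source address on $WAN is spoofed and falls to the DROP policy.
    echo "iptables -A INPUT -i $LAN -s $LAN_NET -j ACCEPT"
    # Only new connections from the LAN outwards are forwarded and masqueraded;
    # nothing new is forwarded from the outside in.
    echo "iptables -A FORWARD -i $LAN -o $WAN -s $LAN_NET -m state --state NEW -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE"
    # Public services are bound to the outside interface explicitly.
    for port in $PUBLIC_TCP; do
        echo "iptables -A INPUT -i $WAN -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    # Log (rate limited) what the policy is about to drop.
    echo "iptables -A INPUT -i $WAN -m limit --limit 5/min -j LOG --log-prefix 'fw-drop: '"
}

# audit_rules reads iptables commands on stdin, one per line, writes each
# weakness it recognises to stderr and prints the number of findings to stdout.
audit_rules() {
    n=0
    while IFS= read -r line; do
        case "$line" in
            *"-P INPUT ACCEPT"*|*"-P FORWARD ACCEPT"*)
                echo "open default policy: $line" >&2
                n=$((n + 1)) ;;
            *"-A INPUT "*"-j ACCEPT"*)
                # An INPUT accept is fine if it only matches reply traffic or is
                # pinned to an interface; otherwise it is reachable from anywhere
                # (and a -s match on its own can be spoofed).
                case "$line" in
                    *"--state ESTABLISHED"*|*" -i "*) ;;
                    *) echo "accept from any interface: $line" >&2
                       n=$((n + 1)) ;;
                esac ;;
            *"-A FORWARD "*"-j ACCEPT"*)
                # A FORWARD accept should match replies or name the source it
                # forwards for; "-i ppp0 -o eth0" alone forwards everything.
                case "$line" in
                    *"--state ESTABLISHED"*|*" -s "*) ;;
                    *) echo "forwards all traffic: $line" >&2
                       n=$((n + 1)) ;;
                esac ;;
        esac
    done
    echo "$n"
}

# Example run (the posted rules yield 7 findings, the generated set 0):
#   printf '%s\n' "$POSTED_RULES" | audit_rules
#   gen_rules | audit_rules
```

Running the posted rules through `audit_rules` reports the two ACCEPT policies, the unconditional ppp0-to-eth0 forward, the LAN accept that is not tied to an interface, and the three service ports open on every interface; the generated set reports nothing. The audit is deliberately narrow (it only knows the patterns this thread is about) and is a review aid, not a substitute for reading the rules.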