On 07/26/01 20:20:05 -0700, Vineet Kumar wrote:
> I notice you've already applied another solution, but I hope I can
> provide some direction should you (or anyone else) decide they'd like
> to do it yourself:
>
> I have found that the most useful thing in setting up ipchains or
> iptables is to see and understand the diagrams representing packet
> flow in the kernel code. Maybe that's not for everyone, and I'm more
> of a visual learner (or something). Anyway, for ipchains, it looks
> like this:
<<< Diagram snipped >>>

> It's a little burly for your purposes. All you're talking about is a
> packet filter, with no forwarding (and hence no masquerading, etc.) So
> let's take out what's unimportant and reduce it to this:

Yeah, I had read through the IPChains Howto, and I think I got some of
the fundamentals down. I tend to learn by example, so as a newbie, I had
some trouble applying what was going on with the real-world example
given in the howto to my own needs.

> -------------------------------------------------------------------
> |            ACCEPT/                                lo interface  |
> v           REDIRECT                                              |
> --> C --> S --> ______ -->       -->  ~~~~~~~~         _______  -->
>     h     a    |input |              {Routing }       |output |ACCEPT
>     e     n    |Chain |              {Decision}   --->|Chain  |
>     c     i    |______|               ~~~~~~~~    |   |_______|
>     k     t       |                     |         |       |
>     s     y       |                     |         |       |
>     u             |                     v         v       |      v
>     m             |                   DENY/ Local Process |    DENY/
>     |             v                   REJECT      |       |    REJECT
>     |           DENY                        ---------------------
>     v
>    DENY
>
> That's a bit more manageable, no? All you need to worry about are the
> input and output chains. I'm going to recommend a very simple ruleset
> for you; no need to mess around with all kinds of user-defined chains.
> You might want (after reading some more and getting the hang of what's
> going on here) to add some logging capabilities to the setup, but for
> now, let's just roll a simple script:

Ah, yes. That was one of the problems I had. The example revolved around
forwarding packets, which then quickly got out of hand for me when trying
to figure out what I needed to do. I think I understood most of what was
being discussed, and when I do get around to setting up a gateway machine
for my home network (coming soon), I'll draw from it. I think I'll go back
and re-read it and focus on what each was trying to accomplish.

> (I've been (happily) immersed in the iptables world and haven't used
> ipchains in a while (and don't have a machine to test it on, either),
> so if it has a couple of syntactical glitches in it, please bear with
> me.)
No problem, just a great big "thank you" for taking the time to explain
this to me and others.

<<< firewall script snipped >>>

Thanks again, I've already added your message to my Saved folder!

-- 
Mark Wagnon <[EMAIL PROTECTED]>
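A host-only ipchains ruleset of the kind Vineet describes above, touching only the input and output chains of the reduced diagram. This is an added example, not the firewall script snipped from his message; it assumes no forwarding or masquerading, uses port 22 in ALLOWED_TCP purely as an illustration, and the IPCHAINS override and the --apply switch are conventions chosen here so the rules can be previewed without being loaded.

```shell
#!/bin/sh
# Added example (not Vineet's snipped script): a host-only ipchains ruleset
# that touches only the input and output chains, as the reduced diagram shows.
# Assumptions: no forwarding/masquerading; ALLOWED_TCP lists the services this
# host offers (22 is only an illustration); setting IPCHAINS="echo ipchains"
# prints the rules instead of loading them.
IPCHAINS="${IPCHAINS:-ipchains}"
ALLOWED_TCP="${ALLOWED_TCP:-22}"

build_ruleset() {
    # Start clean: flush the input chain, then set policies. With DENY as the
    # input policy anything not explicitly accepted below is dropped silently
    # (REJECT would send an ICMP error back to the sender instead).
    $IPCHAINS -F input
    $IPCHAINS -P input DENY
    # No forwarding, so the output chain only ever sees this host's own packets.
    $IPCHAINS -P output ACCEPT

    # Loopback: the "lo interface" loop in the diagram re-enters the input
    # chain, so local services talking to 127.0.0.1 need this rule first.
    $IPCHAINS -A input -i lo -j ACCEPT

    # Replies to connections this host opened: TCP segments that are not SYN
    # (! -y). ipchains has no connection tracking, so this is the closest
    # thing to an "established" match.
    $IPCHAINS -A input -p tcp ! -y -j ACCEPT
    # DNS answers come back from source port 53.
    $IPCHAINS -A input -p udp -s 0/0 53 -j ACCEPT
    # ICMP for unreachables, path MTU discovery and ping replies.
    $IPCHAINS -A input -p icmp -j ACCEPT

    # Services offered by this host: new TCP connections to the listed ports.
    for port in $ALLOWED_TCP; do
        $IPCHAINS -A input -p tcp -d 0/0 "$port" -j ACCEPT
    done

    # Everything else is logged (-l) to the kernel log before being denied, so
    # the default policy is never hit silently and probes show up in the logs.
    $IPCHAINS -A input -l -j DENY
}

# --apply (a switch chosen for this example) loads the rules for real;
# without it the script only defines the function.
if [ "${1:-}" = "--apply" ]; then
    build_ruleset
fi
```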