I used to hang out on the LARTC list, so here's my analysis. Quite possibly flawed. You may want to ask the LARTC guys, they eat stuff like this for breakfast.
Bob Crandell wrote:
> Here is rc.iptables:
> #===================================
> #!/bin/sh
>
> LOOPNET="127.0.0.0/8"
> LOCALNET="216.239.175.0/24"
>
> echo " Clearing existing configuration."
> /usr/sbin/iptables -P INPUT ACCEPT
> /usr/sbin/iptables -F INPUT
> /usr/sbin/iptables -P OUTPUT ACCEPT
> /usr/sbin/iptables -F OUTPUT
> /usr/sbin/iptables -P FORWARD ACCEPT
> /usr/sbin/iptables -F FORWARD
> /usr/sbin/iptables -F -t nat
> /usr/sbin/iptables -F logdrop
> /usr/sbin/iptables -X logdrop
>
> echo "Create Drop Chain."
> /usr/sbin/iptables -N logdrop
> /usr/sbin/iptables -A logdrop -j LOG --log-level info
> /usr/sbin/iptables -A logdrop -j DROP
>
> echo "INPUT Rule sets."
> /usr/sbin/iptables -A INPUT -i lo -j ACCEPT

Accept everything from your loopback addy.

> /usr/sbin/iptables -A INPUT -i eth0 -j ACCEPT

Accept everything from the adapter.

> /usr/sbin/iptables -A INPUT -i eth0 -s $LOOPNET -j logdrop

Drop things from loopback network. Except you already jumped to ACCEPT for everything via 'lo', so this is never matched.

> /usr/sbin/iptables -A INPUT -i eth0 -d $LOOPNET -j logdrop

Drop things to loopback network. Except you already jumped to ACCEPT for everything via 'lo', so this is never matched.

> /usr/sbin/iptables -A INPUT -i eth0 -s $LOCALNET -j ACCEPT

Accept everything from the localnet network. Except you already accepted things from eth0, so this is never matched.

Indeed it does.

> echo "Redirect Web traffic through Dan's Guardian"
> /usr/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 81 -j REDIRECT --to-port 8080
> #===================================

This works, but it lets the whole world in. Not good.
Here's what I would do:
OK_NET1="216.239.175.0/24"
OK_NET2="64.28.48.0/24"
OK_HOST1="64.112.226.198"

#flush rules before setting policy
#also, set a default deny rule. Safer that way...
iptables -F INPUT
iptables -P INPUT DROP
iptables -F FORWARD
iptables -P FORWARD DROP
iptables -F OUTPUT
iptables -P OUTPUT ACCEPT
iptables -F -t nat
iptables -F sort
iptables -X sort

iptables -N sort
#accept from the OK hosts and nets
iptables -A sort -s $OK_NET1 -j ACCEPT
iptables -A sort -s $OK_NET2 -j ACCEPT
iptables -A sort -s $OK_HOST1 -j ACCEPT
#everything else is logged and then dropped
iptables -A sort -j LOG --log-level info
iptables -A sort -j DROP

#jump to the sorting rule from input and forward.
#output isn't really worth worrying about IMHO - the
#unwanted hosts don't get in, so why would there
#be anything going back to them
iptables -A INPUT -j sort
iptables -A FORWARD -j sort

#Finally, we add the shim rule:
#Sends all inbound port 81 traffic over to 8080
iptables -t nat -A PREROUTING -i eth0 -p tcp \
    --dport 81 -j REDIRECT --to-port 8080

See how that works. Or maybe I missed the mark entirely. Lemme know.
-Brad
(PS - please forgive me if a dupe of this message is ever posted to the list. I accidentally sent the original message from the wrong alias...)
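Added example, not part of Brad's or Bob's message: a small Python model of iptables first-match evaluation that walks both INPUT rulesets from the thread with constructed sample packets and reports which rules an earlier ACCEPT makes unreachable. Only -i, -s and -d matching is modelled (no conntrack, no ports); the Rule/evaluate/shadowed_rules names, the packet dictionaries and the outside address 198.51.100.7 are my own and not from the post.

```python
"""Model iptables first-match semantics for the two INPUT rulesets in the thread.
Added example; models only -i, -s and -d matches (no conntrack, no ports)."""
import ipaddress

TERMINAL = {"ACCEPT", "DROP", "REJECT"}  # targets that end the walk


class Rule:
    """One rule: optional -i / -s / -d matches plus a jump target (-j)."""

    def __init__(self, target, in_iface=None, src=None, dst=None):
        self.target = target
        self.in_iface = in_iface
        self.src = ipaddress.ip_network(src) if src else None
        self.dst = ipaddress.ip_network(dst) if dst else None

    def matches(self, pkt):
        if self.in_iface and pkt["in"] != self.in_iface:
            return False
        if self.src and ipaddress.ip_address(pkt["src"]) not in self.src:
            return False
        if self.dst and ipaddress.ip_address(pkt["dst"]) not in self.dst:
            return False
        return True

    def covers(self, other):
        """True if every packet that matches `other` also matches this rule."""
        if self.in_iface and self.in_iface != other.in_iface:
            return False
        if self.src and (other.src is None or not other.src.subnet_of(self.src)):
            return False
        if self.dst and (other.dst is None or not other.dst.subnet_of(self.dst)):
            return False
        return True


def evaluate(chains, pkt, chain="INPUT", policy="DROP"):
    """Walk `chain` top to bottom; the first terminating match wins.
    Returns (verdict, trace) with trace = list of (chain, index) that matched.
    LOG does not terminate; a user chain that runs off its end returns to the
    caller, as in iptables; falling off INPUT yields the chain policy."""
    trace = []
    for idx, rule in enumerate(chains[chain]):
        if not rule.matches(pkt):
            continue
        trace.append((chain, idx))
        if rule.target in chains:  # jump into a user-defined chain
            verdict, sub = evaluate(chains, pkt, rule.target, None)
            trace.extend(sub)
            if verdict is not None:
                return verdict, trace
        elif rule.target in TERMINAL:
            return rule.target, trace
    return policy, trace


def shadowed_rules(rules):
    """Map j -> i for every rule j that can never match because an earlier
    terminating rule i already matches a superset of j's packets."""
    out = {}
    for j, rj in enumerate(rules):
        for i in range(j):
            if rules[i].target in TERMINAL and rules[i].covers(rj):
                out[j] = i
                break
    return out


LOOPNET, LOCALNET = "127.0.0.0/8", "216.239.175.0/24"
OK_NET1, OK_NET2, OK_HOST1 = "216.239.175.0/24", "64.28.48.0/24", "64.112.226.198/32"

# Bob's rc.iptables INPUT chain, in the order the script appends it (policy ACCEPT).
ORIGINAL = {
    "logdrop": [Rule("LOG"), Rule("DROP")],
    "INPUT": [
        Rule("ACCEPT", in_iface="lo"),
        Rule("ACCEPT", in_iface="eth0"),
        Rule("logdrop", in_iface="eth0", src=LOOPNET),
        Rule("logdrop", in_iface="eth0", dst=LOOPNET),
        Rule("ACCEPT", in_iface="eth0", src=LOCALNET),
    ],
}
ORIGINAL_POLICY = "ACCEPT"

# Brad's proposed ruleset: INPUT jumps straight to the sort chain (policy DROP).
PROPOSED = {
    "sort": [Rule("ACCEPT", src=OK_NET1), Rule("ACCEPT", src=OK_NET2),
             Rule("ACCEPT", src=OK_HOST1), Rule("LOG"), Rule("DROP")],
    "INPUT": [Rule("sort")],
}
PROPOSED_POLICY = "DROP"

# Constructed sample packets (not from the post); 198.51.100.0/24 is documentation space.
PACKETS = {
    "loopback": {"in": "lo", "src": "127.0.0.1", "dst": "127.0.0.1"},
    "localnet": {"in": "eth0", "src": "216.239.175.5", "dst": "216.239.175.1"},
    "spoofed_loop": {"in": "eth0", "src": "127.0.0.1", "dst": "216.239.175.1"},
    "outside": {"in": "eth0", "src": "198.51.100.7", "dst": "216.239.175.1"},
}


def verdicts(chains, policy):
    """Verdict for each sample packet under the given ruleset."""
    return {name: evaluate(chains, pkt, "INPUT", policy)[0] for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    print("original:", verdicts(ORIGINAL, ORIGINAL_POLICY))
    print("original INPUT rules shadowed (rule -> by):", shadowed_rules(ORIGINAL["INPUT"]))
    print("proposed:", verdicts(PROPOSED, PROPOSED_POLICY))
```

Run against Bob's chain, all four packets come back ACCEPT, including the one arriving on eth0 with a 127.0.0.1 source, and rules 2 to 4 are reported as shadowed by rule 1 (-i eth0 -j ACCEPT), which is the ordering problem the reply points at. Brad's chain drops everything not in the OK list. The model also makes one side effect of that design visible: the loopback packet is dropped too, because the sort chain has no -i lo exception and INPUT's policy is DROP, and the same fate awaits replies to the host's own outbound connections from addresses outside the OK list, since nothing matches ESTABLISHED/RELATED state. A practitioner adopting the proposed layout would normally put an -i lo ACCEPT and a state match ahead of the jump to sort.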
_______________________________________________ EuG-LUG mailing list [EMAIL PROTECTED] http://mailman.efn.org/cgi-bin/listinfo/eug-lug
