On Friday 29 August 2003 20:12, Andrew Gaffney wrote:
> Rudmer van Dijk wrote:
> > On Friday 29 August 2003 19:21, Andrew Gaffney wrote:
> >>Andrew Gaffney wrote:
> >>>iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
> >>>iptables -A INPUT -p tcp --dport 22 -j ACCEPT
> >>>iptables -A INPUT -p tcp --dport 25 -j ACCEPT
> >>>iptables -A INPUT -p tcp --dport 80 -j ACCEPT
> >>>iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> >>>iptables -P INPUT DROP
> >>>
> >>>Correct?
> >>
> >>Something I forgot to mention is that there is a 2nd interface: ppp0. I
> >>have a ppp dial-in server set up for my use. I have a few iptables rules
> >>set up to NAT stuff from ppp0 out through eth0. Will the above rules
> >>interfere with that?
> >
> > not really, but do you want to block local machines? if you only want to
> > block outside connections then you can use something like the following.
> >
> > Rudmer
> >
> > ---
> >
> > # allow forwarding
> > iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> > iptables -A FORWARD -m state --state NEW -i ! ppp0 -j ACCEPT
> > iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> > iptables -A INPUT -m state --state NEW -i ! ppp0 -j ACCEPT
> >
> > # masquerade local -> internet connections
> > iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
> >
> > # maximize ssh response
> > iptables -t mangle -A PREROUTING -p tcp --sport ssh -j TOS --set-tos Minimize-Delay
> >
> > # accept ssh, web and mail connections
> > iptables -A INPUT -p tcp --dport ssh -j ACCEPT
> > iptables -A INPUT -p tcp --dport http -j ACCEPT
> > iptables -A INPUT -p tcp --dport smtp -j ACCEPT
> >
> > # set policy for chains
> > iptables -P INPUT DROP
> > iptables -P OUTPUT ACCEPT
> > iptables -P FORWARD DROP
> >
> > # enable and masquerade forwarded packages
> > echo 1 > /proc/sys/net/ipv4/ip_forward
> > # disable ExplicitCongestionNotification
> > echo 0 > /proc/sys/net/ipv4/tcp_ecn
>
> You misunderstand. With your example, I believe you have ppp0 as the
> external connection and eth0 acting as the internal connection to the
> LAN. ppp0 is not the internet connection. eth0 is connected to a router
> that is connected to a T1. I want to allow all traffic to and from ppp0
> and masquerade anything from ppp0 out to the LAN/internet through eth0.
> I want any incoming connections into eth0 with a source address of
> 192.168.254.0/24 to be allowed through. Any other incoming
> connections into eth0 (from the internet) I want to be blocked unless they
> are for port 22, 25, or 80.
OK, when you see ppp0 mentioned, it normally means the outgoing connection...
The solution is simple: change ppp0 to eth0 and insert this at the 5th (or 6th)
place:
iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
Then it should work.
Rudmer
PS. If you want to do a thorough cleaning of your tables before you try a new
set of rules, try this:
iptables -Z
iptables -F
iptables -t nat -F PREROUTING
iptables -t nat -F OUTPUT
iptables -t nat -F POSTROUTING
iptables -t mangle -F PREROUTING
iptables -t mangle -F OUTPUT
iptables -X
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
--
[EMAIL PROTECTED] mailing list
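The corrected ruleset Rudmer describes (ppp0 swapped for eth0 as the untrusted interface, the LAN accept rule inserted before the default-deny policy, his flush sequence condensed), as an added example that is not code from the thread. It assumes eth0 faces the router/T1, ppp0 is the dial-in side, the trusted LAN is 192.168.254.0/24, and an iptables recent enough to take the `! -i` form of the negation (the thread's `-i ! ppp0` is the older spelling). The `IPT`, `EXT_IF`, `LAN_NET` and `OPEN_PORTS` variables and the `show`/`apply` arguments are this script's own conventions.

```shell
#!/bin/sh
# Added example, not code from the thread: Rudmer's ruleset with eth0 as the
# untrusted (router/T1) interface and the LAN accept rule placed before the
# default-deny policies. Assumed: eth0 faces the router, ppp0 is the dial-in
# side, the trusted LAN is 192.168.254.0/24. "show" prints the rules without
# touching the kernel; "apply" (as root) loads them.
IPT="${IPT:-iptables}"                      # set IPT=echo for a dry run
EXT_IF="${EXT_IF:-eth0}"                    # interface facing the router / internet
LAN_NET="${LAN_NET:-192.168.254.0/24}"      # trusted LAN range from the thread
OPEN_PORTS="${OPEN_PORTS:-22 25 80}"        # ssh, smtp, http reachable from outside

# Start from a clean slate so stale rules cannot shadow the new ones
# (Rudmer's PS, condensed: -F with no chain flushes every chain in the table).
flush_rules() {
    $IPT -Z
    $IPT -F
    $IPT -X
    $IPT -t nat -F
    $IPT -t mangle -F
    $IPT -P INPUT ACCEPT
    $IPT -P FORWARD ACCEPT
    $IPT -P OUTPUT ACCEPT
}

# Emit the rules in order; iptables is first-match, so the order matters.
build_rules() {
    # replies to connections this box or the ppp0/LAN clients opened
    $IPT -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # new connections are fine unless they arrive on the untrusted interface
    # (the thread wrote this as "-i ! ppp0"; current syntax is "! -i")
    $IPT -A INPUT   -m state --state NEW ! -i "$EXT_IF" -j ACCEPT
    $IPT -A FORWARD -m state --state NEW ! -i "$EXT_IF" -j ACCEPT
    # the rule Rudmer says to insert at the 5th place: LAN hosts also arrive
    # on eth0, so the "! -i eth0" rule above does not cover them
    $IPT -A INPUT -s "$LAN_NET" -j ACCEPT
    # services the internet may reach; anything else on eth0 hits the DROP policy
    for port in $OPEN_PORTS; do
        $IPT -A INPUT -i "$EXT_IF" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    # dial-in clients leave through eth0 using eth0's address
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE
    # default-deny last, once the accepts are in place
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
}

apply_all() {
    flush_rules
    build_rules
    echo 1 > /proc/sys/net/ipv4/ip_forward   # forwarding is off by default
}

case "${1:-}" in
    apply) apply_all ;;
    show)  IPT=echo; build_rules ;;
esac
```

Run `sh firewall.sh show` first and read the output top to bottom: the LAN accept and the three service accepts must appear before `-P INPUT DROP`, and nothing should still mention ppp0, since every interface other than eth0 is already covered by the `! -i eth0` rule.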