[quoted lines by John Anthony Kazos Jr. on February 18, 2000, at 21:28]
>Here's an example. Win2K box, host-only networking, netmask 255.255.255.0.
>I want to allow HTTP, FTP, and Telnet (80, 23, and 21, right?) to leave the
>machine, and to invisibly fry the rest.
FTP also needs port 20. Port 21 is for the control connection, and port 20 is
for data transfers.
Add all rules on the host system. For all rules, specify a source which
includes all addresses within your virtual subnet, e.g.
-s 192.168.0.0/24
Add a masquerade rule to the forward chain for the virtual subnet, e.g.
ipchains -A forward -j MASQ -i eth0 -s 192.168.0.0/24
Add a rule to the input chain which accepts all TCP packets from the
virtual subnet which are part of already established connections, e.g.
ipchains -A input -j ACCEPT -p tcp -s 192.168.0.0/24 ! -y
Add a rule to the input chain for each acceptable service, e.g.
ipchains -A input -j ACCEPT -p tcp -s 192.168.0.0/24 -d 0.0.0.0/0 80
Finally, add a rule to the input chain which discards all other requests from
the virtual subnet, e.g.
ipchains -A input -j DENY -s 192.168.0.0/24
Add the -l option to this last command if you'd like to log the denials.
To use FTP, remember to "insmod ip_masq_ftp".
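The steps above, collected into one script as an added example (this is not Dave's own script, only the same ipchains rules in the order they must be added). The subnet 192.168.0.0/24, the external interface eth0 and the service list are assumed values and can be overridden from the environment; DRY_RUN=yes prints the commands instead of running them, so the rule set can be checked on a box without ipchains.

```shell
#!/bin/sh
# Added example: assemble the ipchains rule set for a host-only virtual
# subnet in dependency order. Values below are assumptions, not from the post.
SUBNET="${SUBNET:-192.168.0.0/24}"   # assumed: the VMware host-only subnet
EXT_IF="${EXT_IF:-eth0}"             # assumed: the host's external interface
SERVICES="${SERVICES:-80 23 21}"     # assumed: HTTP, Telnet, FTP control
LOG_DENIALS="${LOG_DENIALS:-yes}"    # add -l to the final DENY rule

# Print the command instead of executing it when DRY_RUN=yes.
run() {
    if [ "${DRY_RUN:-no}" = "yes" ]; then
        echo "$*"
    else
        "$@"
    fi
}

gen_rules() {
    # 1. Masquerade packets from the virtual subnet that leave via EXT_IF.
    run ipchains -A forward -j MASQ -i "$EXT_IF" -s "$SUBNET"
    # 2. Accept non-SYN TCP packets from the subnet: they belong to
    #    connections that were already allowed to start. "! -y" inverts the
    #    SYN match; a plain "-y" would accept new connections instead.
    run ipchains -A input -j ACCEPT -p tcp -s "$SUBNET" ! -y
    # 3. Accept new connections to each permitted service. The port after
    #    -d is the destination port; a port after -s would match the source
    #    port, which an outbound request does not carry.
    for port in $SERVICES; do
        run ipchains -A input -j ACCEPT -p tcp -s "$SUBNET" -d 0.0.0.0/0 "$port"
    done
    # 4. Silently drop everything else from the subnet (DENY sends no
    #    ICMP error, unlike REJECT). -l logs each dropped packet.
    if [ "$LOG_DENIALS" = "yes" ]; then
        run ipchains -A input -j DENY -s "$SUBNET" -l
    else
        run ipchains -A input -j DENY -s "$SUBNET"
    fi
    # 5. FTP's data connection (port 20, as noted above) is set up
    #    dynamically by the ip_masq_ftp helper, so no static rule is added.
    run insmod ip_masq_ftp
}

# Apply the rules only when explicitly asked: APPLY=yes sh masq_rules.sh
if [ "${APPLY:-no}" = "yes" ]; then
    gen_rules
fi
```

Run it once with DRY_RUN=yes APPLY=yes to review the eight commands it will issue; the order matters because ipchains evaluates a chain top to bottom and stops at the first match, so the established-connection rule and the per-service rules must sit above the DENY rule.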
--
Dave Mielke | 856 Grenon Avenue | I believe that the Bible is the
Phone: 1-613-726-0014 | Ottawa, Ontario | Word of God. Please contact me
EMail: [EMAIL PROTECTED] | Canada K2B 6G3 | if you're concerned about Hell.
-====---====---====---====---====---====---====---====---====---====---====-
to unsubscribe email "unsubscribe linux-admin" to [EMAIL PROTECTED]
See the linux-admin FAQ: http://www.kalug.lug.net/linux-admin-FAQ/