I guess I do not understand why you want to put an iptables filter for a LTSP workstation that is on LAN. For local access only, I wouldn't use iptables at all (ACCEPT for default policy). In LTSP, all the programs are running on the LTSP server. The video output, keyboard and mouse are being handled by the workstation. So, as long as you do not NFS mount directories from the workstation to the server, there is no need for iptables. Security is at the level at which your LTSP server is currently configured.

> I have a lovely LTSP set-up which I'm trying to add a level of security to via IPTables on the LTSP server. For the life of me I can't seem to get past a TFTP time-out. Below is the script I'm using to load the rules. Anyone done this successfully?
>
> # flush chains
> $IPTABLES -F
>
> # delete user defined chains
> $IPTABLES -X
>
> # set default policies (deny everything)
> $IPTABLES -P INPUT DROP
> $IPTABLES -P FORWARD DROP
> $IPTABLES -P OUTPUT DROP
>
> $IPTABLES -A INPUT -i eth0 -p udp --dport 67:68 --sport 67:68 -j ACCEPT
> $IPTABLES -A INPUT -i eth0 -p tcp --dport 547 -j ACCEPT
> $IPTABLES -A INPUT -i eth0 -p udp --dport 547 -j ACCEPT
> $IPTABLES -A INPUT -i eth0 -p tcp --dport 69 -j ACCEPT
> $IPTABLES -A INPUT -i eth0 -p udp --dport 69 -j ACCEPT
> $IPTABLES -A INPUT -i eth0 -s $DHCP_CLIENTS -p tcp --dport 1758 -j ACCEPT
> $IPTABLES -A INPUT -i eth0 -s $DHCP_CLIENTS -p udp --dport 1758 -j ACCEPT
> $IPTABLES -A INPUT -i eth0 -s $DHCP_CLIENTS -p tcp --dport 177 -j ACCEPT
> $IPTABLES -A INPUT -i eth0 -s $DHCP_CLIENTS -p udp --dport 177 -j ACCEPT
> $IPTABLES -A INPUT -i eth0 -s $DHCP_CLIENTS -p tcp --dport 4000:4002 -j ACCEPT
> $IPTABLES -A INPUT -i eth0 -s $DHCP_CLIENTS -p udp --dport 4000:4002 -j ACCEPT
> $IPTABLES -A INPUT -i eth0 -s $DHCP_CLIENTS -p tcp --dport 2049 -j ACCEPT
> $IPTABLES -A INPUT -i eth0 -s $DHCP_CLIENTS -p udp --dport 2049 -j ACCEPT
> $IPTABLES -A INPUT -i eth0 -s $DHCP_CLIENTS -p tcp --dport 111 -j ACCEPT
> $IPTABLES -A INPUT -i eth0 -s $DHCP_CLIENTS -p udp --dport 111 -j ACCEPT
> $IPTABLES -A INPUT -i eth0 -s $MONITOR -p tcp --dport 22 -j ACCEPT
> $IPTABLES -A INPUT -i eth0 -s $MONITOR -p udp --dport 22 -j ACCEPT
> $IPTABLES -A OUTPUT -s $DHCP_CLIENTS -p tcp --dport 69 -j ACCEPT
> $IPTABLES -A OUTPUT -s $DHCP_CLIENTS -p udp --dport 69 -j ACCEPT
If the LTSP server is directly connected to the Internet, through another ethernet card, I would set iptables to allow local access via:
# Set variables
IPTABLES="/sbin/iptables"
LAN_IFACE="eth0"
INET_IFACE="eth1"

# Default policy is DROP (do not reply)
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

# Unlimited traffic on loopback
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

# Unlimited traffic on LAN
$IPTABLES -A INPUT -i $LAN_IFACE -j ACCEPT
$IPTABLES -A OUTPUT -o $LAN_IFACE -j ACCEPT
Ken Cobler
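Editor's note on the TFTP time-out in the quoted script: the terminal sends its read request to udp/69, but the server answers from a fresh ephemeral port to the terminal's ephemeral port. With the OUTPUT policy set to DROP and the only OUTPUT rules matching `--dport 69` (and `-s $DHCP_CLIENTS`, which on the OUTPUT chain would have to be the server's own address), that reply never leaves the server, so the boot stalls until the client gives up. The same gap would hit the NFS and X traffic once TFTP got through. The script below is an added example, not code from Ken or the original poster: a stateful version of the ruleset that accepts return traffic and loads the TFTP connection-tracking helper. The interface name, the terminal address range, the monitor host, and the 4000:4002 RPC ports are assumed placeholders; the module name nf_conntrack_tftp is the current kernel's (older kernels call it ip_conntrack_tftp).

```shell
#!/bin/sh
# Added example (not from the list post): a stateful iptables ruleset for the
# LAN side of an LTSP server. Interface, client range and monitor host are
# assumed placeholders; set them to match the site.
#
# Dry run by default: the rules are printed instead of applied.
# Run with IPTABLES=/sbin/iptables to load them for real.
IPTABLES="${IPTABLES:-echo}"
LAN_IFACE="${LAN_IFACE:-eth0}"
DHCP_CLIENTS="${DHCP_CLIENTS:-192.168.0.0/24}"   # assumed terminal address range
MONITOR="${MONITOR:-192.168.0.10}"               # assumed admin host allowed to ssh

ltsp_rules() {
    # TFTP data travels on a separate port pair; the conntrack helper ties it to
    # the request as RELATED so the state rule below accepts it. The module is
    # nf_conntrack_tftp on current kernels (ip_conntrack_tftp on 2.4/2.6).
    [ "$IPTABLES" = echo ] || modprobe nf_conntrack_tftp

    $IPTABLES -F
    $IPTABLES -X
    $IPTABLES -P INPUT DROP
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -P FORWARD DROP

    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A OUTPUT -o lo -j ACCEPT

    # Replies to anything the server accepted, plus RELATED flows such as the
    # TFTP data stream: this is the rule the original script is missing.
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # DHCP discover arrives from 0.0.0.0:68 to 255.255.255.255:67, so no -s here,
    # and the offer goes back to broadcast, which conntrack cannot pair with it.
    $IPTABLES -A INPUT -i $LAN_IFACE -p udp --sport 68 --dport 67 -j ACCEPT
    $IPTABLES -A OUTPUT -o $LAN_IFACE -p udp --sport 67 --dport 68 -j ACCEPT

    # TFTP read request from terminals only; the data phase is RELATED (above).
    $IPTABLES -A INPUT -i $LAN_IFACE -s $DHCP_CLIENTS -p udp --dport 69 -j ACCEPT

    # Portmapper and NFS for the terminals' root filesystem. mountd/lockd/statd
    # pick dynamic ports unless pinned; 4000:4002 is assumed to be where the
    # original script pinned them.
    for proto in tcp udp; do
        $IPTABLES -A INPUT -i $LAN_IFACE -s $DHCP_CLIENTS -p $proto -m multiport --dports 111,2049 -j ACCEPT
        $IPTABLES -A INPUT -i $LAN_IFACE -s $DHCP_CLIENTS -p $proto --dport 4000:4002 -j ACCEPT
    done

    # XDMCP query from the terminal's X server (udp/177). The display manager
    # then opens a NEW tcp connection back to the terminal's display, which the
    # state rule does not cover, so that outbound connection is allowed explicitly.
    $IPTABLES -A INPUT -i $LAN_IFACE -s $DHCP_CLIENTS -p udp --dport 177 -j ACCEPT
    $IPTABLES -A OUTPUT -o $LAN_IFACE -d $DHCP_CLIENTS -p tcp --dport 6000:6005 -j ACCEPT

    # ssh is tcp only; a udp/22 rule matches nothing.
    $IPTABLES -A INPUT -i $LAN_IFACE -s $MONITOR -p tcp --dport 22 -j ACCEPT

    # Log what each DROP policy is about to discard, so a boot failure shows the
    # exact port pair in the kernel log instead of a silent time-out.
    $IPTABLES -A INPUT -j LOG --log-prefix "ltsp-drop-in: "
    $IPTABLES -A OUTPUT -j LOG --log-prefix "ltsp-drop-out: "
}

# Number of rules the dry run emits for a chain; a quick sanity check that the
# script produced what was intended before it is applied.
chain_rules() {
    ltsp_rules | grep -c -- "^-A $1 "
}

ltsp_rules
```

After applying, watch `iptables -nvL OUTPUT` while a terminal boots: the ESTABLISHED,RELATED counter should climb during the TFTP transfer and the "ltsp-drop-out:" lines in the kernel log should stay empty. On kernels from 4.7 onward the conntrack helper is no longer attached automatically; there the request also needs a raw-table rule of the form `iptables -t raw -A PREROUTING -i eth0 -p udp --dport 69 -j CT --helper tftp`, which older iptables releases lack, hence it is left out of the script. Port 547 and udp/1758 from the original script are not reproduced here because the quoted post does not say what they serve on that site.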
Ltsp-discuss mailing list. To un-subscribe, or change prefs, goto: https://lists.sourceforge.net/lists/listinfo/ltsp-discuss For additional LTSP help, try #ltsp channel on irc.freenode.net
