Greetings Brian,

Would it be too much to assume that you are using two Ethernet adapters
in the server and just need to specify which one to use for internal and
external?  Here's a sample of my own IPTABLES script that works like a
champ for my 13 branches running LTSP:

#
/sbin/insmod ip_tables
/sbin/insmod ip_conntrack
/sbin/insmod ip_conntrack_ftp
/sbin/insmod iptable_nat
/sbin/insmod ip_nat_ftp
IPTABLES=/sbin/iptables
EXTIF="eth1"
INTIF="eth0"
echo "   External Interface:  $EXTIF"
echo "   Internal Interface:  $INTIF"

#  Unless specified, the defaults for INPUT and OUTPUT is ACCEPT
#    The default for FORWARD is DROP
#
echo "   clearing any existing rules and setting default policy.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -A INPUT -p tcp -m tcp -s x.x.x.x --syn -j ACCEPT
$IPTABLES -A INPUT -p tcp -m tcp -s x.x.x.x --syn -j ACCEPT
$IPTABLES -A INPUT -p tcp -m tcp -s x.x.x.x --syn -j ACCEPT
$IPTABLES -A INPUT -p tcp -m tcp -s x.x.x.x --syn -j ACCEPT
$IPTABLES -A INPUT -p udp -m udp -s x.x.x.x --sport 53 -d 0/0 -j ACCEPT
$IPTABLES -A INPUT -p udp -m udp -s x.x.x.x --sport 53 -d 0/0 -j ACCEPT
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -i $INTIF -j ACCEPT
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -j REJECT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -A OUTPUT -d 192.168.0.0/24 -j ACCEPT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
echo "   Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward

I've removed the actual IP addresses from our network and replaced them
with x's.  We are also doing ftp and some PC access using the LTSP
server as a gateway, which accounts for some of the insmod lines and the
very last line of the script.

Hope this helps.

Thanks,
Steven G. Spencer

On Mon, 2004-02-09 at 12:15, Brian Payst wrote:
> I have a lovely LTSP set-up which I'm trying to add a level of security
> to via IPTables on the LTSP server. For the life of me I can't seem to
> get past a TFTP time-out. Below is the script I'm using to load the
> rules. Anyone done this successfully?
> 
> # flush chains
> $IPTABLES -F
> 
> # delete user defined chains
> $IPTABLES -X
> 
> # set default policies (deny everything)
> $IPTABLES -P INPUT DROP
> $IPTABLES -P FORWARD DROP
> $IPTABLES -P OUTPUT DROP
> 
> $IPTABLES -A INPUT -i eth0 -p udp --dport 67:68 --sport 67:68 -j ACCEPT
> $IPTABLES -A INPUT -i eth0 -p tcp --dport 547 -j ACCEPT
> $IPTABLES -A INPUT -i eth0 -p udp --dport 547 -j ACCEPT
> $IPTABLES -A INPUT -i eth0 -p tcp --dport 69 -j ACCEPT
> $IPTABLES -A INPUT -i eth0 -p udp --dport 69 -j ACCEPT
> $IPTABLES -A INPUT -i eth0 -s $DHCP_CLIENTS -p tcp --dport 1758 -j ACCEPT
> $IPTABLES -A INPUT -i eth0 -s $DHCP_CLIENTS -p udp --dport 1758 -j ACCEPT
> $IPTABLES -A INPUT -i eth0 -s $DHCP_CLIENTS -p tcp --dport 177 -j ACCEPT
> $IPTABLES -A INPUT -i eth0 -s $DHCP_CLIENTS -p udp --dport 177 -j ACCEPT
> $IPTABLES -A INPUT -i eth0 -s $DHCP_CLIENTS -p tcp --dport 4000:4002 -j ACCEPT
> $IPTABLES -A INPUT -i eth0 -s $DHCP_CLIENTS -p udp --dport 4000:4002 -j ACCEPT
> $IPTABLES -A INPUT -i eth0 -s $DHCP_CLIENTS -p tcp --dport 2049 -j ACCEPT
> $IPTABLES -A INPUT -i eth0 -s $DHCP_CLIENTS -p udp --dport 2049 -j ACCEPT
> $IPTABLES -A INPUT -i eth0 -s $DHCP_CLIENTS -p tcp --dport 111  -j ACCEPT
> $IPTABLES -A INPUT -i eth0 -s $DHCP_CLIENTS -p udp --dport 111 -j ACCEPT
> $IPTABLES -A INPUT -i eth0 -s $MONITOR -p tcp --dport 22 -j ACCEPT
> $IPTABLES -A INPUT -i eth0 -s $MONITOR -p udp --dport 22 -j ACCEPT
> $IPTABLES -A OUTPUT -s $DHCP_CLIENTS -p tcp --dport 69 -j ACCEPT
> $IPTABLES -A OUTPUT -s $DHCP_CLIENTS -p udp --dport 69 -j ACCEPT
> 
> 
> Brian Payst
> Director of Technology & Systems Support
> Division of Student Affairs
> The University of North Carolina at Chapel Hill
> voice:(919)962-1469 fax:(919)962-5241 
> 
> 
> -------------------------------------------------------
> The SF.Net email is sponsored by EclipseCon 2004
> Premiere Conference on Open Tools Development and Integration
> See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
> http://www.eclipsecon.org/osdn
> _____________________________________________________________________
> Ltsp-discuss mailing list.   To un-subscribe, or change prefs, goto:
>       https://lists.sourceforge.net/lists/listinfo/ltsp-discuss
> For additional LTSP help,   try #ltsp channel on irc.freenode.net
-- 
Steven G. Spencer, Network Manager
Kelly Supply Co./KDS Internet
308-382-5670 Ext. 232

New UNIX command: rm -Rf /usr/bin/gw/bush
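A combined worked example for the two scripts in this thread, added here and not code posted by either author. It keeps the quoted default-DROP policy on all three chains but makes the ruleset stateful, loads the TFTP connection-tracking helper, and optionally adds the MASQUERADE/FORWARD part of the gateway script. The interface names, the 192.168.0.0/24 client subnet, the 2.4-era module names, the port list and the DRY_RUN, MONITOR and EXTIF variables are all assumptions. The point it demonstrates: a TFTP server answers a read request sent to udp/69 from a new, randomly chosen source port, so with OUTPUT dropped by default that first data packet is a NEW flow in the OUTPUT chain and never leaves the server unless a conntrack helper has marked it RELATED and a rule accepts RELATED traffic. FTP's data connection has the same shape, which is what the ip_conntrack_ftp and ip_nat_ftp modules in the gateway script take care of.

```shell
#!/bin/sh
# ltsp-fw.sh: added example, not a script from this thread.
# Stateful iptables ruleset for an LTSP server whose thin clients sit on
# $INTIF.  It prints the commands by default (DRY_RUN=1); run it as root
# with DRY_RUN=0 to apply them.  Subnet, interface names, ports and module
# names are assumptions; adjust them to the site.
#
# Why TFTP needs a helper: the client sends its read request to udp/69 but
# the server replies from a NEW random source port.  With a default-DROP
# OUTPUT chain, no ESTABLISHED,RELATED rule and no TFTP conntrack helper,
# that first data packet is dropped and the client times out.  Loading
# ip_conntrack_tftp registers an expectation so the reply is RELATED.

IPTABLES=${IPTABLES:-/sbin/iptables}
INTIF=${INTIF:-eth0}             # thin-client side (assumed)
EXTIF=${EXTIF:-}                 # set (e.g. eth1) to also masquerade for the LAN
LAN=${LAN:-192.168.0.0/24}       # assumed thin-client subnet
MONITOR=${MONITOR:-}             # optional single host allowed to ssh in
DRY_RUN=${DRY_RUN:-1}

# run: print the command in dry-run mode, otherwise execute it
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# 2.4-era module names; on nf_conntrack kernels use nf_conntrack_tftp/_ftp
load_helpers() {
    for m in ip_tables ip_conntrack ip_conntrack_tftp ip_conntrack_ftp; do
        run /sbin/modprobe "$m"
    done
}

ltsp_rules() {
    run "$IPTABLES" -F
    run "$IPTABLES" -X
    run "$IPTABLES" -P INPUT DROP
    run "$IPTABLES" -P FORWARD DROP
    run "$IPTABLES" -P OUTPUT DROP

    run "$IPTABLES" -A INPUT -i lo -j ACCEPT
    run "$IPTABLES" -A OUTPUT -o lo -j ACCEPT
    # Replies in both directions.  RELATED covers the TFTP and FTP data
    # flows the helpers expect; without the OUTPUT rule the server's own
    # answers never leave.
    run "$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run "$IPTABLES" -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # DHCP: DISCOVER is broadcast from 0.0.0.0, so it cannot be matched on
    # -s $LAN, and the OFFER may be broadcast too, so allow both explicitly.
    run "$IPTABLES" -A INPUT -i "$INTIF" -p udp --sport 68 --dport 67 -j ACCEPT
    run "$IPTABLES" -A OUTPUT -o "$INTIF" -p udp --sport 67 --dport 68 -j ACCEPT
    # TFTP read request; the data flow back is RELATED via ip_conntrack_tftp
    run "$IPTABLES" -A INPUT -i "$INTIF" -s "$LAN" -p udp --dport 69 -j ACCEPT
    # portmap and NFS for the client root filesystem
    for p in 111 2049; do
        run "$IPTABLES" -A INPUT -i "$INTIF" -s "$LAN" -p tcp --dport "$p" -j ACCEPT
        run "$IPTABLES" -A INPUT -i "$INTIF" -s "$LAN" -p udp --dport "$p" -j ACCEPT
    done
    # XDMCP query from the client...
    run "$IPTABLES" -A INPUT -i "$INTIF" -s "$LAN" -p udp --dport 177 -j ACCEPT
    # ...after which the display manager opens a NEW TCP connection to the
    # client's X server, so OUTPUT needs its own rule for that.  Anything
    # else the server must originate (DNS, package updates) needs one too.
    run "$IPTABLES" -A OUTPUT -o "$INTIF" -d "$LAN" -p tcp --dport 6000:6009 -j ACCEPT
    # management access only from one host, if configured
    if [ -n "$MONITOR" ]; then
        run "$IPTABLES" -A INPUT -i "$INTIF" -s "$MONITOR" -p tcp --dport 22 -j ACCEPT
    fi
    # everything else reaching INPUT is logged (rate-limited) and then dropped by policy
    run "$IPTABLES" -A INPUT -m limit --limit 1/s -j LOG --log-prefix "ltsp-fw: "
}

# Optional: masquerade the LAN out of $EXTIF, as the gateway script above does.
gateway_rules() {
    [ -n "$EXTIF" ] || return 0
    run /sbin/modprobe iptable_nat
    run /sbin/modprobe ip_nat_ftp
    run "$IPTABLES" -t nat -F
    run "$IPTABLES" -t nat -A POSTROUTING -s "$LAN" -o "$EXTIF" -j MASQUERADE
    run "$IPTABLES" -A FORWARD -i "$INTIF" -o "$EXTIF" -s "$LAN" -j ACCEPT
    run "$IPTABLES" -A FORWARD -i "$EXTIF" -o "$INTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    run sysctl -w net.ipv4.ip_forward=1
}

load_helpers
ltsp_rules
gateway_rules
```

By default the script only prints the iptables commands, which is also a convenient way to diff a rule change before loading it; `DRY_RUN=0 ./ltsp-fw.sh` as root applies them. On current kernels the helpers are nf_conntrack_tftp and nf_conntrack_ftp, and automatic helper assignment is off by default, so the helper has to be attached explicitly in the raw table, e.g. `iptables -t raw -A PREROUTING -i eth0 -p udp --dport 69 -j CT --helper tftp`, before the RELATED rule will see the data flow.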


