/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting! */
/* ALSO: Don't quote this header. It makes you look lame :-) */
>This will work for loose rulesets. However it only works with the NAT
>and FILTER tables. It is highly advisable to work toward a strong
>ruleset for your firewall. The first step in doing this is to change
>all policies to DROP and then get only what you need working.

Totally agreed. I have a new IPMASQ howto ready to go with the awaited
rc.firewall-2.4-stronger ruleset but it isn't as tested as I would
like. Do I have any interested testers or auditors out there? The new
ruleset seems to work well for everything I've tested but I want it as
robust as possible.

>echo -n "Forwarding $EXT_F to $INT_F:"
>$IPTABLES -t filter -I FORWARD -p tcp -d $INT_IP \
> --dport $INT_PORT -j ACCEPT && \

Why are you backgrounding every rule? You can create out-of-order
rulesets this way (though somewhat remote). I highly recommend
serializing the loading of your ruleset.

>$IPTABLES -t filter -I FORWARD -p udp -d $INT_IP \
> --dport $INT_PORT -j ACCEPT && \

Do not PORTFW both UDP and TCP traffic unless the protocol requires it.

>$IPTABLES -t mangle -I PREROUTING -p tcp -d $EXT_IP \
> --dport $EXT_PORT -j ACCEPT && \
>$IPTABLES -t mangle -I PREROUTING -p udp -d $EXT_IP \
> --dport $EXT_PORT -j ACCEPT && \

Why are you mangling the traffic? As I understand it, this PORTFWed
traffic will never hit this rule.

--David

.----------------------------------------------------------------------------.
| David A. Ranch - Linux/Networking/PC hardware            [EMAIL PROTECTED] |
!----                                                                    ----!
`----- For more detailed info, see http://www.ecst.csuchico.edu/~dranch -----'

_______________________________________________
Masq maillist  -  [EMAIL PROTECTED]
Admin requests can be handled at http://www.indyramp.com/masq-list/ --
THIS INCLUDES UNSUBSCRIBING! or email to [EMAIL PROTECTED]
PLEASE read the HOWTO and search the archives before posting.
You can start your search at http://www.indyramp.com/masq/
Please keep general linux/unix/pc/internet questions off the list.
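The three points raised in the reply above (load rules serially so a failure cannot leave a partial or out-of-order ruleset, forward only the protocol the service needs, and touch only the nat and filter tables) put together as one shell function. This is an added example, not code from the post or from the rc.firewall scripts it discusses; the interface name, addresses and ports are constructed placeholders, and the DNAT rule in nat/PREROUTING is the usual iptables form of a port forward that the quoted script fragment does not itself show.

```shell
#!/bin/sh
# Added example: a serialized, TCP-only port forward using only the nat
# and filter tables. Not from the list post or from rc.firewall-2.4-*.
set -e   # abort on the first failed rule instead of carrying on with a
         # partially loaded ruleset

# Dry run by default: "echo iptables" prints each rule instead of loading
# it. Run as root with IPTABLES=iptables to apply the rules for real.
IPTABLES="${IPTABLES:-echo iptables}"

EXT_IF=eth0              # assumed external interface
EXT_IP=203.0.113.10      # constructed external address (TEST-NET-3 range)
EXT_PORT=8080            # constructed public port
INT_IP=192.168.1.20      # constructed internal host
INT_PORT=80              # constructed internal service port

# portfw_tcp EXT_IF EXT_IP EXT_PORT INT_IP INT_PORT
# Loads exactly two rules, one after the other, and returns non-zero if
# either one fails (set -e above turns that into an abort). The DNAT in
# nat/PREROUTING rewrites the destination; the filter/FORWARD rule lets
# the rewritten packet through. No udp twin and no mangle rule: the
# forwarded traffic never needs either.
portfw_tcp() {
    ext_if=$1; ext_ip=$2; ext_port=$3; int_ip=$4; int_port=$5
    $IPTABLES -t nat -A PREROUTING -i "$ext_if" -p tcp -d "$ext_ip" \
        --dport "$ext_port" -j DNAT --to-destination "$int_ip:$int_port"
    $IPTABLES -t filter -A FORWARD -i "$ext_if" -p tcp -d "$int_ip" \
        --dport "$int_port" -j ACCEPT
}

# portfw_dryrun ARGS... : the rules portfw_tcp would load, as text, in
# the order they would be loaded. Runs in a subshell so the dry-run
# setting of IPTABLES never leaks into a real load.
portfw_dryrun() {
    ( IPTABLES="echo iptables"; portfw_tcp "$@" )
}

# portfw_rule_count ARGS... : how many rules a forward emits. A loader
# can assert this is 2 before applying, catching an accidental UDP
# duplicate or a stray mangle rule in a rewritten script.
portfw_rule_count() {
    portfw_dryrun "$@" | wc -l | tr -d ' '
}

# Serial load: the second rule is only attempted after the first one
# succeeded, so the nat and filter entries always appear as a pair.
portfw_tcp "$EXT_IF" "$EXT_IP" "$EXT_PORT" "$INT_IP" "$INT_PORT"
```

Run it as-is to see the two rules printed in load order; only when `IPTABLES=iptables` is set does it touch the kernel. Because each command is its own line under `set -e`, a typo in the first rule stops the script there, rather than leaving the FORWARD accept in place without its DNAT counterpart.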
