I don't think you need to have the ip address in the rules. Here's what I have in a very similar setup as yours and it does the trick:

*nat
-A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE

I'm pretty sure you can just replace the MASQUERADE with SNAT, but no guarantees.

*filter
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT

I have set the default policy for the OUTPUT chain to be ACCEPT so I don't need to handle it separately:

:OUTPUT ACCEPT [0:0]

The rest are set to DROP. I have a few default rules to open some ports:

-A INPUT -p tcp --dport ftp -j ACCEPT

These are then handled by xinetd (which uses a very restrictive hosts.allow/hosts.deny)

Good luck,
David

--__--__--

Message: 30
Date: Wed, 04 Jun 2003 23:48:11 -0600
From: "Ashley M. Kirchner" <[EMAIL PROTECTED]>
Organization: Photo Craft Laboratories, Inc.
To: Red Hat Mailing List <[EMAIL PROTECTED]>
Subject: Autoupdate iptables on DHCP
Reply-To: [EMAIL PROTECTED]

I have an RH9 server on a cable modem and I'm trying to figure out how to auto-update /etc/sysconfig/iptables whenever my IP changes. Right now, I have to manually edit that file to put the new IP in it. Right now I'm looking at 4 separate lines, across different sections of the file. Is there some way to automatically do that? Is there some way to avoid having the IP hardcoded in the first place?

Under *nat:
-A POSTROUTING -o eth0 -j SNAT --to-source <DHCP IP ADDRESS>

Under *filter:
-A INPUT -s <DHCP IP ADDRESS> -i lo -j ACCEPT
-A INPUT -d <DHCP IP ADDRESS> -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -s <DHCP IP ADDRESS> -j ACCEPT

--
H | I haven't lost my mind; it's backed up on tape somewhere.
  +--------------------------------------------------------------------
  Ashley M. Kirchner <mailto:[EMAIL PROTECTED]>   .   303.442.6410 x130
  IT Director / SysAdmin / WebSmith             .   800.441.3873 x130
  Photo Craft Laboratories, Inc.            .     3550 Arapahoe Ave. #6
  http://www.pcraft.com ..... .  .    .       Boulder, CO 80303, U.S.A.
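Added example (not part of either message, and not Red Hat's own tooling): a Python sketch that applies the approach from David's reply to the four rules in the question, swapping `SNAT --to-source <ip>` for `MASQUERADE` (which uses the outgoing interface's current address) and dropping `-s`/`-d` matches on the WAN address, then listing any rule that still names it. The address 203.0.113.7, the sample file and the function names are assumptions made for this example.

```python
import re

# Constructed sample: the four rules from the question, with the documentation
# address 203.0.113.7 standing in for <DHCP IP ADDRESS>.
SAMPLE_RULES = """\
*nat
-A POSTROUTING -o eth0 -j SNAT --to-source 203.0.113.7
COMMIT
*filter
-A INPUT -s 203.0.113.7 -i lo -j ACCEPT
-A INPUT -d 203.0.113.7 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -s 203.0.113.7 -j ACCEPT
COMMIT
"""


def make_address_independent(rules: str, wan_ip: str) -> str:
    """Rewrite iptables-save style rules so they no longer name wan_ip."""
    ip = re.escape(wan_ip)
    # "-s <ip>" / "-d <ip>" (optionally written with /32), matched as whole tokens
    # so that 203.0.113.70 or 203.0.113.7/24 are not touched.
    addr_match = re.compile(
        rf"\s(?:-s|-d|--source|--destination)\s+{ip}(?:/32)?(?=\s|$)")
    snat = re.compile(rf"-j\s+SNAT\s+--to-source\s+{ip}(?=\s|$)")
    out = []
    for line in rules.splitlines():
        # Only touch rule lines. Negated matches ("! -s ip") are left alone:
        # deleting the address there would change what the rule means.
        if line.startswith("-A ") and " ! " not in line:
            line = snat.sub("-j MASQUERADE", line)
            line = addr_match.sub("", line)
        out.append(line)
    return "\n".join(out) + "\n"


def hardcoded_lines(rules: str, wan_ip: str) -> list:
    """Return the lines that still mention wan_ip, for review by hand."""
    pat = re.compile(rf"(?<![\d.]){re.escape(wan_ip)}(?![\d.])")
    return [line for line in rules.splitlines() if pat.search(line)]


if __name__ == "__main__":
    fixed = make_address_independent(SAMPLE_RULES, "203.0.113.7")
    print(fixed, end="")
    print("still hardcoded:", hardcoded_lines(fixed, "203.0.113.7"))
```

Run against a copy of the rules file rather than /etc/sysconfig/iptables itself, and review the rewritten rules before loading them: a rule that loses its only address match applies to all traffic on that chain.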