Hi, I think

-A INPUT -i eth1 -m state --state NEW -j ACCEPT
-A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT

greets Jo

> Thanks to Stephen earlier, I solved one problem, now I have
> another. The following rules work in that they block everything
> incoming to the server except for those services opened, and it
> allows traffic back and forth to and from the internal network.
> However, from the internal network, I can not get onto the server
> itself. What do I have to change or add to make folks on the
> private network (192.168.1.0/24) able to get onto the server itself?
>
> Basically I want only those 4 opened ports from the outside
> to reach the server, but anything from the internal network
> should be able to reach the server as well (and right now nothing
> does) and be able to go out to the net.
>
> Also, if anyone sees some blatant problem with these rules,
> please let me know since I'm still learning about iptables. My
> requirements are simple:
>
> From the outside:
> - Drop everything incoming to the server
>   except for ports 21, 22, 25 and 80.
>
> From the inside (private) network:
> - Forward traffic from the inside network to the outside world
> - Allow everything in and out of the server itself
>
> From the server itself:
> - Allow everything/anything to go out to the world.
>
> What'd I forget? Here is the current set of rules:
>
> # Generated by iptables-save v1.2.5 on Sat Jul 6 21:18:47 2002
> *nat
> :PREROUTING ACCEPT [148:20680]
> :POSTROUTING ACCEPT [10:774]
> :OUTPUT ACCEPT [10:774]
> -A POSTROUTING -s 192.168.1.0/255.255.255.0 -d ! 192.168.1.0/255.255.255.0 -j SNAT --to-source 12.253.88.33
> COMMIT
> # Completed on Sat Jul 6 21:18:47 2002
> # Generated by iptables-save v1.2.5 on Sat Jul 6 21:18:47 2002
> *filter
> :INPUT DROP [129:18877]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [10881:581839]
> -A INPUT -i lo -j ACCEPT
> -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -p tcp -m tcp ! --tcp-option 2 -j REJECT --reject-with tcp-reset
> -A INPUT -i eth0 -p tcp -m tcp --dport 21 -j ACCEPT
> -A INPUT -i eth0 -p udp -m udp --dport 21 -j ACCEPT
> -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
> -A INPUT -i eth0 -p udp -m udp --dport 22 -j ACCEPT
> -A INPUT -i eth0 -p tcp -m tcp --dport 25 -j ACCEPT
> -A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
> -A INPUT -i eth0 -p udp -m udp --dport 80 -j ACCEPT
> -A FORWARD -d 192.168.1.0/255.255.255.0 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -s 192.168.1.0/255.255.255.0 -j ACCEPT
> -A OUTPUT -o lo -j ACCEPT
> COMMIT
> # Completed on Sat Jul 6 21:18:47 2002
>
> --
> H | "Life is the art of drawing without an eraser." - John Gardner
> +--------------------------------------------------------------------
> Ashley M. Kirchner <mailto:[EMAIL PROTECTED]> . 303.442.6410 x130
> Director of Internet Operations / SysAdmin . 800.441.3873 x130
> Photo Craft Laboratories, Inc. . 3550 Arapahoe Ave, #6
> http://www.pcraft.com ..... . . . Boulder, CO 80303, U.S.A.
>
> _______________________________________________
> Redhat-list mailing list
> [EMAIL PROTECTED]
> https://listman.redhat.com/mailman/listinfo/redhat-list
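A complete ruleset that meets the requirements in the quoted message, added here as an example and not code from either poster. It assumes eth0 faces the Internet and eth1 the LAN, reuses the prefix and public address from the quoted rules, and additionally tightens FORWARD to a default DROP with explicit pass rules; it prints iptables-restore text so the result can be checked before anything is loaded.

```shell
#!/bin/sh
# Assumed layout (taken from the quoted message): eth0 faces the Internet,
# eth1 faces the LAN; the public address and LAN prefix are the poster's.
WAN_IF=eth0
LAN_IF=eth1
LAN_NET=192.168.1.0/24
PUBLIC_IP=12.253.88.33
OPEN_TCP="21 22 25 80"   # services published to the outside (TCP only)

# Print a complete ruleset in iptables-restore format; nothing is loaded here.
gen_rules() {
    printf '%s\n' '*nat' \
        ':PREROUTING ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]' \
        "-A POSTROUTING -o $WAN_IF -s $LAN_NET -j SNAT --to-source $PUBLIC_IP" \
        'COMMIT' '*filter' \
        ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT' \
        '-A INPUT -m state --state INVALID -j DROP' \
        "-A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT"
    for p in $OPEN_TCP; do
        printf -- '-A INPUT -i %s -p tcp --dport %s -m state --state NEW -j ACCEPT\n' "$WAN_IF" "$p"
    done
    printf '%s\n' \
        "-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT" \
        "-A FORWARD -i $WAN_IF -o $LAN_IF -m state --state RELATED,ESTABLISHED -j ACCEPT" \
        'COMMIT'
}

# Checks on the generated text before loading it; runs without root.
check_rules() {
    rules=$(gen_rules)
    # one COMMIT per table, otherwise iptables-restore rejects the file
    [ "$(printf '%s\n' "$rules" | grep -c '^COMMIT$')" -eq 2 ] || return 1
    # the LAN accept rule is what was missing from the quoted ruleset
    printf '%s\n' "$rules" | grep -q -- "^-A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT" || return 1
    # every published port gets a NEW-state accept on the WAN side only
    for p in $OPEN_TCP; do
        printf '%s\n' "$rules" | grep -q -- "-i $WAN_IF -p tcp --dport $p -m state --state NEW" || return 1
    done
    return 0
}

# Load as root once check_rules passes:  gen_rules | iptables-restore
```

The UDP accepts for ports 21, 22 and 80 from the quoted rules are dropped on purpose: those services speak TCP, and an accept with no matching listener only widens the reachable surface.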