This one time, at band camp, James Gregory wrote:
>On Sat, 2004-04-03 at 13:54, Amanda wrote:
>> > If I rewrite the above to this, I think it will do what I want.
>> > # route add -host 10.0.0.150 dev ppp0
>> > # iptables --insert PPPconn 1 --source 0.0.0.0/0.0.0.0 \
>> > --destination 10.0.0.150/32 --jump ACCEPT --out-interface ppp0
>> > # iptables --insert INPUT 1 --source 10.0.0.150/32 \
>> > --destination 0.0.0.0/0.0.0.0 --jump ACCEPT --in-interface ppp0
>> > # iptables --insert FORWARD 1 --source 0.0.0.0/0.0.0.0 \
>> > --destination 10.0.0.150/32 --jump ACCEPT --out-interface ppp0
>> > # iptables --insert FORWARD 1 --source 10.0.0.150/32 \
>> > --destination 0.0.0.0/0.0.0.0 --jump ACCEPT
>> > # iptables --table nat --append POSTROUTING --out-interface ppp0 \
>> > --jump MASQUERADE
>> > # iptables --append FORWARD --protocol tcp \
>> > --tcp-flags SYN,RST SYN --jump TCPMSS --clamp-mss-to-pmtu
>> >
>>
>> Well, I went ahead & did this, and it mostly works. I can ping 10.0.0.150, and
>> from my Windows machine on the local LAN, I can map a shared drive on 10.0.0.150.
>>
>> Can't get my browser to connect to the web-server on it though.
>>
>> Now, how do I make these firewall rules permanent.
>
>I'm no firewalling ninja, but on most systems you can do
>
> service iptables save
>
>and it will write a file in /etc/sysconfig that the iptables service
>will read on system startup. It will use the iptables-save command,
>which is worth looking at if your system doesn't provide the interface
>to it from the iptables service script.
And for the Debian weenies, it's /etc/init.d/iptables save active which will save the current set of rules as your 'active' ruleset; the one which gets loaded at boot. The 'inactive' ruleset gets loaded when the iptables script is stopped, i.e. /etc/init.d/iptables stop, so you can have a firewall that does something else when the machine shuts down. I dunno if this is actually useful :-)

[and there's /etc/init.d/iptables clear to flush all the rules, and drop to flush all the rules but drop all packets anyway]

-- 
[EMAIL PROTECTED] http://spacepants.org/jaq.gpg

-- 
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
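Added example, not from anyone in the thread: the iptables-save format that `service iptables save` (or `/etc/init.d/iptables save active` on Debian) persists for a ruleset like the one quoted above, plus a check that the saved file is complete before the boot script is trusted to load it. The rule dump and the file it is written to are constructed here; the FORWARD order reflects that the second `--insert FORWARD 1` lands in front of the first.

```shell
#!/bin/sh
# Constructed iptables-save style dump of the quoted rules (not real output
# from the poster's machine). Source 0.0.0.0/0 is omitted, as iptables-save does.
saved_rules() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:PPPconn - [0:0]
-A INPUT -s 10.0.0.150/32 -i ppp0 -j ACCEPT
-A FORWARD -s 10.0.0.150/32 -j ACCEPT
-A FORWARD -d 10.0.0.150/32 -o ppp0 -j ACCEPT
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A PPPconn -d 10.0.0.150/32 -o ppp0 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
EOF
}

# check_saved_rules FILE: returns 0 when every "*table" block is closed by
# COMMIT (a truncated save would be silently half-loaded at boot) and the
# ppp0 MASQUERADE rule the LAN depends on is present; returns 1 otherwise.
check_saved_rules() {
  f="$1"
  open=0
  masq=0
  while IFS= read -r line; do
    case "$line" in
      \**)    [ "$open" -eq 1 ] && return 1; open=1 ;;
      COMMIT) [ "$open" -eq 0 ] && return 1; open=0 ;;
      *"-o ppp0 -j MASQUERADE"*) masq=1 ;;
    esac
  done < "$f"
  [ "$open" -eq 0 ] && [ "$masq" -eq 1 ]
}
```

Run `saved_rules > /path/to/saved-file` and `check_saved_rules /path/to/saved-file` against the file the init script will restore; a non-zero exit means the file should not be trusted at boot.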
