On Tue, 2002-09-17 at 12:34, Corey Mutter wrote:
> This is rather long, but will get you the relevant parts of the
> iptables script my firewall uses. I'll also throw in some
> explication in bracketed comments. I don't know about the RedHat init
> scripts' use of iptables... this machine is really bare-bones, and so
> it just runs this script. It has a NATed subnet behind it, but I will
> leave all that stuff out...

Hey cool! Thanks very much for all the explanations. I have three
questions, though.

You have this rule on the nonew chain:

> # New connections are okay on eth1 only
> iptables -A nonew -m state --state NEW -i eth1 -j RETURN

And then have this on the INPUT chain:

> # Anything on eth1 OK
> iptables -A INPUT -i eth1 -j ACCEPT

Are these redundant? I think I would prefer the second one so as to keep
the nonew chain clean and to just make it very explicit that eth1 is a
trusted network.

> # Allow SSH to this box from $company NAT address
> iptables -A INPUT -i eth0 -s [IP address elided] -p tcp --dport 22 -j ACCEPT

Second question. I assume I can just remove the -s [ip address] from the
ssh rule and allow ssh connections from anywhere?

> # [These next rules are not in my script, but you will need them]
> # [One for each allowed server, as many as you like]
> iptables -A INPUT -i eth0 -p tcp --dport [insert port here] -j ACCEPT
> iptables -A INPUT -i eth0 -p udp --dport [insert port here] -j ACCEPT
> # [End of custom rules for TriLUG]

And, finally, is there anything else I need to do to support an ftp
server setup? I seem to remember seeing a special module for that (and
for irc too). Can you talk a bit about those modules?

Thanks much!

Tanner
-- 
Tanner Lovelace | [EMAIL PROTECTED] | http://wtl.wayfarer.org/
--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--
GPG Fingerprint = A66C 8660 924F 5F8C 71DA BDD0 CE09 4F8E DE76 39D4
GPG Key can be found at http://wtl.wayfarer.org/lovelace.gpg.asc
--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--
Si hoc legere scis, nimium eruditionis habes. (If you can read this, you have too much learning.)
_______________________________________________
TriLUG mailing list http://www.trilug.org/mailman/listinfo/trilug
TriLUG Organizational FAQ: http://www.trilug.org/~lovelace/faq/TriLUG-faq.html
