On 17 Sep 2002, Tanner Lovelace wrote:

>Hey cool! Thanks very much for all the explanations.
>I have three questions, though.
>
>You have this rule on the nonew chain:
>
>> # New connections are okay on eth1 only
>> iptables -A nonew -m state --state NEW -i eth1 -j RETURN
>
>And then have this on the INPUT chain:
>
>> # Anything on eth1 OK
>> iptables -A INPUT -i eth1 -j ACCEPT
>
>Are these redundant? I think I would prefer the second
>one so as to keep the nonew chain clean and to just
>make it very explicit that eth1 is a trusted network.
The ordering does appear to make the rules redundant.

>> # Allow SSH to this box from $company NAT address
>> iptables -A INPUT -i eth0 -s [IP address elided] -p tcp --dport 22 -j ACCEPT
>
>Second question. I assume I can just remove the -s [ip address]
>from the ssh and allow ssh connections from anywhere?

Yes, that should work.

>> # [These next rules are not in my script, but you will need them]
>> # [One for each allowed server, as many as you like]
>> iptables -A INPUT -i eth0 -p tcp --dport [insert port here] -j ACCEPT
>> iptables -A INPUT -i eth0 -p udp --dport [insert port here] -j ACCEPT
>> # [End of custom rules for TriLUG]
>
>And, finally, is there anything else I need to do to support
>an ftp server setup? I seem to remember seeing a special module
>for that (and for irc too). Can you talk a bit about those modules?

The modules I think you are referring to are ip_conntrack and ip_conntrack_ftp. I don't know of one for IRC. They are connection tracking gizmos. Someone else can write about that since I think I don't have a complete understanding.

-- 
Jeff Jackowski
http://ro.com/~jeffj/

_______________________________________________
TriLUG mailing list
http://www.trilug.org/mailman/listinfo/trilug
TriLUG Organizational FAQ: http://www.trilug.org/~lovelace/faq/TriLUG-faq.html
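Added example, not part of the thread: a small Python first-match simulator for the INPUT and nonew chains discussed above, showing why the eth1 RETURN rule in nonew never fires once INPUT accepts eth1 traffic first. The INPUT ordering, the jump to nonew, nonew's closing DROP and the sample packets are assumptions constructed here; the thread shows only the individual rules.

```python
# Added example (not from the thread). Models iptables chain traversal:
# first matching rule decides, -j <user chain> descends, RETURN (or the
# end of a user chain) comes back to the caller. Chain contents beyond the
# rules quoted in the thread are assumptions.

def evaluate(chains, name, pkt, policy="DROP"):
    """Return the verdict for pkt starting in chain `name`, or None when a
    user chain falls through / RETURNs to its caller."""
    for match, target in chains[name]:
        if any(pkt.get(k) != v for k, v in match.items()):
            continue                          # rule does not match this packet
        if target == "RETURN":
            return None                       # back to the calling chain
        if target in chains:                  # jump into a user-defined chain
            verdict = evaluate(chains, target, pkt, policy)
            if verdict is not None:
                return verdict
            continue                          # user chain RETURNed: keep walking
        return target                         # terminating target: ACCEPT / DROP
    return policy if name == "INPUT" else None  # built-in chain: policy applies

def build_chains(with_nonew_eth1_rule):
    nonew = []
    if with_nonew_eth1_rule:
        # iptables -A nonew -m state --state NEW -i eth1 -j RETURN
        nonew.append(({"state": "NEW", "in": "eth1"}, "RETURN"))
    nonew.append(({"state": "NEW"}, "DROP"))            # assumed: drop other NEW
    inp = [
        ({"in": "eth1"}, "ACCEPT"),                          # -i eth1 -j ACCEPT
        ({"in": "eth0", "proto": "tcp", "dport": 22}, "ACCEPT"),  # ssh, no -s
        ({}, "nonew"),                                       # assumed: -j nonew
        ({"state": "ESTABLISHED"}, "ACCEPT"),                # assumed: replies ok
    ]
    return {"INPUT": inp, "nonew": nonew}

SAMPLE_PACKETS = [  # constructed packets, not captured traffic
    {"in": "eth1", "state": "NEW", "proto": "tcp", "dport": 80},
    {"in": "eth0", "state": "NEW", "proto": "tcp", "dport": 22},
    {"in": "eth0", "state": "NEW", "proto": "tcp", "dport": 80},
    {"in": "eth0", "state": "ESTABLISHED", "proto": "tcp", "dport": 34567},
]

def verdicts(with_nonew_eth1_rule):
    chains = build_chains(with_nonew_eth1_rule)
    return [evaluate(chains, "INPUT", p) for p in SAMPLE_PACKETS]

def nonew_eth1_rule_is_redundant():
    """True when removing the eth1 RETURN rule from nonew changes no verdict:
    eth1 packets are already ACCEPTed by INPUT before nonew is ever reached."""
    return verdicts(True) == verdicts(False)
```

Run on its own, the eth1 RETURN rule still works when nonew is entered directly, which is why it looks reasonable in isolation; the INPUT ordering is what makes it unreachable.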
