I've got two computers: mine, working with LFS 6.0 (well, almost, it's an SVN version, but very close to 6.0, and it doesn't matter here) and BLFS 6.0, and my wife's, working with Window$ 98.

My computer, detritus, operates an Alcatel Speedtouch DSL modem, and is 192.168.0.1. My wife's computer, arthur, is connected to it with an ethernet link, and is 192.168.0.2. detritus does NAT for arthur through the ethernet link, and detritus shares a samba partition with arthur, because arthur manages a f...ing winprinter.

This is my iptables script:

#!/bin/sh
# Begin /etc/firewall/firewall.start

# allow local-only connections
iptables -A INPUT -i lo -j ACCEPT

# free output on any interface to any ip for any service (equal to -P ACCEPT)
iptables -A OUTPUT -j ACCEPT

# allow forwarding
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW -i ! ppp+ -j ACCEPT

# do masquerading (not needed if intranet is not using private
# ip-addresses)
iptables -t nat -A POSTROUTING -o ppp+ -j MASQUERADE

# Modifications, with help from F. Boisson, thanks Francois
# accept established connections
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# accept pings
# iptables -A INPUT -p icmp -s 0/0 --icmp-type echo-request -j ACCEPT
# iptables -P INPUT DROP
# iptables -P FORWARD DROP
# iptables -P OUTPUT DROP
# End of modifications

# Tries for Samba and MlDonkey
# iptables -A FORWARD -i eth0 -j ACCEPT
# iptables -A FORWARD -o eth0 -j ACCEPT
# iptables -A FORWARD -m state --state NEW -p tcp -i eth0 --sport 137:139 -j ACCEPT
# iptables -A FORWARD -m state --state NEW -p udp -i eth0 --sport 137:139 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 -s 192.168.0.2 --dport 139 -j ACCEPT
iptables -A INPUT -p udp --dport 4662 -j ACCEPT
iptables -A INPUT -p tcp --dport 4662 -j ACCEPT
iptables -A OUTPUT -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
# iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A FORWARD -m state --state NEW,INVALID -i eth0 -j DROP

# permit answers on already established connections
# and permit new connections related to established ones (eg active-ftp)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Log everything else: What's Windows' latest exploitable vulnerability?
# iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "

# set a sane policy: everything not accepted > /dev/null
iptables -P INPUT DROP
iptables -P FORWARD DROP
# iptables -P OUTPUT DROP

# be verbose on dynamic ip-addresses (not needed in case of static IP)
echo 2 > /proc/sys/net/ipv4/ip_dynaddr

# disable ExplicitCongestionNotification - too many routers are still ignorant
echo 0 > /proc/sys/net/ipv4/tcp_ecn

# activate TCPsyncookies
#echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# activate Route-Verification = IP-Spoofing_protection
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > $f
done

# activate IP-Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# End /etc/firewall/firewall.start

As you can see, there are a few changes from the BLFS book script. It does not work, in this precise way: when arthur goes up, it can't connect to detritus through Samba. I have to stop the firewall on detritus, then I can connect, and after I start the firewall again, everything goes well.

Can you help me? I've been working on this for a long time now :-(

\bye

-- 
Nicolas FRANCOIS
http://nicolas.francois.free.fr

We are the Micro$oft. Resistance is futile. You will be assimilated.

-- 
http://linuxfromscratch.org/mailman/listinfo/blfs-support
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
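A small check for the rule set in the post above (an added example, not part of the original message): it reads the INPUT rules, copied here as a constructed excerpt of the script, and reports which of the three NetBIOS-over-TCP/IP ports a NEW packet from arthur on eth0 is allowed to open. The parser is deliberately minimal and only models the -i, -s, -p, --dport and --state options.

```python
# Constructed excerpt: the INPUT rules from the firewall script in the post above.
RULES = """
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp -i eth0 -s 192.168.0.2 --dport 139 -j ACCEPT
iptables -A INPUT -p udp --dport 4662 -j ACCEPT
iptables -A INPUT -p tcp --dport 4662 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -P INPUT DROP
"""
# Ports a NetBIOS-over-TCP/IP client such as Windows 9x needs on the server:
# udp/137 name service (also sent as broadcast), udp/138 datagram, tcp/139 session.
NETBIOS = {("udp", 137), ("udp", 138), ("tcp", 139)}

def parse_rule(line):
    """Return the options of one 'iptables -A INPUT ...' line as a dict, else None."""
    argv = line.split()
    if argv[:3] != ["iptables", "-A", "INPUT"]:
        return None
    opts, i = {}, 3
    while i < len(argv):
        if argv[i] in ("-j", "-p", "-i", "-s", "-m", "--dport", "--state"):
            opts[argv[i]] = argv[i + 1]
            i += 2
        else:
            i += 1  # anything else (e.g. "!") is not modelled by this check
    return opts

def port_range(spec):
    # expand an iptables port spec such as "139" or "137:139"
    lo, _, hi = spec.partition(":")
    return range(int(lo), int(hi or lo) + 1)

def accepted_new_ports(rules, lan_if, lan_host):
    """(proto, port) pairs a NEW packet from lan_host arriving on lan_if may open."""
    allowed = set()
    for line in rules.strip().splitlines():
        r = parse_rule(line)
        if not r or r.get("-j") != "ACCEPT" or "--dport" not in r:
            continue
        if r.get("-i", lan_if) != lan_if or r.get("-s", lan_host) != lan_host:
            continue  # rule is bound to another interface or source host
        if "NEW" not in r.get("--state", "NEW"):
            continue  # rule only matches already tracked connections
        allowed.update((r["-p"], p) for p in port_range(r["--dport"]))
    return allowed

def missing_netbios_ports(rules, lan_if="eth0", lan_host="192.168.0.2"):
    return sorted(NETBIOS - accepted_new_ports(rules, lan_if, lan_host))
```

A Windows 9x client resolves the server's NetBIOS name and browses the network over udp/137 and udp/138 before it opens the tcp/139 session, which is why the check looks at all three ports rather than only the one the script opens.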