/usr/sbin/iptables -A INPUT -i eth0 -s $LOOPNET -j logdrop
/usr/sbin/iptables -A INPUT -i eth0 -d $LOOPNET -j logdrop
127.0.0.0/8 is not on eth0. It is on lo. These two lines do nothing.
Righto, good catch. Either way, he's got a lot of useless rules in here.
echo "Redirect Web traffic through Dan's Guardian"
/usr/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 81 -j REDIRECT --to-port 8080
iptables -t nat -A PREROUTING -p tcp -s $intnet -d $intip --dport 81 -j REDIRECT --to-port 8080
You have your proxy set to anything coming in on eth0. Instead match by ip address above.
He's matching anything from the internal network to port 81 on the local machine. He's then bouncing it over to the proxy port.
I would leave out the '-s $intnet' section, since anything you don't want in is already getting dropped by the sort rule I listed in my earlier message. There's no point in matching again here.
Stateful filtering is wonderful, but I'm not sure what all he wants. With the rules I gave, his box will /NEVER/ talk to anyone that's not on the approved host list. If that's not desired, it would definitely be a good idea to set up some state matching rules to allow sessions established by the server back in. A rule like the following would do that:
#this goes right above the '-j log-' entry.
#it allows any traffic initiated by the server back in
#you probably want this if the server needs to talk to the internet.
iptables -A sort -m state --state ESTABLISHED,RELATED -j ACCEPT
-Brad
(PS - please forgive me if a dupe of this message is ever posted to the list. I accidentally sent the original message from the wrong alias...)
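The ordering point above (the ESTABLISHED,RELATED accept has to sit before the chain falls through to logdrop, or it never matches) is easy to get wrong when editing a script by hand. The following is an added example, not from the thread: a small POSIX sh check that reads `iptables-save` style text and reports whether the state rule precedes the logdrop rule in a given chain. The chain name `sort`, the `logdrop` target and both sample rulesets are constructed to mirror the thread; the old `-m state` match syntax is assumed, as in the message.

```shell
#!/bin/sh
# Added example: verify rule ordering in an iptables-save dump.
# Usage: state_before_logdrop "$ruleset_text" CHAIN
# exit 0 = state accept precedes logdrop, 1 = wrong order, 2 = a rule is missing.

# 1-based position of the first rule in chain $2 matching pattern $3,
# counted only over that chain's rules in ruleset $1; empty if none.
rule_pos() {
    printf '%s\n' "$1" | grep -e "^-A $2 " | grep -n -e "$3" | head -n 1 | cut -d: -f1
}

state_before_logdrop() {
    accept=$(rule_pos "$1" "$2" 'state ESTABLISHED,RELATED -j ACCEPT')
    drop=$(rule_pos "$1" "$2" '-j logdrop$')
    [ -n "$accept" ] && [ -n "$drop" ] || return 2
    [ "$accept" -lt "$drop" ]   # status 0 only if the accept comes first
}

# Constructed sample: state rule placed above the logdrop fall-through (correct).
GOOD_RULES='*filter
:INPUT DROP [0:0]
:sort - [0:0]
:logdrop - [0:0]
-A INPUT -i eth0 -j sort
-A sort -s 192.168.1.0/24 -j ACCEPT
-A sort -m state --state ESTABLISHED,RELATED -j ACCEPT
-A sort -j logdrop
-A logdrop -j LOG --log-prefix "dropped: "
-A logdrop -j DROP
COMMIT'

# Constructed sample: same rules, but the state rule is appended after logdrop,
# so every packet is dropped before it can ever be evaluated.
BAD_RULES='*filter
:INPUT DROP [0:0]
:sort - [0:0]
:logdrop - [0:0]
-A INPUT -i eth0 -j sort
-A sort -s 192.168.1.0/24 -j ACCEPT
-A sort -j logdrop
-A sort -m state --state ESTABLISHED,RELATED -j ACCEPT
-A logdrop -j DROP
COMMIT'

for name in GOOD_RULES BAD_RULES; do
    eval "rules=\$$name"
    if state_before_logdrop "$rules" sort; then echo "$name: order OK"
    else echo "$name: state rule missing or unreachable (rc=$?)"; fi
done
```

On a live box the same check runs as `state_before_logdrop "$(iptables-save)" sort`.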
_______________________________________________ EuG-LUG mailing list [EMAIL PROTECTED] http://mailman.efn.org/cgi-bin/listinfo/eug-lug
