On Friday 29 August 2003 19:21, Andrew Gaffney wrote:
> Andrew Gaffney wrote:
> > iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
> > iptables -A INPUT -p tcp --dport 22 -j ACCEPT
> > iptables -A INPUT -p tcp --dport 25 -j ACCEPT
> > iptables -A INPUT -p tcp --dport 80 -j ACCEPT
> > iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> > iptables -P INPUT DROP
> >
> > Correct?
>
> Something I forgot to mention is that there is a 2nd interface: ppp0. I
> have a ppp dial-in server set up for my use. I have a few iptables rules
> set up to NAT stuff from ppp0 out through eth0. Will the above rules
> interfere with that?
Not really, but do you want to block local machines? If you only want to block
outside connections, then you can use something like the following.
Rudmer
---
# allow forwarding: replies to existing flows, and new connections that do
# not arrive on ppp0 (the internet link in this template)
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW ! -i ppp0 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW ! -i ppp0 -j ACCEPT
# masquerade local -> internet connections
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
# maximize ssh response (Minimize-Delay TOS on packets coming from port 22)
iptables -t mangle -A PREROUTING -p tcp --sport ssh -j TOS --set-tos Minimize-Delay
# accept ssh, web and mail connections from anywhere, including ppp0
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
iptables -A INPUT -p tcp --dport http -j ACCEPT
iptables -A INPUT -p tcp --dport smtp -j ACCEPT
# set policy for chains: anything not accepted above is dropped
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
# enable forwarding of packets between interfaces
echo 1 > /proc/sys/net/ipv4/ip_forward
# disable Explicit Congestion Notification
echo 0 > /proc/sys/net/ipv4/tcp_ecn
--
[EMAIL PROTECTED] mailing list
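Rudmer's template treats ppp0 as the internet link, while in Andrew's setup ppp0 is the dial-in side and eth0 is the side the dial-in clients are masqueraded out through. The script below is an added example, not code from either poster, that restates the same stateful default-deny design for Andrew's interface layout. It assumes only what the thread names: eth0, ppp0 and the LAN 192.168.254.0/24; the IPT variable is a dry-run switch of this example (by default the commands are printed, with IPT=iptables they are applied). It also adds the loopback rule that Andrew's draft lacks: 127.0.0.1 matches neither his LAN source rule nor the service ports, so with a DROP policy new local connections to other ports would be dropped.

```shell
#!/bin/sh
# Added example (not from the thread): stateful ruleset for a box with
# eth0 as the uplink/LAN side and ppp0 as a dial-in link whose clients are
# NATed out through eth0.
# Assumed from the thread: eth0, ppp0, LAN 192.168.254.0/24.
# IPT is this example's dry-run knob: "echo iptables" prints the commands,
# IPT=iptables (as root) applies them.

UPLINK=${UPLINK:-eth0}
DIALIN=${DIALIN:-ppp0}
LAN=${LAN:-192.168.254.0/24}
IPT=${IPT:-echo iptables}

# Start from empty chains so re-running the script does not duplicate rules.
flush_rules() {
    $IPT -F
    $IPT -t nat -F
    $IPT -t mangle -F
}

# Print (or apply) the complete ruleset: default deny for INPUT and FORWARD.
apply_rules() {
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback needs an explicit accept under a DROP policy.
    $IPT -A INPUT -i lo -j ACCEPT

    # Replies to flows opened by this host or its clients; first for speed.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP

    # Trusted sides: the LAN by source address (as in Andrew's draft) and
    # the dial-in link by interface, so it cannot be impersonated from eth0.
    $IPT -A INPUT -s "$LAN" -j ACCEPT
    $IPT -A INPUT -i "$DIALIN" -m state --state NEW -j ACCEPT

    # Public services reachable on the uplink side.
    for port in 22 25 80; do
        $IPT -A INPUT -i "$UPLINK" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done

    # Dial-in clients may open connections towards eth0 and are masqueraded
    # behind its address; nothing is forwarded in the other direction.
    $IPT -A FORWARD -i "$DIALIN" -o "$UPLINK" -m state --state NEW -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$UPLINK" -j MASQUERADE
}

# Forwarding is off by default in the kernel and must be switched on.
enable_forwarding() {
    if [ "$IPT" = iptables ]; then
        echo 1 > /proc/sys/net/ipv4/ip_forward
    else
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    fi
}

flush_rules
apply_rules
enable_forwarding
```

Run it once as a dry run, read the printed rules, then re-run with IPT=iptables; the forward rule is bound to both interfaces on purpose, so a connection arriving on eth0 can never be forwarded back out through eth0 or into the dial-in link.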