Rudmer van Dijk wrote:
On Friday 29 August 2003 19:21, Andrew Gaffney wrote:

Andrew Gaffney wrote:

iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -P INPUT DROP

Correct?

Something I forgot to mention is that there is a 2nd interface: ppp0. I have a ppp dial-in server set up for my use. I have a few iptables rules set up to NAT stuff from ppp0 out through eth0. Will the above rules interfere with that?


Not really, but do you want to block local machines? If you only want to block outside connections then you can use something like the following.

Rudmer

---

# allow forwarding
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW -i ! ppp0 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW -i ! ppp0 -j ACCEPT
# masquerade local -> internet connections
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
# maximize ssh response
iptables -t mangle -A PREROUTING -p tcp --sport ssh -j TOS --set-tos Minimize-Delay


# accept ssh, web and mail connections
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
iptables -A INPUT -p tcp --dport http -j ACCEPT
iptables -A INPUT -p tcp --dport smtp -j ACCEPT
# set policy for chains
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
# enable and masquerade forwarded packets
echo 1 > /proc/sys/net/ipv4/ip_forward
# disable ExplicitCongestionNotification
echo 0 > /proc/sys/net/ipv4/tcp_ecn

You misunderstand. With your example, I believe you have ppp0 as the external connection and eth0 acting as the internal connection to the LAN. ppp0 is not the internet connection. eth0 is connected to a router that is connected to a T1. I want to allow all traffic to and from ppp0 and masquerade anything from ppp0 out to the LAN/internet through eth0. I want any incoming connections into eth0 with a source address of 192.168.254.0/24 to be allowed through. Any other incoming connections into eth0 (from the internet) I want to be blocked unless they are for port 22, 25, or 80.



-- Andrew Gaffney
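A ruleset for the topology Andrew describes (eth0 toward the router, ppp0 as the trusted dial-in link, 192.168.254.0/24 as the LAN), as an added example that is not from the thread; the `run` wrapper, the `DRY_RUN` switch and `count_port_rules` are assumptions added so the generated rules can be inspected without root.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed layout, per Andrew's message:
# eth0 faces the router/internet, ppp0 is the dial-in link, LAN is 192.168.254.0/24.
# Invoke as "script apply" (root) or "script dry-run" to print the commands.
LAN_IF=eth0
DIALIN_IF=ppp0
TRUSTED_NET=192.168.254.0/24
IPT=${IPT:-iptables}

run() {
    # DRY_RUN=1 prints each iptables command instead of executing it
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

build_rules() {
    # Open the policy before flushing so a re-run never locks out the admin session
    run "$IPT" -P INPUT ACCEPT
    run "$IPT" -F INPUT
    run "$IPT" -F FORWARD
    run "$IPT" -t nat -F POSTROUTING
    # Loopback and replies to already-established flows are always allowed
    run "$IPT" -A INPUT -i lo -j ACCEPT
    run "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Everything arriving over the dial-in link is trusted
    run "$IPT" -A INPUT -i "$DIALIN_IF" -j ACCEPT
    # Trusted LAN hosts; matching on -i eth0 as well as -s keeps a packet with a
    # spoofed 192.168.254.x source arriving on another interface from matching
    run "$IPT" -A INPUT -i "$LAN_IF" -s "$TRUSTED_NET" -j ACCEPT
    # Public services reachable from the internet side (ssh, smtp, http)
    for port in 22 25 80; do
        run "$IPT" -A INPUT -i "$LAN_IF" -p tcp --dport "$port" -j ACCEPT
    done
    # Forwarding: dial-in clients out through eth0, replies back in, masqueraded
    run "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run "$IPT" -A FORWARD -i "$DIALIN_IF" -o "$LAN_IF" -j ACCEPT
    run "$IPT" -t nat -A POSTROUTING -o "$LAN_IF" -j MASQUERADE
    # Default-deny for INPUT and FORWARD; OUTPUT stays open
    run "$IPT" -P INPUT DROP
    run "$IPT" -P FORWARD DROP
    run "$IPT" -P OUTPUT ACCEPT
}

# Number of generated rules that open TCP port $1 on the eth0 side (for checking)
count_port_rules() {
    ( DRY_RUN=1; build_rules ) | grep -c -- "-i $LAN_IF -p tcp --dport $1 -j ACCEPT"
}

case "${1:-}" in
    apply)   build_rules ;;
    dry-run) DRY_RUN=1; build_rules ;;
esac
```

Enable forwarding separately with `echo 1 > /proc/sys/net/ipv4/ip_forward`, as in Rudmer's script.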


-- [EMAIL PROTECTED] mailing list



Reply via email to