On Thursday 16 November 2006 15:19, Nangus Garba wrote:
> # I think that a set of rules that looks something like this would be
> easier to maintain
> # there are 500 little tricks that I could add if I was home and had my
> notes
Hey! Thanks for your help - please send some more when you get home. :)
> iptables -P INPUT DROP
> iptables -A INPUT -i lo -j ACCEPT
The "! $iface" is meant to catch incoming packets on an external iface which
have their IP address spoofed to 127.0.0.1 type of thing. Will "lo" achieve
the same thing?
> #this will take care of all interfaces by default
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # maybe you should just use one interface for portage to connect through
> such as eth0
Good point.
> # might also be a good plan to use the mac address instead of the ip it is
> a little harder to spoof
Could I use both in a single rule?
> #Allow rsync connections from study1 to update portage
> iptables -A INPUT -i eth0 -p tcp -s 192.168.0.2 -m tcp --dport 873 -d
> 192.168.0.5 -j ACCEPT
> #Allow tcp connections from study1 to download distfiles
> iptables -A INPUT -i eth0 -p tcp -s 192.168.0.2 -m tcp --dport 1024 -d
> 192.168.0.5 -j ACCEPT
> # these rules are kinda taken care of by: iptables -P INPUT DROP
Yes, in their current format they are, but I had previously set them up to
REJECT with different messages.
> # iptables -A INPUT -p tcp -i ${x} -j DROP
> # iptables -A INPUT -p udp -i ${x} -j DROP
Keep 'em coming! :)
--
Regards,
Mick
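Added example, not from the thread or either poster: one way to write the three points discussed above (catching 127/8 source addresses on any interface other than lo, matching source IP and source MAC in a single rule, and explicit REJECTs with distinct messages) as a dry-run script. eth0, 192.168.0.2 and 192.168.0.5 are taken from the thread; the MAC address is a placeholder, and the `-m mac` match needs the corresponding kernel/iptables module.

```sh
#!/bin/sh
# Added example (not from the original thread). Dry run by default: it prints the
# commands it would run. Set IPT=iptables to apply them for real (needs root).
IPT="${IPT:-echo iptables}"
EXT_IFACE="${EXT_IFACE:-eth0}"          # interface portage connects through
STUDY1_IP="192.168.0.2"                 # study1, from the thread
STUDY1_MAC="${STUDY1_MAC:-00:11:22:33:44:55}"   # placeholder, use the real MAC
HOST_IP="192.168.0.5"                   # this host, from the thread

build_rules() {
    $IPT -P INPUT DROP
    # Loopback traffic is accepted only when it actually arrives on lo ...
    $IPT -A INPUT -i lo -j ACCEPT
    # ... so a 127/8 source seen on any other interface is spoofed. Dropping it
    # here, before the state rule, means it can never ride an existing conntrack
    # entry to ACCEPT; "-i lo -j ACCEPT" on its own does not express this.
    $IPT -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Source IP and source MAC in one rule: both must match. The MAC is only
    # meaningful on the directly attached segment; a router rewrites it.
    $IPT -A INPUT -i "$EXT_IFACE" -p tcp -s "$STUDY1_IP" \
        -m mac --mac-source "$STUDY1_MAC" -m tcp --dport 873 -d "$HOST_IP" -j ACCEPT
    # Explicit REJECTs with different replies per protocol, instead of relying on
    # the DROP policy; they sit after the ACCEPTs so only unwanted traffic reaches them.
    $IPT -A INPUT -i "$EXT_IFACE" -p tcp -j REJECT --reject-with tcp-reset
    $IPT -A INPUT -i "$EXT_IFACE" -p udp -j REJECT --reject-with icmp-port-unreachable
}

build_rules
```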