On Monday, February 17, 2003, at 02:43 AM, Budi Febrianto wrote:

> I just created a firewall using iptables.
> If you have the time, please check if it is secure enough or not.

You've got a few weirdnesses in there...

You set up your OUTPUT chain to have a default policy of ACCEPT on line 24, but then specify it again on lines 40 and 43. No need for those.

Also, you realize that your lo interface and 127.0.0.1 are the same thing, right?

So, all you really have to do is say that input to localhost is ACCEPTed, like you do on line 39. With that, you can get rid of lines 40, 41, 42, 43, 44, 45, 46, 49, 50, 57, 58, 65, 66, 67, 68.

Also, why are you making rules to allow external hosts to talk to the INTERNAL i/f of your firewall? Nix lines 69, 70, 71, 72.

Typo in the IP address on line 76.

Also, you realize you're not giving your users Internet access, right? Well, the "power users", and the "servers", but nothing else, right?

How about something simpler, like, say:

# Assumes the variables already defined in your script: IPT, EXTDEV,
# SERVERS and POWERUSERS (files with one address per line), INTLAN, DMZLAN.
# Falls back to the usual binary location if IPT was not set.
IPT=${IPT:-/sbin/iptables}

# Start clean. "-F" with no chain named flushes every chain in the table,
# so per-chain flushes are not needed; "-X" removes user-defined chains.
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F
$IPT -X

# Flushing does not reset the default policies, so set them explicitly:
# nothing gets in or through unless a rule below says so.
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT

# Stateful shortcut first: replies to anything already allowed get through.
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Loopback; this covers 127.0.0.1 as well.
$IPT -A INPUT -i lo -j ACCEPT

# Services on the firewall itself. SSH and ping are accepted on every
# interface, the external one included; add "-i" to narrow that.
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
$IPT -A INPUT -p icmp -m state --state NEW -j ACCEPT
# DNS to this box only from the two named hosts, over TCP and UDP.
$IPT -A INPUT -i $EXTDEV -s 152.158.247.43 -p tcp --dport 53 -m state --state NEW -j ACCEPT
$IPT -A INPUT -i $EXTDEV -s 152.158.247.43 -p udp --dport 53 -m state --state NEW -j ACCEPT
$IPT -A INPUT -i $EXTDEV -s 152.158.247.44 -p tcp --dport 53 -m state --state NEW -j ACCEPT
$IPT -A INPUT -i $EXTDEV -s 152.158.247.44 -p udp --dport 53 -m state --state NEW -j ACCEPT

# Servers and power users may start connections through the firewall and
# are source-NATed to the public address on the way out.
for SERVER in $(cat "$SERVERS")
do
    $IPT -A FORWARD -s $SERVER -j ACCEPT
    $IPT -t nat -A POSTROUTING -o $EXTDEV -s $SERVER -j SNAT --to-source 202.135.248.8
done

for POWERUSER in $(cat "$POWERUSERS")
do
    $IPT -A FORWARD -s $POWERUSER -j ACCEPT
    $IPT -t nat -A POSTROUTING -o $EXTDEV -s $POWERUSER -j SNAT --to-source 202.135.248.8
done

# Everyone on the internal LAN may open connections into the DMZ.
$IPT -A FORWARD -m state --state NEW -s $INTLAN -d $DMZLAN -j ACCEPT


--
Jason Costomiris <><
E: jcostom {at} jasons {dot} org / W: http://www.jasons.org/
Quidquid latine dictum sit, altum viditur.



--
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]?subject=unsubscribe
https://listman.redhat.com/mailman/listinfo/redhat-list
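The ruleset sketched in the reply above, reworked as an added example that is not Jason's or Budi's script: it renders the policy as one iptables-restore document (loaded atomically with `iptables-restore`, and reviewable as text before loading) instead of a series of `$IPT -A` calls. It departs from the snippet in three deliberate ways: the default policies are set explicitly (INPUT and FORWARD DROP, OUTPUT ACCEPT), SSH is accepted only on interfaces other than the external one, and listed hosts may open new connections only toward the outside, with the LAN-to-DMZ rule handled separately. The interface name `eth0`, the LAN ranges and the sample host lists are assumptions for the demo; the public address and the two DNS peers are the ones from the thread. `render_rules` takes the contents of the `$SERVERS` and `$POWERUSERS` files as arguments, and `has_rule` is a small helper for checking the rendered policy.

```shell
#!/bin/sh
# Added example (not Jason's or Budi's script): render the firewall policy as
# an iptables-restore document. Values marked "assumed" are placeholders.

EXTDEV=eth0                    # assumed external interface
INTLAN=192.168.1.0/24          # assumed internal LAN
DMZLAN=192.168.2.0/24          # assumed DMZ
SNAT_IP=202.135.248.8          # public address used for SNAT in the thread
DNS_PEERS="152.158.247.43 152.158.247.44"   # hosts allowed to hit port 53 (from the thread)

# render_rules SERVERS POWERUSERS
# Both arguments are whitespace-separated host lists (the contents of the
# $SERVERS and $POWERUSERS files). The document is written to stdout.
render_rules() {
    servers=$1
    powerusers=$2

    echo '*filter'
    # Default policies: nothing in or through unless a rule says so.
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # Stateful shortcut: replies to anything already allowed get through.
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    echo '-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -i lo -j ACCEPT'
    # Management: SSH only on interfaces other than the external one.
    echo "-A INPUT ! -i $EXTDEV -p tcp --dport 22 -m state --state NEW -j ACCEPT"
    echo '-A INPUT -p icmp -m state --state NEW -j ACCEPT'
    # DNS to this box only from the named peers, over both transports.
    for peer in $DNS_PEERS; do
        for proto in tcp udp; do
            echo "-A INPUT -i $EXTDEV -s $peer -p $proto --dport 53 -m state --state NEW -j ACCEPT"
        done
    done
    # Only listed hosts may open new connections toward the outside.
    for host in $servers $powerusers; do
        echo "-A FORWARD -s $host -o $EXTDEV -m state --state NEW -j ACCEPT"
    done
    # Everyone on the internal LAN may open connections into the DMZ.
    echo "-A FORWARD -s $INTLAN -d $DMZLAN -m state --state NEW -j ACCEPT"
    echo 'COMMIT'

    echo '*nat'
    echo ':PREROUTING ACCEPT [0:0]'
    echo ':POSTROUTING ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # Source-NAT the same hosts to the public address on the way out.
    for host in $servers $powerusers; do
        echo "-A POSTROUTING -o $EXTDEV -s $host -j SNAT --to-source $SNAT_IP"
    done
    echo 'COMMIT'
}

# has_rule RULESET PATTERN: succeeds when PATTERN (a grep -E regex) matches
# one rendered line. Useful for checking policy before loading it.
has_rule() {
    printf '%s\n' "$1" | grep -Eq -- "$2"
}

# Demo with constructed sample lists. For the real files:
#   render_rules "$(cat "$SERVERS")" "$(cat "$POWERUSERS")" | iptables-restore
render_rules "192.168.1.10 192.168.1.11" "192.168.1.50"
```

Because the output is plain text, the policy can be diffed against the previous version and checked with `has_rule` (for instance, that an address not on either list never appears in a FORWARD or SNAT rule) before anything touches the kernel.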

