[CLUE-Tech] Firewall

jason at matchingmoms.com
Sat Feb 23 08:50:41 MST 2002


If I'm reading your configuration correctly, all OUTPUT packets are allowed
and all INPUT and FORWARD packets are being sent to the "block" chain.  The
block chain allows all established and related packets and all new packets
from inside your network.

I'm guessing that when you try to set up your SSH connection from the
outside, that attempt starts with new packets (by definition), and your
configuration won't allow those from the outside.

You can specify which IPs to allow with the -s switch -- consult the
iptables man page.

No, you should not need to reboot between changes.  Most iptables scripts
I've seen have flush commands at the top to be sure you are starting with a
clean slate.  And, many scripts set the default policies to be DROP for all
three chains, for safety.  The man pages should talk about both.  Finally,
beware that your firewall generally WON'T come up after a reboot unless you
add a call to your firewall script in one of your startup scripts.  If you
are using RedHat you can use /etc/rc.d/init.d/network.

----- Original Message -----
From: "Chris" <r0x0rman at yahoo.com>
To: "Clue-Tech at Clue.Denver.Co.Us" <clue-tech at clue.denver.co.us>
Sent: Saturday, February 23, 2002 12:24 AM
Subject: [CLUE-Tech] Firewall


> Hey guys I was wondering if you could help me out.  I'm trying to set up a
> firewall for the first time.  Just something simple.  Here is what I have so
> far.
>
>
> ============================================================================
> /sbin/modprobe iptable_nat
>
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> iptables -N block
> iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A block -m state --state NEW -i ! eth0 -j ACCEPT
> iptables -A block -j DROP
>
> iptables -A INPUT -j block
> iptables -A FORWARD -j block
> iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
> iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
> iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
>
> ============================================================================
>
> the interface that the world sees is eth0
> the interface that my LAN sees is eth1
>
> Does everything look ok so far?
>
> With this set up, I am unable to ssh to my machine from work.  How can I
> allow certain IPs to connect, and how can I let certain services pass
> through?  I want to let two IPs connect.
> Also, say I want to make a change to the entry for NAT.  How do I reload it
> without having to reboot?
> Any ideas?  Thanks.
>
> _______________________________________________
> CLUE-Tech mailing list
> CLUE-Tech at clue.denver.co.us
> http://clue.denver.co.us/mailman/listinfo/clue-tech
>
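The script below is an added example, not code from either poster, that puts the reply's advice into one reloadable script: flush everything at the top so re-running it replaces the old rules without a reboot, set DROP policies on INPUT and FORWARD, keep the original "block" chain, and accept new SSH connections from the outside only from specific source addresses using the -s switch. Assumed values not in the thread: the two trusted addresses 203.0.113.10 and 198.51.100.20 and the LAN network 192.168.1.0/24 are placeholders from the documentation ranges, and the original "-i ! eth0" is written in the "! -i eth0" form that current iptables releases require. IPT and SYSCTL default to a dry run that only prints the commands; set them to the real binaries (as root) to apply the rules.

```shell
#!/bin/sh
# Added example (not from the original thread). Dry run by default: the
# commands are echoed rather than executed. Run as root with
#   IPT=iptables SYSCTL=sysctl sh firewall.sh
# to apply them for real.
IPT="${IPT:-echo iptables}"
SYSCTL="${SYSCTL:-echo sysctl}"

WAN=eth0                                   # interface the world sees
LAN_NET=192.168.1.0/24                     # placeholder LAN network (assumed)
TRUSTED_SSH="203.0.113.10 198.51.100.20"   # placeholder trusted sources (assumed)

apply_rules() {
    # Clean slate: flushing at the top is what makes the script safe to
    # re-run after a change, so no reboot is needed to reload it.
    $IPT -F
    $IPT -t nat -F
    $IPT -X block 2>/dev/null

    # Default policies: anything no rule explicitly accepts is dropped.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # The "block" chain from the original script: keep replies to existing
    # connections, and let hosts on the inside (any interface but the WAN
    # one) open new connections. "! -i" is the current spelling of "-i !".
    $IPT -N block
    $IPT -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A block -m state --state NEW ! -i "$WAN" -j ACCEPT

    # New SSH connections arriving from the outside are accepted only from
    # the trusted source addresses (the -s switch). These rules must sit
    # inside the chain: anything appended after "-j block" is unreachable,
    # because the chain ends with an unconditional DROP.
    for ip in $TRUSTED_SSH; do
        $IPT -A block -m state --state NEW -s "$ip" -p tcp --dport 22 -j ACCEPT
    done
    $IPT -A block -j DROP

    # Loopback is always fine; everything else goes through the chain.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -j block
    $IPT -A FORWARD -j block

    # NAT for the LAN going out through the WAN interface.
    $IPT -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE

    # Turn on forwarding only once the rules are in place.
    $SYSCTL -w net.ipv4.ip_forward=1
}

apply_rules
```

Because the rules do not survive a reboot on their own, the script has to be called from a startup script, as the reply notes; once that is done, editing the script and re-running it is the whole reload procedure.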