[CLUE-Tech] iptables not allowing the ACCEPT target?

Jed S. Baer thag at frii.com
Thu Nov 28 18:38:15 MST 2002


Hi Folks.

Messing about with my firewall settings here, which might be just a little
too tight. For example, not allowing an ftp data channel.

My old setting, 1 line:
-A INPUT -i ppp+ -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j DROP

Looking here:
http://www.netfilter.org/unreliable-guides/packet-filtering-HOWTO/packet-filtering-HOWTO.linuxdoc-5.html

I find the following as a quickie good firewall:

## Insert connection-tracking modules (not needed if built into kernel).
# insmod ip_conntrack
# insmod ip_conntrack_ftp

## Create chain which blocks new connections, except if coming from
#inside.
# iptables -N block
# iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A block -m state --state NEW -i ! ppp0 -j ACCEPT
# iptables -A block -j DROP

## Jump to that chain from INPUT and FORWARD chains.
# iptables -A INPUT -j block
# iptables -A FORWARD -j block

Seems I should be able to enter two rules in the input chain, and achieve
the same thing, without creating another chain (I'm guessing the author
created the 'block' chain so it could be called from both the INPUT and
FORWARD chains).

-A INPUT -i ppp+ -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i ppp+ -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j DROP

The reason for specifying only the ppp interface is to allow anything on
the home lan.

I'm going to hit one of the website nmappers, and try this out. But any
advice on whether I've left any gaping holes open, I'd appreciate. Hmmm,
maybe block UDP as well?

TIA,
jed
-- 
We're frogs who are getting boiled in a pot full of single-character
morphemes, and we don't notice. - Larry Wall; Perl6, Apocalypse 5
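For reference, here is the HOWTO's "block" chain collapsed into plain INPUT/FORWARD rules on the ppp interface, with the final DROP not limited to TCP SYN so UDP and ICMP are covered too. This is an added example, not part of the original post or the HOWTO; it assumes ppp+ is the dial-up interface and that the ip_conntrack_ftp helper is available. Generating the ruleset in iptables-restore format keeps it reviewable before it is loaded.

```shell
#!/bin/sh
# Added example, not from the original post. Emits the ruleset in
# iptables-restore format; it is only loaded when APPLY_RULES=1 and run as root.
set -eu

# Policies stay ACCEPT so traffic on the LAN interfaces is untouched, as in
# the post; only packets arriving on ppp+ are filtered.
gen_rules() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Replies and helper-tracked connections (e.g. the ftp data channel) are let in.
-A INPUT -i ppp+ -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i ppp+ -m state --state ESTABLISHED,RELATED -j ACCEPT
# Everything else from ppp+ is NEW or INVALID: drop it regardless of protocol.
# A SYN-only TCP rule would leave UDP and ICMP open.
-A INPUT -i ppp+ -j DROP
-A FORWARD -i ppp+ -j DROP
COMMIT
EOF
}

# Static check on the generated text: the stateful ACCEPT must precede a
# protocol-independent DROP on ppp+. Returns 0 when the ruleset passes.
check_rules() {
    rules=$(gen_rules)
    printf '%s\n' "$rules" | grep -q -- '^-A INPUT -i ppp+ -m state --state ESTABLISHED,RELATED -j ACCEPT$' || return 1
    printf '%s\n' "$rules" | grep -q -- '^-A INPUT -i ppp+ -j DROP$' || return 1
    # A DROP restricted to "-p tcp" would be the hole the post asks about.
    if printf '%s\n' "$rules" | grep -q -- '^-A INPUT .*-p tcp.* -j DROP$'; then
        return 1
    fi
    return 0
}

# Only touch the live firewall on explicit request, as root.
if [ "${APPLY_RULES:-0}" = 1 ] && [ "$(id -u)" = 0 ]; then
    modprobe ip_conntrack_ftp 2>/dev/null || true
    gen_rules | iptables-restore
fi
```

Run it plain to print the ruleset for inspection, or with `APPLY_RULES=1` as root to load it.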