my actual iptables inquiry

lwj wayne at zkcelltest.com
Mon Feb 23 16:16:29 UTC 2004


On Fri, 2004-02-20 at 16:40, jay wrote:
> Ok, I guess this is what I need to do with iptables... I need to deny all
> but still be able to get on the internet... All this box will be used
> for is e-mail and websurfing and the usual streaming media and so
> forth..
> thanx
> 

I think you should be able to set something simple like this using the
firewall configuration tool that comes with Fedora. If you are using
Gnome (and maybe KDE too) it's located in the "System Settings" submenu
as "Security Level". I think all you really need to do is turn on the
firewall. I have not done anything special and I can do all the things
you mention above.

Note that if you change your firewall settings that "Trusted services"
are the services that you want to enable on your system and NOT services
that you want to access on the internet. For example, selecting "WWW
(HTTP)" will allow others to connect to your HTTP server. "Trusted
devices" are devices that you TRUST; therefore, the firewall lets ALL
traffic through on that device.

If you want to share a single Internet connection with several other
machines then you need to tell the firewall to do NAT. It would probably
be best to use one of the many firewall configuration tools available. If
you search the archives for iptables you should find a reference to many
of them.

I have not taken the time to learn these tools yet so I use this
script. It's not very complicated but I think it gets the job done. It
only allows traffic initiated on the internal network. I DROP all
unwanted connections because there should not be any and dropping the
packets means the guy on the other end is less likely to see that my
firewall is even there.

Your configuration may differ. Substitute eth1 with whichever network
device is connected to the actual Internet.

==================== NAT FIREWALL RULES ===================
#!/bin/sh
# Disable IP forwarding while we fix up the firewall rules for NAT
echo 0 > /proc/sys/net/ipv4/ip_forward

# Flush all the current rules in the filter table AND the nat table.
# (iptables -F alone only touches the filter table, so re-running the
# script would append a second MASQUERADE rule in nat/POSTROUTING.)
/sbin/iptables -F
/sbin/iptables -t nat -F

# Masquerade out eth1 (the device connected to the actual Internet)
/sbin/iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

# Disallow NEW and INVALID incoming or forwarded packets from eth1.
# Replies to connections started on the inside are ESTABLISHED/RELATED
# and still get through.
/sbin/iptables -A INPUT -i eth1 -m state --state NEW,INVALID -j DROP
/sbin/iptables -A FORWARD -i eth1 -m state --state NEW,INVALID -j DROP

# Turn on IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
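Added example, not part of the original post: a small Python check that reads iptables-save output and reports whether the simple NAT policy described in the message actually holds (masquerade out of the external interface; NEW and INVALID packets from that interface dropped in INPUT and FORWARD; no rule appended twice). The two dumps are constructed, modelled on the rules above; the second shows what you get when a script that flushes only the filter table is run twice, so the MASQUERADE rule in the nat table is duplicated. The audit() checks are my own reading of what the rules intend, and the external interface name is passed in by the caller.

```python
"""Audit an iptables-save dump against a simple masquerading-firewall policy.

Assumed policy (external interface name supplied by the caller):
  1. nat/POSTROUTING masquerades traffic leaving the external interface.
  2. filter/INPUT and filter/FORWARD drop NEW and INVALID packets that
     arrive on the external interface.
  3. No rule appears twice in a chain (the symptom of re-running a script
     that flushes the filter table but not the nat table).
"""
import shlex

# Constructed sample: the rules above loaded once, nat and filter both flushed first.
GOOD_DUMP = """\
# Generated by iptables-save (constructed sample)
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth1 -m state --state NEW,INVALID -j DROP
-A FORWARD -i eth1 -m state --state NEW,INVALID -j DROP
COMMIT
"""

# Constructed sample: a script that only runs "iptables -F" (filter table) was run
# twice, so the nat table kept the first MASQUERADE rule and got a second one.
TWICE_DUMP = GOOD_DUMP.replace(
    "-A POSTROUTING -o eth1 -j MASQUERADE\n",
    "-A POSTROUTING -o eth1 -j MASQUERADE\n-A POSTROUTING -o eth1 -j MASQUERADE\n",
)


def parse_iptables_save(text):
    """Return {table: {chain: [rule options as one string, ...]}}."""
    tables = {}
    table = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):                      # "*nat" starts a table
            table = line[1:]
            tables.setdefault(table, {})
        elif line.startswith(":"):                    # ":INPUT ACCEPT [0:0]" declares a chain
            tables[table].setdefault(line[1:].split()[0], [])
        elif line.startswith("-A "):                  # "-A CHAIN <options>" appends a rule
            parts = shlex.split(line)
            tables[table].setdefault(parts[1], []).append(" ".join(parts[2:]))
    return tables


def rule_options(rule):
    """Turn '-i eth1 -m state --state NEW,INVALID -j DROP' into a dict of options."""
    parts = shlex.split(rule)
    opts, i = {}, 0
    while i < len(parts):
        if parts[i].startswith("-"):
            key = parts[i].lstrip("-")
            has_val = i + 1 < len(parts) and not parts[i + 1].startswith("-")
            opts[key] = parts[i + 1] if has_val else True
            i += 2 if has_val else 1
        else:
            i += 1
    return opts


def rule_matches(rule, **want):
    """True if the rule carries every requested option with the requested value."""
    opts = rule_options(rule)
    return all(opts.get(k) == v for k, v in want.items())


def audit(dump, ext_if):
    """Return a list of policy violations; an empty list means the policy holds."""
    tables = parse_iptables_save(dump)
    problems = []
    post = tables.get("nat", {}).get("POSTROUTING", [])
    if not any(rule_matches(r, o=ext_if, j="MASQUERADE") for r in post):
        problems.append("nat/POSTROUTING: no MASQUERADE out %s" % ext_if)
    for chain in ("INPUT", "FORWARD"):
        rules = tables.get("filter", {}).get(chain, [])
        if not any(rule_matches(r, i=ext_if, state="NEW,INVALID", j="DROP") for r in rules):
            problems.append("filter/%s: NEW,INVALID from %s is not dropped" % (chain, ext_if))
    for table, chains in tables.items():
        for chain, rules in chains.items():
            seen = set()
            for r in rules:
                if r in seen:
                    problems.append("%s/%s: duplicate rule '%s' (script run twice "
                                    "without flushing this table?)" % (table, chain, r))
                seen.add(r)
    return problems


if __name__ == "__main__":
    for name, dump in (("once", GOOD_DUMP), ("twice", TWICE_DUMP)):
        print(name, audit(dump, "eth1") or "policy holds")
```

Run it against a real box with `iptables-save | python3 audit.py`-style plumbing by reading the dump from stdin instead of the constructed strings; the checks are deliberately literal (they look for exactly the rules the message relies on), so a ruleset that enforces the same policy with different matches will be reported as a violation and should be reviewed by hand.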