IPTable Rules... again
Reindl Harald
h.reindl at thelounge.net
Fri Mar 9 09:06:33 UTC 2012
Am 09.03.2012 04:22, schrieb nullv at gmx.com:
>> what you are doing wrong is change working things
>> the following works perfectly (eth1: WAN, eth0: LAN)
>
>> iptables -A FORWARD -i eth1 -d 192.168.1.0/24 -j ACCEPT
>> ipatbles -A POSTROUTING -t nat -s 192.168.1.0/24 -o eth1 -j MASQUERADE
>
> the thing is I don't want to allow all my local machines to access the net.
> Only selected services (POP3S, DNS, and SMTPS) are allowed. Although there
> are exceptions like 10.0.0.3. Additionaly my ISP limits the amount of traffic
> from 1 IP. I have 5 public addresses I want to roundrobin them so that traffic
> gets distributed accross the IPs.
hm - OK thats a different story
but after read your ogrional post
why did you not mention what you like to do?
usually nobody will read your rules and start imagnine you
intention especially if your rules do not work
to disallow completly on a machine i would remove the gateway on the client
>> what is this????????????????????????
>> -A INPUT -i eth1 -j ACCEPT
>
> that's allow local packets from the lan (eth1) into the server
this is a very very bad idea, what happens if there is started a
unwanted service by accident?
as long as you do not care about your servers security
in the internal network in my opinion the policy above
is not a topic - network security starts generally at
the most vulnerable machines
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 262 bytes
Desc: OpenPGP digital signature
URL: <http://lists.fedoraproject.org/pipermail/users/attachments/20120309/787422a2/attachment.sig>
More information about the users
mailing list