
Re: How do I open for Internet access in iptables.



I described the easiest method. It is usually considered insecure to have
all policies set to ACCEPT. However, if you use correctly configured server
daemons and do not run services that you don't need, such a simple
configuration should be secure. A more secure method is, as I wrote earlier,
to set the default input policy to DENY and write explicit rules which will
explicitly permit packets intended for the services on your router to enter
the router.

If you use an input policy of DENY without the explicit rules with a target
of ALLOW, you will not even be able to ping from your router, because such a
policy will not allow ping replies to reach you (they will be DENIED entry
into your router).

If you use, in addition to the default input policy of DENY and a default
output policy of ACCEPT, the following rule, you should be able to ping your
router from other machines and ping other machines from your router:

iptables -t filter -A INPUT -p icmp -j ACCEPT

Of course, if you have server daemons on your router, you will need other
rules in that chain.

Alexey Fadyushin
Brainbench MVP for Linux.
http://www.brainbench.com


Knut Ove Hauge writes:
> 
> Wouldn't setting all policies to ACCEPT mean a security risk?
> How do I know if NAT is enabled.
> When I type lsmod I found NAT with no additional info, i.e. autoclean,
> used or unused.
> 
>  --- Alexey Fadyushin <fab s-tunnel com> wrote:
> > I think that you should set all three policies in all tables to
> > ACCEPT.
> > Of course, you could use any other policies if you have added
> > specific rules in the tables which will be used instead of the default
> > policies for the packets on your network.
> >
> > Also, if you are using NAT between LAN and ADSL, add a rule similar
> > to the following rule into the table 'nat':
> >
> > iptables -t nat -A POSTROUTING -s 192.168.3.0/255.255.255.0 -j SNAT
> > --to-source x.x.x.x
> >
> > where x.x.x.x is the address of the external interface of your router
> > (ADSL line).
> >
> > Alexey Fadyushin
> > Brainbench MVP for Linux.
> > http://www.brainbench.com
> >
> >
> > Saul Arias wrote:
> > >
> > > At 04:35 AM 30-08-02, Knut Ove Hauge wrote:
> > > >I have just installed iptables as a replacement for ipchains in my
> > > >rh 7.2 system. I downloaded a shell script with the rules but I can't
> > > >access the internet from either my linuze or windoze client.
> > > >I use eth1 for my adsl line and eth0 (ip address 192.168.0.1) for
> > > >my lan card. The windoze has ip address 192.168.0.3.
> > > >I have enabled ip forwarding and can flush the rules in iptables in
> > > >the beginning of the script. The input policy is set to DROP while
> > > >the other two are set to accept.
> > > >I can't ping any machines, either external or internal.
> > > >I'm new to iptables so I need some help on setting it up.
> > >
> > > Can you ping from the Linux box to, say, www.yahoo.com?
> > > Can you ping from the Linux box to 192.168.0.3?
> > >
> > > Can you do the pings above with iptables shut down?
> > >
> > > Can we see your script?
> > >
> > > --
> > > Saul Arias <zhadu yahoo com>
> > >
> > > --
> > > redhat-list mailing list
> > > unsubscribe mailto:redhat-list-request redhat com?subject=unsubscribe
> > > https://listman.redhat.com/mailman/listinfo/redhat-list
> >
> >
> >
> 
> =====
> Investigating the Norwegian 4th Secret Service
> The multiheaded beast.
> http://hjem.sol.no/altiett/knut_ove_hauge_kuren.htm
> 
> 
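A complete firewall script for the setup discussed in this thread, added here as an example; it is not a script posted by anyone in the thread. It applies the default-deny INPUT policy with explicit ACCEPT rules (the ICMP rule above) and the SNAT rule for the LAN, assuming eth0/192.168.0.0/24 on the LAN side and eth1 on the ADSL side as in the original question; the ESTABLISHED,RELATED state rule, the SSH rule, the `-o` interface restriction on the SNAT rule and the dry-run mode are my additions, and x.x.x.x stays a placeholder for the router's external address.

```shell
#!/bin/sh
# Added example, not from the thread: default-DROP INPUT with explicit ACCEPT rules
# plus source NAT for the LAN. Interface names, subnet, and the SSH rule are assumptions.
# Usage: ./fw.sh show   (print the rules)   |   ./fw.sh apply   (run iptables as root)
LAN_IF="${LAN_IF:-eth0}"               # LAN side, as in the original question
WAN_IF="${WAN_IF:-eth1}"               # ADSL side
LAN_NET="${LAN_NET:-192.168.0.0/24}"   # LAN subnet behind the router
WAN_ADDR="${WAN_ADDR:-x.x.x.x}"        # placeholder: external address of the router
DRY_RUN="${DRY_RUN:-0}"

ipt() {
    # Run iptables, or only print the command line when DRY_RUN=1.
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

apply_firewall() {
    # Start from empty chains in the two tables the thread touches.
    ipt -t filter -F
    ipt -t nat -F
    # Default-deny traffic addressed to the router itself; FORWARD and OUTPUT stay ACCEPT.
    ipt -t filter -P INPUT DROP
    ipt -t filter -P FORWARD ACCEPT
    ipt -t filter -P OUTPUT ACCEPT
    # Loopback, and replies to connections the router itself opened. Without the
    # state rule a DROP policy also drops ping replies, the symptom in the thread.
    ipt -t filter -A INPUT -i lo -j ACCEPT
    ipt -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The ICMP rule from the thread: the router can be pinged and can ping.
    ipt -t filter -A INPUT -p icmp -j ACCEPT
    # One explicit rule per service on the router; here SSH, from the LAN only (assumption).
    ipt -t filter -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT
    # SNAT rule from the thread, restricted to packets leaving via the ADSL interface.
    ipt -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j SNAT --to-source "$WAN_ADDR"
}

case "${1:-}" in
    show)  DRY_RUN=1; apply_firewall ;;
    apply) apply_firewall ;;
esac
```

Run `sh fw.sh show` first to review the generated rule set, then `sh fw.sh apply` as root; rules are not persisted across reboots, so hook the script into the boot sequence as the original poster did.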




