
Re: decrypting iptables?

On Sun, 2008-11-30 at 11:49 -0500, Tom Horsley wrote:
> Any other less cryptic GUI options

I suppose that depends on what you mean by cryptic.  Is it the syntax of
the commands that you don't understand, or the functions that a rule

I used to set mine using a script, with a pile of iptables commands.
That made it easy to repeat (run the script again), easy to undo changes
(you can comment out things, and try variations), and much more flexible
than anybody's control GUI.  I'd run the script to change or apply the
settings.  It saved them in the place iptables loads its initial
settings, so the computer would always boot up with my configuration,
without me needing to modify anything.

Something like the following example (which dates back to when I used
dialup).  I always used the expanded, rather than abbreviated, commands;
it's easier to interpret.


## Turn off IP forwarding while altering configuration:
## (Put it back on again, at end, if needed.)

echo 0 > /proc/sys/net/ipv4/ip_forward

## Flush any pre-existing rules:

iptables --flush INPUT
iptables --flush OUTPUT
iptables --flush FORWARD

iptables --flush
iptables --table nat --flush

iptables --delete-chain
iptables --table nat --delete-chain

## Set default (policy) rules:

iptables --policy INPUT DROP
iptables --policy OUTPUT ACCEPT
iptables --policy FORWARD ACCEPT

## Drop non-internet networking addresses on the internet connection:

iptables --append INPUT --jump DROP --in-interface ppp+ --source
iptables --append INPUT --jump DROP --in-interface ppp+ --source
iptables --append INPUT --jump DROP --in-interface ppp+ --source
iptables --append INPUT --jump DROP --in-interface ppp+ --source
iptables --append INPUT --jump DROP --in-interface ppp+ --source
iptables --append INPUT --jump DROP --in-interface ppp+ --source
iptables --append INPUT --jump DROP --in-interface ppp+ --source
iptables --append INPUT --jump DROP --in-interface ppp+ --source

## Accept some things:

iptables --append INPUT --jump ACCEPT --protocol tcp --destination-port 80
iptables --append INPUT --jump ACCEPT --protocol tcp --destination-port https

## Allow established and related outside communications to this system,
## and allow outside communications to the firewall, except for ICMP packets:
## (Could be tightened up, adding conditions about specific ports.)

iptables --append INPUT --match state --state ESTABLISHED,RELATED --in-interface ppp+ --protocol \! icmp --jump ACCEPT

## Prevent connections initiated from the outside world:
## (Can interfere with some services which connect back, later on, such as file transfers or webcams on IM programs.)

iptables --append INPUT --match state --state NEW --in-interface ppp+ --jump DROP

## Allow all local communications to and from the firewall on ETH from the local network:

iptables --append INPUT --jump ACCEPT --protocol all --in-interface eth+ --source

## Internet connection sharing:
## Set up masquerading to allow internal machines access to outside network:
#iptables --table nat --append POSTROUTING --out-interface ppp+ --jump MASQUERADE

## Turn on IP forwarding, only needed for above internet connection sharing rule:
#echo 1 > /proc/sys/net/ipv4/ip_forward

## Save iptables rules to the default iptables rules file (used at boot-up):
## (Red Hat's own /etc/init.d/iptables script looks here.)

iptables-save > /etc/sysconfig/iptables

[tim localhost ~]$ uname -r

Don't send private replies to my address, the mailbox is ignored.  I
read messages from the public lists.
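The script above applies its rules one command at a time, so there is a moment after `iptables --policy INPUT DROP` when the default policy is DROP but none of the ACCEPT rules exist yet; on a locally administered dialup box that is harmless, but over a remote session it locks you out. The following is an added example, not Tim's script, showing the same ruleset written in the format `iptables-save` produces so that `iptables-restore` can load the whole table in one commit. The interface patterns `ppp+` and `eth+` come from the post; the local network `192.168.1.0/24` and the list of "non-internet" source ranges (RFC 1918 space plus loopback) are constructed here, since the post's own address list did not survive.

```shell
#!/bin/sh
# Added example: the posted ruleset as an iptables-restore file, loaded atomically.

WAN_IF="ppp+"                  # from the post: dialup interface pattern
LAN_IF="eth+"                  # from the post: local network interface pattern
LAN_NET="192.168.1.0/24"       # constructed: local network behind the firewall
# Constructed list of source ranges that should never arrive from the internet
# (RFC 1918 private space plus loopback); the post's own list was elided.
BOGONS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8"

# Emit the filter table in iptables-save format. Generating text first lets
# you review, diff or test the ruleset before anything touches the kernel.
gen_rules() {
    printf '%s\n' '*filter'
    # Default policies (same as the post) with zeroed packet/byte counters.
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD ACCEPT [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # Drop spoofed private/loopback sources on the internet interface.
    for net in $BOGONS; do
        printf '%s\n' "-A INPUT -i $WAN_IF -s $net -j DROP"
    done
    # Services offered to the outside: HTTP and HTTPS.
    printf '%s\n' '-A INPUT -p tcp --dport 80 -j ACCEPT'
    printf '%s\n' '-A INPUT -p tcp --dport 443 -j ACCEPT'
    # Replies to connections we initiated, except ICMP.
    printf '%s\n' "-A INPUT -i $WAN_IF -m state --state ESTABLISHED,RELATED ! -p icmp -j ACCEPT"
    # Refuse anything new coming in from the internet.
    printf '%s\n' "-A INPUT -i $WAN_IF -m state --state NEW -j DROP"
    # Trust the local network on the LAN interface.
    printf '%s\n' "-A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT"
    printf '%s\n' 'COMMIT'
}

# Number of rule lines (excluding table header, policies and COMMIT).
rule_count() {
    gen_rules | grep -c '^-A '
}

# Load the table in a single commit and save it where Red Hat's init script
# looks at boot (path from the post). Needs root; never called by the tests.
apply_rules() {
    gen_rules | iptables-restore && gen_rules > /etc/sysconfig/iptables
}
```

Running `gen_rules` on its own shows exactly what will be loaded; `apply_rules` is the one step that needs root. Because `iptables-restore` replaces the table as a unit, there is no window in which INPUT is DROP without the ACCEPT rules, and a syntax error in any line rejects the whole file instead of leaving the firewall half-configured.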
