On Sun, 2008-11-30 at 11:49 -0500, Tom Horsley wrote:
> Any other less cryptic GUI options

I suppose that depends on what you mean by cryptic. Is it the syntax of the commands that you don't understand, or the functions that a rule needs?

I used to set mine using a script, with a pile of iptables commands. That made it easy to repeat (run the script again), easy to undo changes (you can comment out things, and try variations), and much more flexible than anybody's control GUI.

I'd run the script to change or apply the settings. It saved them in the place iptables loads its initial settings, so the computer would always boot up with my configuration, without me needing to modify anything.

Something like the following example (which dates back to when I used dialup). I always used the expanded, rather than abbreviated, commands; it's easier to interpret.

#!/bin/bash

## Turn off IP forwarding while altering configuration:
## (Put it back on again, at end, if needed.)
echo 0 > /proc/sys/net/ipv4/ip_forward

## Flush any pre-existing rules:
iptables --flush INPUT
iptables --flush OUTPUT
iptables --flush FORWARD
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain

## Set default (policy) rules:
iptables --policy INPUT DROP
iptables --policy OUTPUT ACCEPT
iptables --policy FORWARD ACCEPT

## Drop non-internet networking addresses on the internet connection:
iptables --append INPUT --jump DROP --in-interface ppp+ --source 192.168.0.0/16
iptables --append INPUT --jump DROP --in-interface ppp+ --source 172.16.0.0/12
iptables --append INPUT --jump DROP --in-interface ppp+ --source 10.0.0.0/8
iptables --append INPUT --jump DROP --in-interface ppp+ --source 127.0.0.0/8
iptables --append INPUT --jump DROP --in-interface ppp+ --source 169.254.0.0/16
iptables --append INPUT --jump DROP --in-interface ppp+ --source 192.0.2.0/24
iptables --append INPUT --jump DROP --in-interface ppp+ --source 204.152.64.0/23
iptables --append INPUT --jump DROP --in-interface ppp+ --source 224.0.0.0/3

## Accept some things:
iptables --append INPUT --jump ACCEPT --protocol tcp --destination-port 80
iptables --append INPUT --jump ACCEPT --protocol tcp --destination-port https

## Allow established and related outside communications to this system,
## and allow outside communications to the firewall, except for ICMP packets:
## (Could be tightened up, adding conditions about specific ports.)
iptables --append INPUT --match state --state ESTABLISHED,RELATED --in-interface ppp+ --protocol \! icmp --jump ACCEPT

## Prevent connections initiated from the outside world:
## (Can interfere with some services which connect back, later on, such as
## file transfers or webcams on IM programs.)
iptables --append INPUT --match state --state NEW --in-interface ppp+ --jump DROP

## Allow all local communications to and from the firewall on ETH from the local network:
iptables --append INPUT --jump ACCEPT --protocol all --in-interface eth+ --source 192.168.0.0/16

## Internet connection sharing:
## Set up masquerading to allow internal machines access to outside network:
#iptables --table nat --append POSTROUTING --out-interface ppp+ --jump MASQUERADE

## Turn on IP forwarding, only needed for above internet connection sharing rule:
#echo 1 > /proc/sys/net/ipv4/ip_forward

## Save iptables rules to the default iptables rules file (used at boot-up):
## (Red Hat's own /etc/init.d/iptables script looks here.)
iptables-save > /etc/sysconfig/iptables

-- 
[tim@localhost ~]$ uname -r
2.6.27.5-41.fc9.i686

Don't send private replies to my address, the mailbox is ignored.
I read messages from the public lists.
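As an added example (not part of Tim's post or the fedora-list thread), here is a small shell audit for the two properties the script above depends on: the INPUT default policy being DROP, and the anti-spoofing DROPs on ppp+ being placed before any ACCEPT, since iptables matches rules first to last. The iptables-save dumps it reads are constructed samples, not captures from the poster's machine.

```shell
#!/bin/bash
# Added example (not from the original post): audit an iptables-save dump for
# what the script above relies on. iptables matches rules first to last, so the
# anti-spoofing DROPs on ppp+ must come before any ACCEPT in the INPUT chain.

# Constructed dumps in iptables-save format (it prints abbreviated option
# names even for rules added with long ones). GOOD_DUMP mirrors the script's
# ordering; BAD_DUMP accepts port 80 before the bogon filter gets a look.
GOOD_DUMP='*filter
:INPUT DROP [0:0]
-A INPUT -s 192.168.0.0/16 -i ppp+ -j DROP
-A INPUT -s 10.0.0.0/8 -i ppp+ -j DROP
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i ppp+ -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i ppp+ -m state --state NEW -j DROP
COMMIT'
BAD_DUMP='*filter
:INPUT DROP [0:0]
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 192.168.0.0/16 -i ppp+ -j DROP
COMMIT'

# Succeeds when the INPUT chain's default policy is DROP.
input_policy_is_drop() {
    printf '%s\n' "$1" | grep -q '^:INPUT DROP '
}

# Succeeds when no source-based DROP on ppp+ sits after an ACCEPT in INPUT,
# i.e. a packet with a spoofed private source can never reach an ACCEPT first.
bogon_drops_precede_accepts() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT / && / -j ACCEPT/ { seen_accept = 1 }
        /^-A INPUT -s / && / -i ppp\+ / && / -j DROP/ && seen_accept { bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# Prints the number of source-based DROP rules on the internet interface.
count_bogon_drops() {
    printf '%s\n' "$1" | grep -c '^-A INPUT -s .* -i ppp+ -j DROP' || true
}

# Runs every check, prints each failure, returns 0 only when all pass.
audit_ruleset() {
    rc=0
    input_policy_is_drop "$1" || { echo "FAIL: INPUT policy is not DROP"; rc=1; }
    [ "$(count_bogon_drops "$1")" -gt 0 ] || { echo "FAIL: no anti-spoofing DROPs"; rc=1; }
    bogon_drops_precede_accepts "$1" || { echo "FAIL: an ACCEPT precedes a bogon DROP"; rc=1; }
    return $rc
}

audit_ruleset "$GOOD_DUMP" && echo "GOOD_DUMP: passes"
audit_ruleset "$BAD_DUMP" || echo "BAD_DUMP: rejected (rule order)"
```

On a live box the same functions can be fed `"$(iptables-save)"` instead of the constructed strings.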