> -----Original Message----- > From: centos-bounces@xxxxxxxxxx > [mailto:centos-bounces@xxxxxxxxxx] On Behalf Of Marko A. Jennings > Sent: Thursday, January 03, 2008 7:29 AM > To: centos@xxxxxxxxxx > Subject: Re: Firewall frustration > > On Thu, January 3, 2008 8:18 am, Robert Moskowitz wrote: > > Steven Haigh wrote: > >> On 03/01/2008, at 3:34 PM, Robert Moskowitz wrote: > >>> Christopher Chan wrote: > >>>> > >>>>> I spent much of the past 24 hours trying to find out > how to set up > >>>>> iptables for firewall routing WITHOUT NATing. Could not find > >>>>> anything. > >>>>> > >>>> > >>>> Eh? You just need to enable ip forwarding to enable > routing. After > >>>> that, it is put up the firewall rules as is necessary, build the > >>>> appropriate routing tables on the firewall box and the > boxes on the > >>>> intranet(s). > >>>> > >>>> iptables does not handle routing. > >>> No, but iptables controls what is allowed to route, > >> > >> I think this is where you are getting confused and causing > yourself > >> issues. iptables has ZERO effect on what is allowed to > route. It is a > >> simple YES or NO as to if it should be allowed to pass or > be filtered. > > I have been tested as having a significant language usage > problem, and > > am working on it. 'what is allowed to route', was a poor choice of > > wording. What you wrote above is much closer to what I > wanted to say. > > > > ip src/dest is used for routing decisions by the kernel. > The IP state > > machine (check the RFC or any decent TCP/IP textbook) is > really quite > > simple. But iptables sticks its nose into the center of that state > > machine and can mangle addresses to change how packets flow through > > the machine, or just simplely yank packets right out of the machine > > with a simple NO (drop). > > > > So in my mind's eye of the IP state machine (my MSU CPS 410 > prof was > > death on state machines; turn in a perfectly executing assignment > > without one and there went half your grade. See HIP for its state > > machine) is dictated by iptables as to what it is allowed to route. > >> > >>> Those little words, "put up the firewall rules as necessary" are > >>> equivalent to "and magic happens here." > >> > >> It's actually not magical at all... Work with the mindset > of "I want > >> to allow X, Y, and Z, then deny everything else". This translates > >> easily into iptables rules -j ACCEPT and then your last rule (or > >> policy) should be a deny/drop/reject. > > That is exactly what I tried to do. I just used the wrong > bit of pixie > > dust (during some of the 'heated' IPsec meeting debates one fellow > > would try to sneak up a speaker 'that just did not get it' and > > sprinkle some glitter on them. He had labeled his tube of > glitter as > > 'security pixie dust'). > > If you are interested in learning how iptables work, I > suggest reading this book: > > Linux Firewalls, Second Edition > by Robert L. Ziegler > ISBN 0-7357-1099-6 > > It covers everything from packet filtering concepts to > practical examples. > > Marko Thanks, I was just going to ask.... Dennis _______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx http://lists.centos.org/mailman/listinfo/centos