Fajar, I really appreciate all the detailed help here! I have some questions.

>Hi JLC,
>There are 2 ways to implement a firewall: negative list and positive list. Looks like you want a very strict one that is positive list.
>
>Assuming eth0 is WAN, and eth1 is LAN (assuming 192.168.0.0/24) (please mind the word wrap):
>#Clear all rules and policies first:
>iptables -P INPUT ACCEPT
>iptables -P OUTPUT ACCEPT
>iptables -P FORWARD ACCEPT
>iptables -F
>iptables -t nat -F

I misunderstand this: if the default policy is to accept, then how does this work (I thought it was wise to make it DROP)? In terms of Cisco ACLs, how does iptables work? Does it simply continue processing until it sees something explicitly denying if the default policy is ACCEPT, versus DROP, where it will continue processing until it sees something explicitly allowing?

>#Finally dropping all other traffic (positive list firewall):
>iptables -P INPUT DROP
>iptables -P OUTPUT DROP
>iptables -P FORWARD DROP

So here you now restate the default policy? I thought you could only define this once?

>If for some reason you want to clear the iptables, run this command:
>iptables -P INPUT ACCEPT
>iptables -P OUTPUT ACCEPT
>iptables -P FORWARD ACCEPT
>iptables -F

Does this -F not reset the above stated policy?

>iptables -t nat -F
>service iptables save

Thanks so much!

jlc
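The three questions in the message (what the chain policy does when rules are present, whether -P can be re-issued, and whether -F clears the policy) come down to how a filter chain is traversed. The following is an added example, not code from the thread or from the iptables project: a small Python model of one chain that mirrors the documented semantics (rules are checked in order, the first matching terminating target such as ACCEPT or DROP decides, LOG is non-terminating, and the policy applies only to packets that match no rule). The interfaces follow the quoted reply (eth0 = WAN, eth1 = LAN 192.168.0.0/24); the addresses, ports and conntrack states are constructed for illustration.

```python
"""Toy model of an iptables filter chain (added example, not from the thread)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

ACCEPT, DROP, LOG = "ACCEPT", "DROP", "LOG"


@dataclass(frozen=True)
class Packet:
    in_iface: str
    src: str
    dport: Optional[int] = None
    state: str = "NEW"          # conntrack state: NEW, ESTABLISHED or RELATED


@dataclass
class Rule:
    """One '-A <chain> ...' line; None means 'any' for that match."""
    target: str
    in_iface: Optional[str] = None
    src_net: Optional[str] = None
    dport: Optional[int] = None
    states: Optional[frozenset] = None

    def matches(self, p: Packet) -> bool:
        if self.in_iface is not None and p.in_iface != self.in_iface:
            return False
        if self.src_net is not None and \
                ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src_net):
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.states is not None and p.state not in self.states:
            return False
        return True


@dataclass
class Chain:
    name: str
    policy: str = ACCEPT
    rules: list = field(default_factory=list)
    logged: list = field(default_factory=list)

    def set_policy(self, target: str) -> None:   # iptables -P: may be run any number of times
        self.policy = target

    def append(self, rule: Rule) -> None:        # iptables -A
        self.rules.append(rule)

    def flush(self) -> None:                     # iptables -F: rules go, policy stays
        self.rules.clear()

    def verdict(self, p: Packet) -> str:
        """First matching terminating rule wins; with no match, the policy decides."""
        for rule in self.rules:
            if rule.matches(p):
                if rule.target == LOG:           # LOG is non-terminating: note it, keep going
                    self.logged.append(p)
                    continue
                return rule.target
        return self.policy


def build_positive_list_input() -> Chain:
    """INPUT chain built in the order of the quoted recipe."""
    chain = Chain("INPUT")
    chain.set_policy(ACCEPT)   # open the policy first so reloading a live box cannot lock you out
    chain.flush()
    chain.append(Rule(ACCEPT, in_iface="lo"))
    chain.append(Rule(ACCEPT, states=frozenset({"ESTABLISHED", "RELATED"})))
    chain.append(Rule(ACCEPT, in_iface="eth1", src_net="192.168.0.0/24", dport=22))
    chain.append(Rule(LOG, in_iface="eth0", dport=22))   # record WAN SSH attempts, then fall through
    chain.set_policy(DROP)     # only now: anything not explicitly listed is dropped
    return chain


def scenarios() -> dict:
    chain = build_positive_list_input()
    lan_ssh = Packet("eth1", "192.168.0.10", dport=22)                 # constructed
    wan_ssh = Packet("eth0", "203.0.113.5", dport=22)                  # constructed
    reply = Packet("eth0", "203.0.113.5", dport=40000, state="ESTABLISHED")
    out = {
        "lan_ssh": chain.verdict(lan_ssh),
        "wan_ssh": chain.verdict(wan_ssh),
        "established_reply": chain.verdict(reply),
        "wan_ssh_logged": len(chain.logged),
    }
    chain.flush()                                         # -F alone ...
    out["lan_ssh_after_flush_only"] = chain.verdict(lan_ssh)   # ... leaves policy DROP in force
    chain.set_policy(ACCEPT)                              # which is why the clearing recipe runs -P ACCEPT too
    out["lan_ssh_after_accept_and_flush"] = chain.verdict(lan_ssh)
    return out


if __name__ == "__main__":
    for k, v in scenarios().items():
        print(f"{k}: {v}")
```

Run as a script to see the verdicts. The model shows why the quoted recipe sets the policy to ACCEPT before flushing and to DROP only after the allow rules are in place: -F removes rules but not the policy, so flushing a chain whose policy is already DROP leaves a box that answers nothing, and -P can be issued as often as needed.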
_______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx http://lists.centos.org/mailman/listinfo/centos