When you use NAT to route traffic from eth0 out to the internet, it flows through the FORWARD table, bypassing the INPUT and OUTPUT tables completely. You'll need to set up a rule in your firewall blocking access using the FORWARD table.

-Ross Skaliotis

On Sun, 14 Apr 2002, Brian wrote:

> I have an iptables firewall, version 1.2.5. I LOVE IPTABLES, SO MANY MORE
> THINGS YOU CAN DO. I have a small network off my eth0 interface
> (192.168.0.X network) and my ppp0 is my DSL connection. With the current
> firewall, how would I block someone going to the Internet from my eth0
> interface? I have tried many things here and had no luck.
>
> Both my INPUT and OUTPUT use a DROP policy by default and I am using
> NAT to route my traffic to the Internet.
>
> # Kernel network hardening via /proc
> echo "1" > /proc/sys/net/ipv4/ip_dynaddr
> echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter            # any non-zero value turns reverse-path filtering on
> echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
> echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
> echo 0 > /proc/sys/net/ipv4/tcp_timestamps
> echo 1 > /proc/sys/net/ipv4/tcp_syncookies
> echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
> echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
> echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
> echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range
> echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
> echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time
> echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
> echo 0 > /proc/sys/net/ipv4/tcp_sack
>
> # Netfilter modules
> modprobe ip_conntrack
> modprobe ip_tables
> modprobe iptable_filter
> modprobe iptable_mangle
> modprobe iptable_nat
> modprobe ipt_LOG
> modprobe ipt_REJECT
> modprobe ipt_MASQUERADE
> modprobe ip_conntrack_ftp
> modprobe ipt_owner
> modprobe ip_conntrack_irc
>
> # Masquerade the LAN out of ppp0 and forward everything
> echo 1 > /proc/sys/net/ipv4/ip_forward
> iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
> iptables -A FORWARD -j ACCEPT                   # LAN <-> Internet packets are decided here, not in INPUT/OUTPUT
>
> # INPUT: packets addressed to the gateway itself
> iptables -A INPUT -i eth0 -j ACCEPT             # anything from the LAN
> iptables -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
> iptables -A INPUT -i ppp0 -p udp --dport 1024: -j ACCEPT            # any UDP to unprivileged ports from the uplink
> iptables -A INPUT -i ppp0 -p udp --sport 67 --dport 68 -j ACCEPT    # DHCP replies
> iptables -A INPUT -i ppp0 -p udp -s 208.188.197.4 --sport 53 --dport 1024:65535 -j ACCEPT   # DNS replies from the ISP resolvers
> iptables -A INPUT -i ppp0 -p udp -s 206.148.122.8 --sport 53 --dport 1024:65535 -j ACCEPT
> iptables -A INPUT -i ppp0 -p udp -s 206.148.122.2 --sport 53 --dport 1024:65535 -j ACCEPT
> iptables -A INPUT -i ppp0 -p tcp ! --syn -j ACCEPT                  # TCP segments that are not connection attempts
> iptables -A INPUT -i ppp0 -p icmp -j DROP
> iptables -P INPUT DROP
>
> # OUTPUT: packets originated by the gateway itself (LAN, broadcast and loopback only)
> iptables -A OUTPUT -d 192.168.0.0/24 -j ACCEPT
> iptables -A OUTPUT -d 255.255.255.255 -j ACCEPT
> iptables -A OUTPUT -d 127.0.0.1 -j ACCEPT
> iptables -P OUTPUT DROP
>
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
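Ross's point worked through as an added example; this is not Brian's script and not rules Ross posted. It blocks one LAN host from being forwarded to the Internet on a gateway laid out like Brian's (LAN on eth0, 192.168.0.0/24; uplink on ppp0; an existing `iptables -A FORWARD -j ACCEPT`). The host address 192.168.0.7, the `FWD-BLOCK:` log prefix and the `IPT=echo` dry-run convention are my own assumptions.

```shell
#!/bin/sh
# Added example for the thread above, not Brian's script or Ross's own rules.
# Blocks one LAN host from being forwarded to the Internet through a
# masquerading gateway.  Assumed layout, taken from Brian's post: LAN on
# eth0 (192.168.0.0/24), DSL uplink on ppp0, and an existing
# "iptables -A FORWARD -j ACCEPT".  The host address used in the usage
# line is made up.
#
# IPT names the iptables binary.  Set IPT=echo to dry-run the commands
# without root, e.g.  IPT=echo sh block-host.sh 192.168.0.7

IPT=${IPT:-iptables}
LAN_IF=eth0
EXT_IF=ppp0

# block_forward HOST: insert LOG + DROP rules at the top of FORWARD for HOST.
# Two points matter here:
#  * Forwarded packets traverse the filter FORWARD chain before the nat
#    POSTROUTING chain rewrites the source address, so "-s HOST" still
#    sees the private 192.168.0.x address, MASQUERADE or not.
#  * The chain already ends in an unconditional ACCEPT, so the rules must be
#    inserted ("-I FORWARD 1") ahead of it; appending them with "-A" would
#    leave them after the ACCEPT, where they never match.
block_forward() {
    host=$1
    $IPT -I FORWARD 1 -i "$LAN_IF" -o "$EXT_IF" -s "$host" \
        -m limit --limit 3/min -j LOG --log-prefix "FWD-BLOCK: "
    $IPT -I FORWARD 2 -i "$LAN_IF" -o "$EXT_IF" -s "$host" -j DROP
}

# unblock_forward HOST: delete the same two rules (-D matches on the exact
# rule specification, so it must repeat the limit match and log prefix).
unblock_forward() {
    host=$1
    $IPT -D FORWARD -i "$LAN_IF" -o "$EXT_IF" -s "$host" \
        -m limit --limit 3/min -j LOG --log-prefix "FWD-BLOCK: "
    $IPT -D FORWARD -i "$LAN_IF" -o "$EXT_IF" -s "$host" -j DROP
}

# show_forward: list FORWARD with rule numbers and packet counters, so the
# DROP rule can be seen sitting above the ACCEPT and its counters climbing
# while the blocked host keeps trying to get out.
show_forward() {
    $IPT -L FORWARD -n -v --line-numbers
}

# Usage:  sh block-host.sh 192.168.0.7      (block)
#         sh block-host.sh -d 192.168.0.7   (unblock)
if [ $# -gt 0 ]; then
    case $1 in
        -d) shift; unblock_forward "$1" ;;
         *) block_forward "$1" ;;
    esac
    show_forward
fi
```

A FORWARD rule only governs packets passing through the box. The blocked host can still talk to the gateway itself, because Brian's `iptables -A INPUT -i eth0 -j ACCEPT` accepts everything from the LAN; if the gateway runs a proxy or resolver that should also be off limits, that needs a separate INPUT rule.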