A rule like:

  /sbin/iptables -A FORWARD -i eth0 -s 192.168.0.0/24 -j DROP

would do the trick. Kind of a sledgehammer solution, but it should block everyone.

- Greg

-----Original Message-----
From: Ross Skaliotis [mailto:ross@student.andover.edu]
Sent: Sunday, April 14, 2002 11:15 AM
To: Brian
Cc: lartc@mailman.ds9a.nl
Subject: Re: [LARTC] Firewall Question?

When you use NAT to route traffic from eth0 out to the internet, it flows through the FORWARD table, bypassing the INPUT and OUTPUT tables completely. You'll need to set up a rule in your firewall blocking access using the FORWARD table.

-Ross Skaliotis

On Sun, 14 Apr 2002, Brian wrote:

> I have an iptables firewall version 1.2.5, I LOVE IPTABLES, SO MUCH MORE
> THINGS YOU CAN DO. I have a small network off my eth0 interface
> 192.168.0.X network and my ppp0 is my DSL connection, with the current
> firewall how would I block someone going to the Internet from my eth0
> interface. I have tried many things here and had no luck.
>
> Both my INPUT and OUTPUT used a DROP policy by default and I am using
> NAT to route my traffic to the Internet.
>
> echo "1" > /proc/sys/net/ipv4/ip_dynaddr
> echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter
> echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
> echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
> echo 0 > /proc/sys/net/ipv4/tcp_timestamps
> echo 1 > /proc/sys/net/ipv4/tcp_syncookies
> echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
> echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
> echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
> echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range
> echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
> echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time
> echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
> echo 0 > /proc/sys/net/ipv4/tcp_sack
>
> modprobe ip_conntrack
> modprobe ip_tables
> modprobe iptable_filter
> modprobe iptable_mangle
> modprobe iptable_nat
> modprobe ipt_LOG
> modprobe ipt_REJECT
> modprobe ipt_MASQUERADE
> modprobe ip_conntrack_ftp
> modprobe ipt_owner
> modprobe ip_conntrack_irc
>
> echo 1 > /proc/sys/net/ipv4/ip_forward
> iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
> iptables -A FORWARD -j ACCEPT
>
> iptables -A INPUT -i eth0 -j ACCEPT
> iptables -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
> iptables -A INPUT -i ppp0 -p udp --dport 1024: -j ACCEPT
> iptables -A INPUT -i ppp0 -p udp --sport 67 --dport 68 -j ACCEPT
> iptables -A INPUT -i ppp0 -p udp -s 208.188.197.4 --sport 53 --dport 1024:65535 -j ACCEPT
> iptables -A INPUT -i ppp0 -p udp -s 206.148.122.8 --sport 53 --dport 1024:65535 -j ACCEPT
> iptables -A INPUT -i ppp0 -p udp -s 206.148.122.2 --sport 53 --dport 1024:65535 -j ACCEPT
> iptables -A INPUT -i ppp0 -p tcp ! --syn -j ACCEPT
> iptables -A INPUT -i ppp0 -p icmp -j DROP
> iptables -P INPUT DROP
>
> iptables -A OUTPUT -d 192.168.0.0/24 -j ACCEPT
> iptables -A OUTPUT -d 255.255.255.255 -j ACCEPT
> iptables -A OUTPUT -d 127.0.0.1 -j ACCEPT
> iptables -P OUTPUT DROP
>
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
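One thing worth checking before applying the FORWARD-chain rule suggested above: Brian's script already runs `iptables -A FORWARD -j ACCEPT`, and iptables evaluates a chain first-match, so a DROP appended with `-A` lands behind that catch-all ACCEPT and never fires, whereas `-I FORWARD 1` puts it in front. The following is an added example, not code from the thread: a small Python model of first-match chain evaluation (a model, not iptables itself) with Brian's FORWARD chain and a constructed LAN packet, showing both orderings.

```python
from ipaddress import ip_address, ip_network
from dataclasses import dataclass, field

@dataclass
class Rule:
    target: str                 # -j ACCEPT / DROP
    in_iface: str = None        # -i, None = any interface
    src: str = None             # -s, host or CIDR, None = any source

    def matches(self, pkt):
        ok_iface = self.in_iface is None or pkt["in"] == self.in_iface
        ok_src = self.src is None or ip_address(pkt["src"]) in ip_network(self.src)
        return ok_iface and ok_src

@dataclass
class Chain:
    """Model of an iptables chain: first matching rule decides, policy otherwise."""
    policy: str = "ACCEPT"
    rules: list = field(default_factory=list)

    def append(self, rule):          # iptables -A CHAIN ...
        self.rules.append(rule)
    def insert(self, rule, pos=1):   # iptables -I CHAIN pos ...
        self.rules.insert(pos - 1, rule)
    def verdict(self, pkt):
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.target
        return self.policy

# Constructed packet: a LAN host behind eth0 heading for the internet.
LAN_PKT = {"in": "eth0", "src": "192.168.0.10"}
BLOCK = Rule("DROP", in_iface="eth0", src="192.168.0.0/24")   # the suggested rule

def brian_forward():
    """Brian's FORWARD chain as posted: one catch-all ACCEPT."""
    chain = Chain()
    chain.append(Rule("ACCEPT"))
    return chain

def appended_drop(pkt=LAN_PKT):   # -A FORWARD: lands after the ACCEPT, never matches
    chain = brian_forward()
    chain.append(BLOCK)
    return chain.verdict(pkt)

def inserted_drop(pkt=LAN_PKT):   # -I FORWARD 1: evaluated before the ACCEPT
    chain = brian_forward()
    chain.insert(BLOCK, 1)
    return chain.verdict(pkt)
```

To block a single host rather than the whole LAN, narrow `src` to that host's address; traffic arriving on ppp0 is untouched by the rule either way, since it matches on `-i eth0`.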