iptables questions

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, Jul 11, 2006 at 03:04:23PM -0600, Tyler Littlefield wrote:
> I tried running endoshield, and got a ton of errors.

When I first started using endoshield, I found the errors I got were
the result of not configuring all the iptables stuff during my kernel
config. So, your best bet in my humble opinion is to include all the
iptables, nat, and connection tracking stuff as modules, and tying
endoshield again. You could also post your errors, so we can see if a
lack of modules is the case here, or if it's something else.

> So, now I will try to do it manually. I'm going through a tutorial now, and I have a coupel questions.
> I can do the following.
> iptables -A INPUT -p tcp -dport 2200 -j queue
> iptables -A INPUT -p tcp -sport 2200 -j queue
> to allow for the traffic on port 2200 to go through. I think.

I've never used the queue target, so I can't help you here. I can only
tell you that when I want to open a port, I use the ACCEPT target to
do so.

> But, lets say I create a rule for each port. The ones I want to allow, and the ones I don't want to allow.
> I think I can use a -s to make it only local if I want.
> Then, how would I block the ports that I haven't created rules for?

Off the top of my head, without looking at the iptables docs, or at
the endoshield script, I believe you use the DROP target on the entire
input chain, and below that, use the ACCEPT target on the ports you
want to open. I do however stand to be corrected here.

> next, if I set up the box as a DMZ, in front of the router, is there a way that I can make it manage all traffic coming in and out of the network? Just like the router would?

Yes, this is called ip masquerading, and endoshield is a good example
of how it's done. Also note that if you intend to share your
connection with multiple machines, your main machine will need 2
network cards, one from the router to the pc, and the other from the
pc to the switch/hub that your other machines are connected to.

Greg




- -- 
web site: http://www.romuald.net.eu.org
gpg public key: http://www.romuald.net.eu.org/pubkey.asc
skype: gregn1
(authorization required, add me to your contacts list first)

- --
Free domains: http://www.eu.org/ or mail dns-manager at EU.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEtFmy7s9z/XlyUyARAsrtAKDBUJ2A64LR4gOHroSFnORWAoSmvwCcC2En
78FEqOYvuvSIEOYuM8Ic3M4=
=MPIm
-----END PGP SIGNATURE-----




[Index of Archives]     [Linux for the Blind]     [Fedora Discussioin]     [Linux Kernel]     [Yosemite News]     [Big List of Linux Books]
  Powered by Linux