Still an IPTABLES newbie

I have that book too and I find it confusing. I'll answer some questions as
best I can. I'm a newbie too.

As far as editing rules go, iptables-save will save the current setup. So if
you run your script, then add an additional set of rules and rerun
iptables-save, your new file will contain all the rules combined.

In the UNIX world, \ is commonly used as a line continuation. For example:
iptables -A INPUT -p tcp -i eth0 \
-m multiport --dports smtp,imap,pop3 -j ACCEPT

would translate to:
iptables -A INPUT -p tcp -i eth0 -m multiport --dports smtp,imap,pop3 -j ACCEPT

It's used when one line is too long for the screen.

The INTERNET things are for human readability and simplicity of change. It's
an environment variable assignment. When you see the lines:

PORTS="telnet,ftp,ssh,smtp"
/sbin/iptables -A INPUT -p TCP -m multiport --dports $PORTS -j ACCEPT

that is what YOU see. The command that is actually executed is:
/sbin/iptables -A INPUT -p TCP -m multiport --dports telnet,ftp,ssh,smtp -j ACCEPT

Hope this helps!

-- Dan
----- Original Message -----
From: "Bob Avery-Babel" <Bob@yellowbugcomputers.com>
To: <netfilter@lists.netfilter.org>
Sent: Tuesday, November 26, 2002 12:49 PM
Subject: Still an IPTABLES newbie


> Thanks to everyone for the tips on my last question. If anyone on this list
> lives close to Columbia, MO, and would like to tutor me just give me a
> holler. :-) Here are my new questions, after reading and re-reading the
> first 128 pages of "Linux Firewalls" by Robert Ziegler.
>
> My setup is a RH 8 box with an internal and an external nic. I also run all
> my services (ssh, http, samba) on this box, as I am poor and this is only a
> test box. :-). I have set all of my initial policies to drop as was
> suggested here. Now I've slowly been trying to learn how to add exceptions
> and understand just how the rules are constructed.
>
> Many of the scripts I've looked at, and in Ziegler's book, they mention
> "Symbolic Constants" that look like this:
>
> INTERNET="eth0"        #Internet connected interface
>
> Does IPTABLES recognize things like this, or is this just a convention to
> help humans read the rules easier? If I defined all of the symbolic
> constants at the start, where in the iptables script would I specifically
> put them? Is there a command line option to add them or do I edit the file
> directly to add the constants? When I tried to add the constants to the
> beginning of my script it errored out on me.
>
> Another question I have is how to add iptable rules. Usually when I set up
> the first script I enter in the lines one at a time, and then when I've
> added all of the lines I want I'll enter a command like:
>
> iptables-save > /etc/sysconfig/iptables
>
> Then I'll have a working iptables script. However, if I want to add
> additional rules one by one at the cli and then do another iptables-save it
> overwrites what I originally had. Are there easier options to do this, or is
> it best just to edit the file itself?
>
> My third question is about the format of the examples Robert Ziegler gives
> in his Linux Firewalls book. He writes all of his rules like this, without
> any explanation as to why. I guess it is supposed to be obvious? For
> example:
>
> iptables -A OUTPUT -o $INTERNET -p tcp \
> -m multiport --destination-port \
> $NFS_PORT,$OPENWINDS_PORT,$SOCKS_PORT,$SQUID_PORT \
> --syn -j DROP
>
> Are these "\" just to indicate line breaks? Sorry if that is an obvious
> question. oy!
>
> Final question for the month, I swear...
>
> I'm trying to understand forwarding the packets from my internal nic to my
> public nic and vice versa. Do I need to make a rule for both inbound and
> outbound traffic to each nic?
>
> For instance, to allow Samba traffic to flow, here is what I am thinking:
>
> Allow Internal network traffic to my internal nic card, does the traffic
> need to flow to my public IP? I've only bound my samba server on my internal
> nic and localhost.
>
> Do I need to put a rule in place that looks something like:
>
> -A OUTPUT -o eth1 -p tcp --sport 445 -j ACCEPT
> #Anything headed outbound to the private nic, destined for port 445, Accept
>
> I don't think that is right, but it is kind of how I understand (or don't
> understand) the concept.
>
> Thanks in advance to everyone!
>
> Bob
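As an added example (not code from Dan's reply or from Ziegler's book), here is a small script that ties the answers above together: the "symbolic constants" are ordinary shell variables, the trailing backslashes are shell line continuations, and a DRYRUN switch prints each command exactly as the shell would hand it to iptables, so you can check a script without root. The interface names, the internal network and the port list are assumptions.

```sh
#!/bin/sh
# Added example, not from the original thread. The "symbolic constants" are
# plain shell variables; the shell expands them and joins backslash-continued
# lines before /sbin/iptables is ever started, so iptables sees only literals.
# Interface names, the internal network and PORTS are assumed values.
INTERNET="eth0"              # Internet-connected interface
LAN="eth1"                   # internal interface
LAN_NET="192.168.1.0/24"     # constructed internal network
PORTS="telnet,ftp,ssh,smtp"  # services reachable from the Internet
IPTABLES="/sbin/iptables"

# run: execute the command, or with DRYRUN=1 print the fully expanded
# command line instead, which shows exactly what the kernel is handed.
run() {
    if [ "${DRYRUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

firewall_rules() {
    # Default-deny on every chain, as the original poster did.
    run "$IPTABLES" -P INPUT DROP
    run "$IPTABLES" -P OUTPUT DROP
    run "$IPTABLES" -P FORWARD DROP

    # With OUTPUT also dropped, replies to accepted connections must be
    # allowed explicitly; the state match covers both directions.
    run "$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run "$IPTABLES" -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # One rule written over two lines: the trailing backslash is a shell
    # line continuation, not iptables syntax.
    run "$IPTABLES" -A INPUT -i "$INTERNET" -p tcp \
        -m multiport --dports "$PORTS" -j ACCEPT

    # Samba (port 445) only from the LAN, on the internal interface.
    run "$IPTABLES" -A INPUT -i "$LAN" -s "$LAN_NET" -p tcp --dport 445 -j ACCEPT
}

# expanded_rules prints the commands exactly as they would be executed.
expanded_rules() {
    ( DRYRUN=1; firewall_rules )
}

expanded_rules
```

Run the script as-is to see the expanded commands; once they look right, load them for real and only then run iptables-save, since the saved file reflects whatever is currently loaded.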
