On Tue, Feb 18, 2003 at 03:19:19PM +0300, Pablo Allietti wrote:
> who is the line to permit all inside to outside??

None of them. You have to distinguish between two different topics: the traffic originating on the firewall itself and the forwarded traffic.

If traffic originates on the firewall it will leave the machine through the OUTPUT chain. Traffic which is destined for the firewall itself will enter the machine through the INPUT chain. This is what you did. To be correct, there is a problem: even if you allow traffic leaving the box through the OUTPUT chain, you have to permit the answers to that traffic to *enter* the firewall again. Therefore you should include that line into your firewall script, preferably as the first statement in the INPUT chain, since it is the most used rule ever:

    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

Explaining that rule is somewhat beyond the scope of this email, but I suggest you read one of the tutorials at [1].

Traffic which is forwarded by the firewall is filtered in the FORWARD chain. So, for example, if your internet interface is eth0 and your internal interface is eth1 and you just want to allow the internal machines to access the outside world, you would do something like that:

    iptables -P FORWARD DROP
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
    iptables -A FORWARD -p tcp -j REJECT --reject-with tcp-reset  # everything else
    iptables -A FORWARD -j REJECT  # reject everything else
                                   # with icmp-port-unreachable
    # implicit DROP due to policy happens here

Alex.

[1] http://www.netfilter.org/documentation/index.html

--
"Mr Data, when I said 'Fire at Will', I didn't mean for you to be so literal."
Instructions for use of this post: Insert tongue in cheek. Read as normal.
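To make the chain distinction in the mail concrete, here is a constructed Python model (added here; it is neither code from the mail nor netfilter's own logic) of the OUTPUT, INPUT and FORWARD chains with a minimal connection tracking table. It assumes the firewall holds 203.0.113.5 on eth0 and 10.0.0.1 on eth1, and it models only the NEW/ESTABLISHED states, not RELATED.

```python
from collections import namedtuple

# Constructed model, not netfilter code.  Assumed firewall addresses:
# 203.0.113.5 on eth0 (internet side) and 10.0.0.1 on eth1 (LAN side).
FW_ADDRS = {"203.0.113.5", "10.0.0.1"}
Packet = namedtuple("Packet", "src dst proto sport dport in_if")  # in_if None = locally generated

def route(dst):
    """Toy routing table: 10.0.0.0/8 is behind eth1, everything else behind eth0."""
    return "eth1" if dst.startswith("10.") else "eth0"

class Firewall:
    """The three filter chains of the mail's setup plus a minimal conntrack table."""
    def __init__(self, input_accepts_replies):
        self.input_accepts_replies = input_accepts_replies  # is the INPUT state rule present?
        self.conntrack = set()  # 5-tuples of flows already accepted in some chain

    def state(self, p):
        reverse = (p.dst, p.dport, p.src, p.sport, p.proto)
        return "ESTABLISHED" if reverse in self.conntrack else "NEW"

    def filter(self, p):
        if p.in_if is None:                 # OUTPUT chain: firewall-originated traffic, allowed
            verdict = "ACCEPT"
        elif p.dst in FW_ADDRS:             # INPUT chain: traffic addressed to the firewall itself
            # the rule the mail says is missing: -m state --state RELATED,ESTABLISHED -j ACCEPT
            reply_ok = self.input_accepts_replies and self.state(p) == "ESTABLISHED"
            verdict = "ACCEPT" if reply_ok else "DROP"   # otherwise the DROP policy applies
        elif self.state(p) == "ESTABLISHED" or (p.in_if == "eth1" and route(p.dst) == "eth0"):
            verdict = "ACCEPT"              # FORWARD chain: replies, or new LAN -> internet flows
        else:
            verdict = "REJECT"              # FORWARD chain: everything else is rejected
        if verdict == "ACCEPT":
            self.conntrack.add((p.src, p.sport, p.dst, p.dport, p.proto))
        return verdict

def demo(input_accepts_replies):
    """Constructed traffic: a DNS query from the firewall and its reply, a LAN web request
    and its reply, and an unsolicited SSH attempt from the internet."""
    fw = Firewall(input_accepts_replies)
    packets = [
        Packet("203.0.113.5", "198.51.100.10", "udp", 4000, 53, None),   # firewall -> DNS server
        Packet("198.51.100.10", "203.0.113.5", "udp", 53, 4000, "eth0"), # DNS reply to firewall
        Packet("10.0.0.7", "198.51.100.20", "tcp", 5000, 80, "eth1"),    # LAN host -> web server
        Packet("198.51.100.20", "10.0.0.7", "tcp", 80, 5000, "eth0"),    # web reply to LAN host
        Packet("198.51.100.30", "10.0.0.7", "tcp", 6000, 22, "eth0"),    # unsolicited, from internet
    ]
    return [fw.filter(p) for p in packets]
```

`demo(False)` shows the firewall's own DNS reply dropped in INPUT when the state rule is absent, while `demo(True)` lets it through; the FORWARD verdicts are identical in both runs.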