IP Tables: starting slowly..


hmm..  iptables itself isn't starting slowly, I'm slowly starting to
implement iptables.

I'm (finally..) migrating from ipchains, and would appreciate some
comment on my overall approach.

Context: dialup, ppp, source NAT/masquerading various boxen behind the
firewall/router, KRUD Linux 2.4-18.5 

1) I'm writing a minimal set of rules to account for every packet within
a specific chain, and not let any fall through to the default policy
-- which at the moment is ACCEPT -- after I'm certain there aren't any
packets dropping through to the policies, the default policies will
become DROP.

Good idea? Bad idea?

Example:

# OUTPUT:
/sbin/iptables -t filter -A OUTPUT \
 -o lo -j ACCEPT
/sbin/iptables -t filter -A OUTPUT \
 -o eth0 -j ACCEPT
/sbin/iptables -t filter -A OUTPUT \
 -o ppp0 -j ACCEPT


2) Is a default DROP rule (a rule that will catch any/everything)
irrelevant on the FORWARD chain?

3) Can someone point me to a quick lesson on logging? At the moment
I've got the following:

Module                  Size  Used by    Not tainted
ipt_MASQUERADE          2368   1  (autoclean)
ipt_state               1440   4  (autoclean)
iptable_filter          2656   1  (autoclean)
iptable_mangle          3040   0  (autoclean) (unused)
ipt_LOG                 4544   0  (unused)
iptable_nat            20948   1  [ipt_MASQUERADE]
ip_conntrack           21484   2  [ipt_MASQUERADE ipt_state iptable_nat]
ip_tables              14176   8  [ipt_MASQUERADE ipt_state iptable_filter iptable_mangle ipt_LOG iptable_nat]
<snip>

so I think I've got a start, but have no clue as to the rules needed.

TIA..


- John
-- 
"Obviously, we do not want to leave zombies around."
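An added example, not part of John's post, of what the "account for every packet, then flip the policy" approach and the logging question look like as one script. It keeps the post's interfaces (lo, eth0 as LAN, ppp0 as the dialup link) and adds a logged, rate-limited catch-all at the end of each filter chain; the log prefix, the 3/minute limit and the assumption that ipt_limit autoloads are mine. The script prints the iptables commands instead of running them, so the ruleset can be reviewed first and then piped into sh as root.

```shell
#!/bin/sh
# Added example: generate an iptables filter ruleset where every chain ends in
# an explicit LOG + DROP pair, so no packet silently reaches the chain policy.
# Interfaces are from the post; prefix and rate limit are assumed values.
IPT=${IPT:-/sbin/iptables}
LAN_IF=eth0
WAN_IF=ppp0

emit() { printf '%s\n' "$*"; }

# catch_all CHAIN: log whatever no earlier rule matched (rate-limited so a
# flood cannot fill syslog; needs the ipt_limit module), then DROP it.
catch_all() {
    emit "$IPT -t filter -A $1 -m limit --limit 3/minute --limit-burst 5" \
         "-j LOG --log-prefix \"IPT $1 catchall: \""
    emit "$IPT -t filter -A $1 -j DROP"
}

gen_rules() {
    # Policies stay ACCEPT while verifying; flip them to DROP once the
    # catch-all counters (iptables -t filter -L -v -n) stay at zero.
    for c in INPUT OUTPUT FORWARD; do
        emit "$IPT -t filter -P $c ACCEPT"
        emit "$IPT -t filter -F $c"
    done
    # OUTPUT: as in the post, trust everything the box itself sends.
    for i in lo $LAN_IF $WAN_IF; do
        emit "$IPT -t filter -A OUTPUT -o $i -j ACCEPT"
    done
    # INPUT: loopback and LAN, plus replies to our own connections on ppp0.
    emit "$IPT -t filter -A INPUT -i lo -j ACCEPT"
    emit "$IPT -t filter -A INPUT -i $LAN_IF -j ACCEPT"
    emit "$IPT -t filter -A INPUT -i $WAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # FORWARD: LAN out to ppp0, and only reply traffic back in to the LAN.
    emit "$IPT -t filter -A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT"
    emit "$IPT -t filter -A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Explicit end of every chain; the policy should never be consulted.
    for c in INPUT OUTPUT FORWARD; do
        catch_all "$c"
    done
}

# Number of explicit catch-all DROP rules generated for chain $1.
count_catchall() {
    gen_rules | grep -c -- "-A $1 -j DROP"
}

gen_rules
```

Each logged packet shows up in the kernel log with the "IPT <chain> catchall:" prefix, which is the quickest way to see what would have fallen through before the policies are changed.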

