Re: Adding Telnet to a Working Setup

Hi,

On Wed, 2003-08-27 at 15:44, Alyn Ashworth wrote:
> I have a working iptables setup that uses the following script, and that I
> would like to change to allow telnet connexions from the local network
> (eth0) but not from ppp0.
Going where? To the firewall or the external network?
> Can anyone suggest the best way to do this
> (politely and in words of one syllable, please!), and I would also welcome
> any other comments on my script....
> 
> #============================SCRIPT STARTS==================================
> # Load modules
> modprobe ip_tables
> modprobe ip_conntrack
> modprobe ip_conntrack_ftp
> 
> # (1) Policies (default)
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -P FORWARD DROP
> 
> # (2) User-defined chain for ACCEPTed TCP packets - called okay
> iptables -N okay
> #next line would allow new connections
> #iptables -A okay -p TCP --syn -j ACCEPT
> iptables -A okay -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A okay -p TCP -j DROP
> 
> # (3) INPUT chain rules
> 
> # Rules for incoming packets from LAN
> iptables -A INPUT -p ALL -i eth0 -s 192.168.0.0/16 -j ACCEPT
Last rule allows telnet access to the firewall.

> iptables -A INPUT -p ALL -i lo -s 127.0.0.1 -j ACCEPT
> iptables -A INPUT -p ALL -i lo -s 192.168.0.0/16 -j ACCEPT
You do not need the last rule. Replace the last two with:
iptables -A INPUT -i lo -j ACCEPT
You trust everything on loopback.

> 
> #Rules for incoming packets from the Internet
> 
> #Packets for established connexions
> iptables -A INPUT -p ALL -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
> 
> #TCP rules (not used at present as no services running over net)
> 
> #UDP rules
> iptables -A INPUT -p UDP -i ppp0 -s 0/0 --destination-port 53 -j ACCEPT
> iptables -A INPUT -p UDP -i ppp0 -s 0/0 --destination-port 2074 -j ACCEPT
> iptables -A INPUT -p UDP -i ppp0 -s 0/0 --destination-port 4000 -j ACCEPT
> 
> #ICMP rules
> iptables -A INPUT -p ICMP -i ppp0 -s 0/0 --icmp-type 8 -j ACCEPT
> iptables -A INPUT -p ICMP -i ppp0 -s 0/0 --icmp-type 11 -j ACCEPT
> 
> # (4) FORWARD chain rules
> # Accept packets we want to forward
> iptables -A FORWARD -i eth0 -s 192.168.0.0/16 -j ACCEPT
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
Last two rules allow telnet access to the internet.

> # (5) OUTPUT chain rules
> # only output packets with local addresses (no spoofing)
> iptables -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
> iptables -A OUTPUT -p ALL -s 192.168.0.88 -j ACCEPT
> iptables -A OUTPUT -p ALL -s 192.168.0.0/24 -j ACCEPT
I do not know who 192.168.0.88 is. If it is the firewall, then this rule
allows the firewall to answer to telnet, dns, whatever requests. Anyway,
you probably should add
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
This allows the firewall to answer all valid (see above) requests.
But I would strongly recommend reading some documents on (especially
stateful) firewalling, to understand what's going on.

> # (6) POSTROUTING chain rules
> iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

Cheers,

Ralf
-- 
Ralf Spenneberg
RHCE, RHCX

Book: Intrusion Detection für Linux Server   http://www.spenneberg.com
IPsec-Howto				     http://www.ipsec-howto.org
Honeynet Project Mirror:                     http://honeynet.spenneberg.org
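As an added example (not Alyn's script and not Ralf's code), the tighter version of the point discussed in this thread: instead of accepting everything from the LAN interface, accept tcp/23 to the firewall only when it arrives on eth0 from the LAN range, add the stateful OUTPUT rule Ralf suggests, and collapse the two loopback rules into one. Nothing is written for ppp0, so the DROP policy handles telnet from the outside. The `IPT` variable, the `telnet_rules` and `count_telnet_rules_for` function names and the interface/network values are assumptions taken from the original script; setting `IPT=echo` prints the rules instead of loading them, which is how the check at the bottom inspects the ruleset without root.

```shell
#!/bin/sh
# Added example, not the original poster's script. Interface and network
# names are assumptions matching the ruleset quoted in the thread.
IPT="${IPT:-iptables}"     # set IPT=echo to dry-run (print instead of load)
LAN_IF="eth0"
WAN_IF="ppp0"
LAN_NET="192.168.0.0/16"

telnet_rules() {
    # Loopback: trust everything on lo (replaces the two lo rules).
    "$IPT" -A INPUT -i lo -j ACCEPT

    # Telnet to the firewall itself: only new connections that arrive on the
    # LAN interface *and* carry a LAN source address. Matching both -i and -s
    # means a LAN address spoofed on $WAN_IF does not match this rule either.
    "$IPT" -A INPUT -p tcp -i "$LAN_IF" -s "$LAN_NET" --dport 23 \
        -m state --state NEW -j ACCEPT

    # Replies to anything already accepted, on every interface.
    "$IPT" -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Deliberately no rule for $WAN_IF: with "iptables -P INPUT DROP" in
    # place, tcp/23 arriving on ppp0 falls through to the policy and is dropped.
    # (Telnet is cleartext; the same rule shape with --dport 22 covers ssh.)
}

# Dry-run check: how many rules would admit tcp/23 on the given interface?
# Prints 0 when none match (grep -c exits 1 on zero matches, hence || true).
count_telnet_rules_for() {
    IPT=echo telnet_rules | grep -- "-i $1" | grep -c -- "--dport 23" || true
}

# Usage: "sh this.sh" loads the rules; "IPT=echo sh this.sh" prints them.
if [ "${1:-}" = "load" ]; then
    telnet_rules
fi
```

Run it with `IPT=echo` first and read the output before loading for real; the count helper is the same idea applied to one question (is there any telnet rule on ppp0?) and should answer 0.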


