On Sat 13/09/2003 at 08:42, Arnt Karlsen wrote:
> ..wrong snippet. ;-) Reread the thread, and you'll see both I
> and Cedric weren't too clear on what we meant to say, we _implied_
> things instead of actually _saying_ them

So, for the things to get clear, the whole script should be[1] :

# default policies: drop whatever is not explicitly accepted below
$IPTABLES -P FORWARD DROP
$IPTABLES -P INPUT DROP
# let replies and related traffic of already accepted connections through
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# new connections from the LAN only to DNS, HTTP and POP3
$IPTABLES -A FORWARD -m state --state NEW -s 125.125.125.0/32 -p tcp \
    -m tcp --dport 53 -j ACCEPT
$IPTABLES -A FORWARD -m state --state NEW -s 125.125.125.0/32 -p udp \
    -m udp --dport 53 -j ACCEPT
$IPTABLES -A FORWARD -m state --state NEW -s 125.125.125.0/32 -p tcp \
    -m tcp --dport 80 -j ACCEPT
$IPTABLES -A FORWARD -m state --state NEW -s 125.125.125.0/32 -p tcp \
    -m tcp --dport 110 -j ACCEPT
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
echo "1" > /proc/sys/net/ipv4/ip_forward

A -m state --state NEW,ESTABLISHED,RELATED _should not_ be used, as it's a
quasi-generic full match (i.e. nearly matches all packets).

[1] Note I made a typo in my <1063363533.879.52.camel@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> post, it's FORWARD, not INPUT...

--
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
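As an added example (not part of the thread or of the poster's script), a small shell lint that catches the two slips discussed above in a set of iptables rule lines: the near-catch-all `--state NEW,ESTABLISHED,RELATED` match, and a `-p udp` rule paired with `-m tcp` (the match module does not fit the protocol). The sample rule lines are constructed here and mirror the posted ruleset; `lint_rules` and `count_findings` are names chosen for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Reads iptables rule lines on stdin
# (one rule per line, backslash continuations already joined) and prints one
# "LINE:<n> <problem>" per finding. Exit status 1 if anything was found.
lint_rules() {
    awk '
    {
        n++
        if ($0 ~ /--state[ =]*NEW,ESTABLISHED,RELATED/) {
            print "LINE:" n " quasi-generic state match NEW,ESTABLISHED,RELATED"
            found = 1
        }
        if ($0 ~ /-p[ ]+udp/ && $0 ~ /-m[ ]+tcp/) {
            print "LINE:" n " -p udp used with -m tcp (should be -m udp)"
            found = 1
        }
        if ($0 ~ /-p[ ]+tcp/ && $0 ~ /-m[ ]+udp/) {
            print "LINE:" n " -p tcp used with -m udp (should be -m tcp)"
            found = 1
        }
    }
    END { exit found + 0 }
    '
}

# Constructed sample: the posted ruleset with its original udp/tcp slip (line 2)
# plus one rule using the state match the author warns against (line 3).
SAMPLE_RULES='iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW -s 125.125.125.0/32 -p udp -m tcp --dport 53 -j ACCEPT
iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW -s 125.125.125.0/32 -p tcp -m tcp --dport 80 -j ACCEPT'

# Number of findings for the sample ruleset (2: lines 2 and 3).
count_findings() {
    printf '%s\n' "$SAMPLE_RULES" | lint_rules | wc -l | tr -d ' '
}

# Show the findings; "|| :" keeps the non-zero lint status from aborting under set -e.
printf '%s\n' "$SAMPLE_RULES" | lint_rules || :
```

To lint a real script, join the backslash-continued lines first (e.g. `sed -e ':a' -e '/\\$/N; s/\\\n//; ta' rules.sh | lint_rules`).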