On Monday 15 March 2004 1:28 pm, netfilter@xxxxxxxxx wrote:

> Is this a good and secure Firewall Script?

> echo "1" > /proc/sys/net/ipv4/ip_forward # Initialising of Forwarding

Suggest you do this at the end, after setting up all the rules, instead of at the beginning, when some packets might get forwarded before you're ready.

> iptables -F sperre
> iptables -X sperre
> iptables -N sperre

I notice you are calling this user-defined chain from both INPUT and FORWARD - this means that all the protocols you allow *through* the firewall are also accepted *to* it - is this what you want?

> iptables -A sperre -i eth1 --dport 22,19,21,22,25,3389,1723,23000:23001 -j
> ACCEPT # Allow outbound only for specific ports

For example, the above rule is going to get called by both FORWARD and INPUT - think about whether that's what you meant to set up.

> iptables -A sperre -p tcp --dport 23001:23001 -j ACCEPT # Battlefield

Did you mean "--dport 23000:23001"?

> iptables -A sperre -m state --state ESTABLISHED,RELATED -j ACCEPT

Put this rule at the top of the chain, so it gets matched first - nearly all of your traffic will match here, so make it efficient to process.

> iptables -A PREROUTING -t nat -i eth0 -p 37 -j DNAT --to 192.168.1.220

You have a VPN which uses protocol 37 (DDP: Datagram Delivery Protocol) ??? I think you mean 47: GRE.

> # Special Rules
> iptables -A INPUT -i eth0 -s 0/0 -p tcp --destination-port 25 -j ACCEPT
> iptables -A OUTPUT -o eth1 -s 0/0 -p tcp --destination-port 25 -j ACCEPT
> iptables -A INPUT -i eth0 -s 192.168.1.0/24 -p tcp --destination-port 25 -j
> ACCEPT

No need for this rule as packets will match on the INPUT rule above (unless you meant eth1?)

> iptables -A INPUT lo -p tcp --destination-port 10024 -j ACCEPT

Missing a "-i" there :)

> echo "Firewall started"

Good luck.

Antony.

--
Most people have more than the average number of legs.
Please reply to the list; please don't CC me.
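The mistakes Antony picks out (forwarding switched on before the rules exist, a port list given to `--dport` without `-m multiport`, a one-port "range", the ESTABLISHED,RELATED rule buried in the chain, a numeric protocol that is not the one intended, a chain shared by INPUT and FORWARD, and a bare `lo` with no `-i`) are all mechanically detectable before a script ever touches a live firewall. The checker below is an added example, not code from the thread or from the netfilter project; `lint`, `parse_rule`, the finding codes and the `SAMPLE` ruleset are my own names. `SAMPLE` is a constructed reconstruction of the quoted script, with the INPUT and FORWARD jumps to `sperre` that the reply mentions but the quote does not show.

```python
"""Static lint for iptables shell scripts: flags the ordering and syntax mistakes raised in the review."""
import re
import shlex

# IANA protocol numbers relevant to the checks (constructed subset)
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 37: "DDP", 47: "GRE", 50: "ESP", 51: "AH"}
PORT_PROTOS = {"tcp", "udp", "udplite", "sctp", "dccp"}
ONE_ARG = {"-t", "-p", "-i", "-o", "-s", "-d", "-j", "-N", "-X", "-F", "-D",
           "--dport", "--destination-port", "--dports", "--sport", "--source-port",
           "--sports", "--state", "--ctstate", "--to", "--to-destination", "--to-source"}
IP_FORWARD_ON = re.compile(r'echo\s+"?1"?\s*>\s*/proc/sys/net/ipv4/ip_forward')


def parse_rule(argv):
    """Reduce an iptables argv into option -> value, plus -m modules and bare (flag-less) tokens."""
    o = {"chain": None, "modules": [], "bare": []}
    i = 1
    while i < len(argv):
        tok = argv[i]
        nxt = argv[i + 1] if i + 1 < len(argv) else None
        has_arg = nxt is not None and not nxt.startswith("-")
        if tok in ("-A", "-I") and has_arg:
            o["chain"] = nxt
            i += 2
            if i < len(argv) and argv[i].isdigit():  # "-I CHAIN rulenum"
                i += 1
        elif tok == "-P":                            # "-P CHAIN POLICY"
            i += 3
        elif tok == "-m" and has_arg:
            o["modules"].append(nxt)
            i += 2
        elif tok in ONE_ARG and has_arg:
            o[tok] = nxt
            i += 2
        elif tok.startswith("-"):
            i += 1
        else:
            o["bare"].append(tok)                    # e.g. "lo" written without -i
            i += 1
    return o


def lint(script):
    """Return [(lineno, code, message)] for the problems found in an iptables script."""
    findings, rules_seen = [], False
    rule_count, user_chains, jump_sources = {}, set(), {}
    for lineno, raw in enumerate(script.splitlines(), 1):
        line = raw.strip()
        if IP_FORWARD_ON.search(line):
            if not rules_seen:   # forwarding on before any rule: packets pass unfiltered meanwhile
                findings.append((lineno, "FORWARD_EARLY", "enable ip_forward after the rules, not before"))
            continue
        try:
            argv = shlex.split(line, comments=True)
        except ValueError:
            continue
        if not argv or argv[0] != "iptables":
            continue
        o = parse_rule(argv)
        if "-N" in o:
            user_chains.add(o["-N"])
        chain = o["chain"]
        if chain is None:
            continue
        rules_seen = True
        rule_count[chain] = rule_count.get(chain, 0) + 1
        if o["bare"]:
            findings.append((lineno, "MISSING_IFACE_FLAG", f"bare token {o['bare'][0]!r}; missing -i/-o?"))
        port = o.get("--dport") or o.get("--destination-port") or o.get("--dports")
        if port:
            if o.get("-p") not in PORT_PROTOS:
                findings.append((lineno, "PORT_WITHOUT_PROTO", "port match needs -p tcp/udp"))
            if "," in port and "multiport" not in o["modules"]:
                findings.append((lineno, "MULTIPORT_SYNTAX", "port lists need -m multiport --dports"))
            m = re.fullmatch(r"(\d+):(\d+)", port)
            if m and m.group(1) == m.group(2):
                findings.append((lineno, "DEGENERATE_RANGE", f"range {port} is a single port; typo?"))
        proto = o.get("-p")
        if proto and proto.isdigit():   # spell the number out so a wrong protocol is obvious
            findings.append((lineno, "NUMERIC_PROTO", f"-p {proto} is {PROTO_NAMES.get(int(proto), 'unknown')}"))
        state = o.get("--state") or o.get("--ctstate")
        if state and "ESTABLISHED" in state and rule_count[chain] > 1:
            findings.append((lineno, "STATE_RULE_NOT_FIRST", f"put the ESTABLISHED rule first in {chain}"))
        target = o.get("-j")
        if target in user_chains:
            srcs = jump_sources.setdefault(target, set())
            srcs.add(chain)
            if len(srcs) == 2:   # reported once, when the second caller appears
                findings.append((lineno, "SHARED_CHAIN", f"{target} reached from {sorted(srcs)}: same rules for traffic to and through the host"))
    return findings


# Constructed reconstruction of the quoted script, jumps to "sperre" added as the reply describes
SAMPLE = """\
echo "1" > /proc/sys/net/ipv4/ip_forward   # Initialising of Forwarding
iptables -F sperre
iptables -X sperre
iptables -N sperre
iptables -A sperre -i eth1 --dport 22,19,21,22,25,3389,1723,23000:23001 -j ACCEPT
iptables -A sperre -p tcp --dport 23001:23001 -j ACCEPT   # Battlefield
iptables -A sperre -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -j sperre
iptables -A FORWARD -j sperre
iptables -A PREROUTING -t nat -i eth0 -p 37 -j DNAT --to 192.168.1.220
iptables -A INPUT lo -p tcp --destination-port 10024 -j ACCEPT
"""

if __name__ == "__main__":
    for n, code, msg in lint(SAMPLE):
        print(f"line {n}: {code}: {msg}")
```

Run against `SAMPLE` it reports every point made in the reply, one finding per line, and stays silent on a ruleset that opens with the ESTABLISHED,RELATED rule and uses `-i lo`. The checker deliberately only reads the script: it never invokes iptables, so it can run on a workstation without root and be wired into whatever review step the script goes through before deployment.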