Re: client on local network

On Sunday 28 March 2004 9:31 am, IT Clown wrote:

> Hi
>
> I have set up a local network user's iptables as follows to
> access webpages:
>
> :INPUT DROP [0:0]
>
> -A INPUT -i eth0 -p tcp -m multiport --sport 80,8080 -j ACCEPT

Let's just look at the above two rules I have extracted from your ruleset.

The first says "default policy is to drop all incoming packets" (good idea).

The second says "accept all TCP packets coming in through eth0 from any 
address to any service providing the source port is 80 or 8080" (not such a 
good idea).

This will allow anything to connect to anything it can find (or run a port 
scan etc) so long as the remote system uses source port 80 or 8080.

> I would like to know whether the way I set it up is correct or if there is a
> better way. The client can browse.

I really would recommend you do what was suggested to you on Friday by David 
Cannings:

> There are three things I would suggest.  The first is reading two
> tutorials on http://www.netfilter.org/documentation/index.html -
> specifically the "packet filtering HOWTO" and the "NAT HOWTO".
>
> The second is Oskar's excellent iptables tutorial, at
> http://iptables-tutorial.frozentux.net/iptables-tutorial.html.
>
> The third is taking a while to work out what ports the services you
> mention work on.  A basic feel for how TCP/IP connections work would help
> too.  The knowledge that in most cases a client chooses a port >1024 and
> connects to the service port should suffice.  People on the list could
> easily list the ports you need to allow or deny but you'll learn a
> tremendous amount by spending 10 minutes working it out.

Regards,

Antony.

-- 
The first fifty percent of an engineering project takes ninety percent of the 
time, and the remaining fifty percent takes another ninety percent of the 
time.

                                                     Please reply to the list;
                                                           please don't CC me.
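To make the point in Antony's reply concrete, here is an added toy model (not from the thread, and not iptables itself) that evaluates the original source-port rule and the usual stateful alternative, `-m state --state ESTABLISHED,RELATED`, against two constructed packets: a genuine reply to a web request and an unsolicited connection to port 22 sent from source port 80. The addresses and the tuple-based connection table are assumptions made for the illustration.

```python
# Added illustration, not code from the thread. A minimal model of two INPUT
# chains with default policy DROP, showing why matching on source port alone
# admits unsolicited connections while a conntrack-style rule does not.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    iface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = True  # True for a new connection attempt, False for a reply


def weak_input_chain(pkt: Packet) -> str:
    """':INPUT DROP' + '-A INPUT -i eth0 -p tcp -m multiport --sport 80,8080 -j ACCEPT'."""
    if pkt.iface == "eth0" and pkt.proto == "tcp" and pkt.sport in (80, 8080):
        return "ACCEPT"
    return "DROP"  # default policy


def stateful_input_chain(pkt: Packet, conntrack: set) -> str:
    """':INPUT DROP' + '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'.

    conntrack is an assumed table of (local_ip, local_port, remote_ip, remote_port)
    tuples for connections the client opened itself; only a non-SYN packet whose
    4-tuple is already there counts as ESTABLISHED."""
    if not pkt.syn and (pkt.dst, pkt.dport, pkt.src, pkt.sport) in conntrack:
        return "ACCEPT"
    return "DROP"


def demo() -> dict:
    # Constructed addresses: 192.0.2.10 is the client, 198.51.100.5 a web server
    # it connected to, 203.0.113.7 an outside host the client never contacted.
    conntrack = {("192.0.2.10", 45123, "198.51.100.5", 80)}
    reply = Packet("eth0", "tcp", "198.51.100.5", 80, "192.0.2.10", 45123, syn=False)
    probe = Packet("eth0", "tcp", "203.0.113.7", 80, "192.0.2.10", 22, syn=True)
    return {
        "reply_weak": weak_input_chain(reply),            # ACCEPT
        "reply_stateful": stateful_input_chain(reply, conntrack),  # ACCEPT
        "probe_weak": weak_input_chain(probe),            # ACCEPT: the problem
        "probe_stateful": stateful_input_chain(probe, conntrack),  # DROP
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Both chains let the real reply through; only the source-port rule also lets the unsolicited packet to port 22 through, which is exactly the "anything can connect to anything" behaviour described above.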
