Hi

I have just finished reading the netfilter HOWTO and I'm just over halfway through Oskar Andreasson's tutorial. Here is my rule again; does this look correct?

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# web replies from the proxy (192.168.0.1) to this host (192.168.0.11)
-A INPUT -i eth0 -s 192.168.0.1 -p tcp -d 192.168.0.11 -m multiport --sport 80,8080 -j ACCEPT
# DNS answers from the proxy; UDP, to match the OUTPUT rule below (as posted
# this line said -p tcp, which would never match the UDP replies)
-A INPUT -i eth0 -s 192.168.0.1 -p udp -d 192.168.0.11 --sport 53 -j ACCEPT
# web requests to the proxy
-A OUTPUT -o eth0 -d 192.168.0.1 -p tcp -s 192.168.0.11 -m multiport --dport 80,8080 -j ACCEPT
# DNS queries to the proxy
-A OUTPUT -o eth0 -d 192.168.0.1 -p udp -s 192.168.0.11 --dport 53 -j ACCEPT
COMMIT

192.168.0.1 is my firewall and proxy.

Regards

On Sun, 28 Mar 2004 09:48:45 +0100 Antony Stone <Antony@xxxxxxxxxxxxxxxxxxxx> wrote:

> On Sunday 28 March 2004 9:31 am, IT Clown wrote:
>
> > Hi
> >
> > I have set up a local network using iptables as follows to access web pages:
> >
> > :INPUT DROP [0:0]
> >
> > -A INPUT -i eth0 -p tcp -m multiport --sport 80,8080 -j ACCEPT
>
> Let's just look at the above two rules I have extracted from your ruleset.
>
> The first says "default policy is to drop all incoming packets" (good idea).
>
> The second says "accept all TCP packets coming in through eth0 from any address to any service providing the source port is 80 or 8080" (not such a good idea).
>
> This will allow anything to connect to anything it can find (or run a port scan etc.) so long as the remote system uses source port 80 or 8080.
>
> > I would like to know if the way I set it up is correct or if there is a better way. The client can browse.
>
> I really would recommend you do what was suggested to you on Friday by David Cannings:
>
> > There are three things I would suggest. The first is reading two tutorials on http://www.netfilter.org/documentation/index.html - specifically the "packet filtering HOWTO" and the "NAT HOWTO".
> >
> > The second is Oskar's excellent iptables tutorial, at http://iptables-tutorial.frozentux.net/iptables-tutorial.html.
> >
> > The third is taking a while to work out what ports the services you mention work on. A basic feel for how TCP/IP connections work would help too. The knowledge that in most cases a client chooses a port >1024 and connects to the service port should suffice. People on the list could easily list the ports you need to allow or deny, but you'll learn a tremendous amount by spending 10 minutes working it out.
>
> Regards,
>
> Antony.
>
> --
> The first fifty percent of an engineering project takes ninety percent of the time, and the remaining fifty percent takes another ninety percent of the time.
>
> Please reply to the list; please don't CC me.
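The point Antony makes about matching on the source port, shown as an added example that is not part of this thread or of the tutorials it links: a toy model of the INPUT chain (first-match evaluation, DROP policy, and a minimal connection tracker standing in for `-m state --state ESTABLISHED`) is run against three rulesets, the rule he quoted, the address-pinned version from the follow-up post, and a stateful variant of that pinned rule which is this example's own suggestion. The proxy and client addresses are the thread's; the LAN attacker address 192.168.0.50, the port numbers and the packets themselves are constructed for the example.

```python
"""Toy model of an iptables INPUT chain, to show what the source-port objection means.

Added example for this thread, not code from the list or from the tutorials it
links. First matching rule wins, otherwise the chain policy applies; a minimal
connection tracker stands in for `-m state --state ESTABLISHED`.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    """One INPUT rule; None means 'not matched on', like an omitted iptables option."""
    target: str                              # ACCEPT or DROP
    proto: Optional[str] = None              # -p
    src: Optional[str] = None                # -s
    dst: Optional[str] = None                # -d
    sports: Optional[FrozenSet[int]] = None  # --sport / -m multiport --sports
    dports: Optional[FrozenSet[int]] = None  # --dport / -m multiport --dports
    state: Optional[str] = None              # -m state --state NEW|ESTABLISHED


Flow = Tuple[str, str, str, int, int]  # src, dst, proto, sport, dport


class InputChain:
    def __init__(self, rules: List[Rule], policy: str = "DROP") -> None:
        self.rules = rules
        self.policy = policy
        self.flows: Set[Flow] = set()  # connections this host itself opened

    def outbound(self, pkt: Packet) -> None:
        """Conntrack sees the host's own outgoing packet and remembers the flow."""
        self.flows.add((pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport))

    def state_of(self, pkt: Packet) -> str:
        """ESTABLISHED if the packet is the reverse of a flow we opened, else NEW."""
        reverse = (pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport)
        return "ESTABLISHED" if reverse in self.flows else "NEW"

    def matches(self, rule: Rule, pkt: Packet) -> bool:
        return (
            (rule.proto is None or rule.proto == pkt.proto)
            and (rule.src is None or rule.src == pkt.src)
            and (rule.dst is None or rule.dst == pkt.dst)
            and (rule.sports is None or pkt.sport in rule.sports)
            and (rule.dports is None or pkt.dport in rule.dports)
            and (rule.state is None or rule.state == self.state_of(pkt))
        )

    def inbound(self, pkt: Packet) -> str:
        """First matching rule decides; otherwise the chain policy applies."""
        for rule in self.rules:
            if self.matches(rule, pkt):
                return rule.target
        return self.policy


WEB = frozenset({80, 8080})
# 192.168.0.1 and 192.168.0.11 are the thread's proxy and client; the attacker is constructed.
PROXY, CLIENT, ATTACKER = "192.168.0.1", "192.168.0.11", "192.168.0.50"

# 1. The rule Antony quoted: only the protocol and source port are checked.
LOOSE = [Rule("ACCEPT", proto="tcp", sports=WEB)]
# 2. The follow-up ruleset: source and destination addresses pinned as well.
PINNED = [Rule("ACCEPT", proto="tcp", src=PROXY, dst=CLIENT, sports=WEB)]
# 3. Hardened (this example's suggestion, not from the thread): accept only
#    replies to connections the client opened itself (--state ESTABLISHED).
STATEFUL = [Rule("ACCEPT", proto="tcp", src=PROXY, dst=CLIENT, sports=WEB,
                 state="ESTABLISHED")]


def evaluate(rules: List[Rule]) -> Dict[str, str]:
    """Run three constructed inbound packets through a chain and report the verdicts."""
    chain = InputChain(rules)
    # The client fetches a page through the proxy; conntrack records the flow.
    chain.outbound(Packet(CLIENT, PROXY, "tcp", 40000, 8080))
    return {
        # the proxy's legitimate reply to that request
        "proxy_reply": chain.inbound(Packet(PROXY, CLIENT, "tcp", 8080, 40000)),
        # a LAN host probing ssh with a chosen source port of 80 (e.g. nmap -g 80)
        "lan_scan": chain.inbound(Packet(ATTACKER, CLIENT, "tcp", 80, 22)),
        # the same probe sent with the proxy's address as source
        "spoofed_scan": chain.inbound(Packet(PROXY, CLIENT, "tcp", 80, 22)),
    }


if __name__ == "__main__":
    for name, rules in (("loose", LOOSE), ("pinned", PINNED), ("stateful", STATEFUL)):
        print(name, evaluate(rules))
```

The loose rule accepts all three packets; pinning the addresses stops the ordinary LAN scan but still lets anything that arrives from (or claims to be) 192.168.0.1 with source port 80 reach port 22, because a reply and a fresh connection look identical when only addresses and ports are inspected. Only the stateful variant drops it. In real iptables the stateful rule would be written as the follow-up's INPUT rule with `-m state --state ESTABLISHED` added; the reverse of each OUTPUT rule is then covered by that one match instead of by a per-port source-port rule.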