From: Antony Stone <Antony@xxxxxxxxxxxxxxxxxxxx>
Reply-To: netfilter@xxxxxxxxxxxxxxxxxxx
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Re: open ports
Date: Sun, 16 May 2004 10:43:06 +0100
On Sunday 16 May 2004 10:22 am, azeem ahmad wrote:
> Hi all,
> I have a LAN environment. Users from the LAN connect to the internet via my Linux
> box. On this box an iptables firewall runs. What ports should I open to allow
> users to get all the services, like all chat rooms and Yahoo and MSN messengers,
> and browsing, HTTP/FTP etc.?
1. Start with the following ruleset
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -j LOG
2. Get one of your LAN machines to attempt a connection to something you want to be allowed (eg: web browsing).
3. Look at the LOG entries to see what packets tried to get through the firewall (just before they are DROPped by the default policy).
4. Add a rule, between the two rules given above, to allow that type of traffic (eg: for web browsing: iptables -I FORWARD 2 -i $intIF -p tcp --dport 80 -j ACCEPT)
5. Read one of the networking tutorials from http://www.netfilter.org to get a
better understanding of what network protocols should always be allowed (eg:
both types of DNS), and how to find out what port numbers etc are used by the
services you want to allow through the system.
Regards,
Antony.
--
If you can't find an Open Source solution for it, then it isn't a real problem.
Please reply to the list;
please don't CC me.
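The log-to-rule step of the procedure above (steps 3 and 4), as an added example that is not part of the original post or of any netfilter project code: a Python script that parses netfilter LOG lines from the kernel log and emits the ACCEPT rules to insert at position 2 of FORWARD, one per distinct blocked flow. It goes slightly beyond the post in two ways a practitioner would want: it only proposes rules for traffic that entered on the LAN interface (unsolicited connections arriving from the Internet side are reported but left blocked), and it ignores stray TCP packets that are not connection attempts. The log lines are constructed, and the interface names eth1 (LAN) and eth0 (Internet), the `int_if` parameter and all function names are assumptions.

```python
"""Turn netfilter LOG lines from the 'log what is blocked' FORWARD ruleset
into candidate ACCEPT rules.  Added example, not code from the original post;
the log lines are constructed and the interface names are assumptions."""
import re
from collections import Counter

# Constructed sample of what the trailing LOG rule writes to the kernel log
# (eth1 is assumed to be the LAN side, eth0 the Internet side).
SAMPLE_LOG = """\
May 16 10:30:01 gw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=41231 DF PROTO=TCP SPT=45678 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
May 16 10:30:01 gw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.53 LEN=68 TOS=0x00 PREC=0x00 TTL=63 ID=41232 DF PROTO=UDP SPT=32768 DPT=53 LEN=48
May 16 10:30:02 gw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.11 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=9012 DF PROTO=TCP SPT=45679 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
May 16 10:30:03 gw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.53 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=41233 DF PROTO=TCP SPT=45680 DPT=53 WINDOW=5840 RES=0x00 SYN URGP=0
May 16 10:30:04 gw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.12 DST=203.0.113.9 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=7 DF PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
May 16 10:30:05 gw kernel: IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=555 DF PROTO=TCP SPT=54321 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
May 16 10:30:06 gw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=41234 DF PROTO=TCP SPT=45681 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
May 16 10:30:06 gw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=41235 DF PROTO=TCP SPT=45681 DPT=80 WINDOW=5840 RES=0x00 ACK URGP=0
May 16 10:30:07 gw sshd[2231]: Accepted publickey for azeem from 192.168.1.10
"""

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_log_line(line):
    """Return the KEY=value fields of one netfilter LOG line (plus the bare
    TCP flag tokens under 'FLAGS'), or None for any other syslog line."""
    if "IN=" not in line or "PROTO=" not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    fields["FLAGS"] = {tok for tok in line.split() if tok in TCP_FLAGS}
    return fields


def flow_key(fields):
    """Reduce a logged packet to (in_if, proto, selector): the destination
    port for TCP/UDP, the type for ICMP.  Returns None for TCP packets that
    are not connection attempts; a stray ACK or RST that conntrack has no
    state for is not a service to open."""
    proto = fields.get("PROTO", "").lower()
    if proto == "tcp":
        if "SYN" not in fields["FLAGS"] or "ACK" in fields["FLAGS"]:
            return None
        return (fields["IN"], "tcp", fields["DPT"])
    if proto == "udp":
        return (fields["IN"], "udp", fields["DPT"])
    if proto == "icmp":
        return (fields["IN"], "icmp", fields["TYPE"])
    return (fields["IN"], proto, "")


def blocked_flows(log_text):
    """Count the distinct flows the LOG rule saw (and the DROP policy then discarded)."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_log_line(line)
        if fields is None:
            continue
        key = flow_key(fields)
        if key is not None:
            counts[key] += 1
    return counts


def suggest_rules(log_text, int_if="eth1"):
    """Return (rules, ignored).  'rules' are the commands to insert at
    position 2 of FORWARD, between the ESTABLISHED,RELATED rule and the LOG
    rule, one per LAN-originated flow, most frequent first.  'ignored' lists
    flows that entered on any other interface: unsolicited traffic from the
    Internet side is left blocked rather than opened by mistake."""
    rules, ignored = [], []
    ordered = sorted(blocked_flows(log_text).items(), key=lambda kv: (-kv[1], kv[0]))
    for (in_if, proto, sel), seen in ordered:
        if in_if != int_if:
            ignored.append((in_if, proto, sel, seen))
            continue
        if proto in ("tcp", "udp"):
            match = f"-p {proto} --dport {sel}"
        elif proto == "icmp":
            match = f"-p icmp --icmp-type {sel}"
        else:
            match = f"-p {proto}"
        rules.append(f"iptables -I FORWARD 2 -i {int_if} {match} -j ACCEPT")
    return rules, ignored


if __name__ == "__main__":
    rules, ignored = suggest_rules(SAMPLE_LOG, int_if="eth1")
    print("\n".join(rules))
    for in_if, proto, sel, seen in ignored:
        print(f"# left blocked: {proto} {sel} in on {in_if} ({seen} packet(s))")
```

Run on a real box, feed it the kernel log (`dmesg` or `/var/log/kern.log`) instead of SAMPLE_LOG and review the printed commands before running them; every `-I FORWARD 2` lands ahead of the LOG rule, so the order in which you run them does not matter. The sample deliberately includes both the UDP and the TCP form of DNS on port 53 (the "both types of DNS" in step 5), an inbound SSH attempt on eth0 that must not be opened, and a stateless ACK that is filtered out.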