I suggest you take a tour through Oskar Andreasson's excellent tutorial. You can find a link to it in the tutorials section of the netfilter web site. There is also a training slide show in the training section of http://iscs.sourceforge.net

- John

On Thu, 2004-06-24 at 08:33, Steve Comfort wrote:
> Hi gents,
>
> About all I've done so far is cross-compile iptables for an XScale ARM
> based system. And of course read the FAQ a few times, but it's still
> pretty much Greek to me :) I found the attached script which seemed like
> a good place to start.
>
> Running it produces the output below:
>
> iptables v1.2.: can't initialize iptables table `ACC': Table does not
> exist (do you need to run insmod. Perhaps iptables or your kernel needs
> to be upgraded.
> iptables v1.2.: can't initialize iptables table `ACC': Table does not exist
> iptables v1.2.: can't initialize iptables table `ACC': Table does not
> exist .
> iptables v1.2.: Can't use -N with -A
>
> Try `iptables -h' or 'iptables --help' for more information.
> /sbin/firewall: -A: command not found
>
> As far as I know, the kernel has been compiled with IP filtering turned
> on (I can send the options that I've checked if this would help?).
>
> Question 1: What is table ACC? Perhaps ACCEPT truncated (for some
> unknown reason)?
>
> Question 2: If I want to start off by writing my own extremely simple
> tables, where should these be stored, or is there a way to tell iptables
> where to look for them?
>
> Running iptables -L -v produces the following:
>
> Chain INPU (policy DROP 0 packets, 0 bytes
>  pkts byte targ prot opt sour          destinat
>     0    0 ACCE      --  anywhere      anywhere
>     0    0 DROP icmp --  anywhere      anywhere
>    52 4744 ACCE      --  ixp1 192.168.200.  anywhere
>     0    0 RETU      --  anywhere      anywhere
>
> Chain FORW (policy DROP 0 packets, 0 bytes
>  pkts byte targ prot opt sour          destinat
>     0    0 DROP icmp --  anywhere      anywhere
>
> Chain OUTP (policy DROP 14 packets, 8600 bytes
>  pkts byte targ prot opt sour          destinat
>     0    0 ACCE      --  anywhere      anywhere
>     0    0 DROP icmp --  anywhere      anywhere
>    30 4168 ACCE      --  ixp1 anywhere      192.168.200.
>     0    0 RETU      --  anywhere      anywhere
>
> It seems the table names are being truncated here to 4 characters??
>
> Best regards
> Steve Comfort
>
> ______________________________________________________________________
> #!/bin/sh
> #
> # Incoming                   / \          Outgoing
> #  -->[Routing ]--->|FORWARD|------->
> #     [Decision]     \_____/     ^
> #         |                      |
> #         v                    ____
> #        ___                  /    \
> #       /   \                |OUTPUT|
> #      |INPUT|                \____/
> #       \___/                    ^
> #         |                      |
> #         `----> Local Process ----'
>
> # lan interface
> iface=ixp1
>
> # lan network
> network=192.168.200.0/24
>
> # path to iptables
> ipt=/sbin/iptables
>
> ##############
> ## Defaults ##
> ##############
>
> for i in filter nat mangle; do
>     # flush all tables
>     $ipt -t $i -F
>
>     # zero counters
>     $ipt -t $i -Z
>
>     # delete user-defined chains
>     $ipt -t $i -X
> done
>
> # default policy
> $ipt -P INPUT DROP
> $ipt -P OUTPUT DROP
> $ipt -P FORWARD DROP
>
> ##############
> ## Loopback ##
> ##############
> $ipt -A INPUT -i lo -j ACCEPT
> $ipt -A OUTPUT -o lo -j ACCEPT
>
> ##########
> ## ICMP ##
> ##########
>
> # we allow all ICMP types, but only at a reasonable rate so
> # that we don't get flooded.
>
> for i in INPUT OUTPUT FORWARD; do
>     # accept up to 100 unfragmented icmp packets per second
>     $ipt -A $i -p icmp ! -f -m limit --limit 100/second -j ACCEPT
>
>     # drop any other icmp packets
>     $ipt -A $i -p icmp -j DROP
> done
>
> ##################################
> ## Traffic to/from the firewall ##
> ##################################
>
> # this can come before all the other stuff because we're very
> # paranoid regarding traffic destined/originating from ourselves.
>
> # allow traffic to/from the lan
> $ipt -A INPUT -i $iface -s $network -j ACCEPT
> $ipt -A OUTPUT -o $iface -d $network -j ACCEPT
>
> # allow traffic originating from pris
> $ipt -A INPUT -i ! $iface -m state --state ESTABLISHED,RELATED -j ACCEPT
> $ipt -A OUTPUT -o ! $iface -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
>
> for i in INPUT OUTPUT; do
>     # we're done here
>     $ipt -A $i -j RETURN
> done
>
> #########################
> ## Traffic to/from LAN ##
> #########################
>
> # allow all traffic originating from us
> $ipt -A FORWARD -i $iface -s $network -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> $ipt -A FORWARD -o $iface -d $network -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # allow ssh, ident, smtp, http, https from anywhere
> #for i in 22 110 113 25 80 443 3128; do
> #    $ipt -A FORWARD -i ! $iface -d $network -p tcp --destination-port $i --syn -m state --state NEW -j ACCEPT
> #    $ipt -A FORWARD -i ! $iface -d $network -p tcp --destination-port $i -m state --state ESTABLISHED,RELATED -j ACCEPT
> #    $ipt -A FORWARD -o $iface -s $network -p tcp --source-port $i -m state --state ESTABLISHED,RELATED -j ACCEPT
> #done

--
Open Source Development Corporation
Financially sustainable open source development
http://www.opensourcedevelopmentcorp.com
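An offline audit of a saved `iptables -L -v` listing, added here as an example and not part of the thread or of Steve's script: it prints each chain's policy and flags any chain or target name that is a proper prefix of a well-known built-in name (INPU for INPUT, ACCE for ACCEPT), which is exactly the symptom in the quoted listing. The sample listing is constructed to mimic that output, and the function names chain_policies and truncated_names are mine.

```shell
#!/bin/sh
# Audit an "iptables -L -v" filter-table listing read from stdin.
# Added example; not from the thread or the script quoted above.

# Constructed sample mimicking the truncated listing quoted in the thread.
SAMPLE_LISTING='Chain INPU (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in   out  source            destination
    0     0 ACCE   all  --  any  any  anywhere          anywhere
    0     0 DROP   icmp --  any  any  anywhere          anywhere
   52  4744 ACCE   all  --  ixp1 any  192.168.200.0/24  anywhere
    0     0 RETU   all  --  any  any  anywhere          anywhere

Chain FORW (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in   out  source            destination
    0     0 DROP   icmp --  any  any  anywhere          anywhere'

# chain_policies: print "<chain> <policy>" for each chain header. User-defined
# chains (header "Chain foo (N references)") carry no policy and print "-".
chain_policies() {
    awk '/^Chain / { print $2, (($3 == "(policy") ? $4 : "-") }'
}

# truncated_names: print every chain or target name that is a proper prefix of
# a well-known built-in chain or target (INPU -> INPUT, ACCE -> ACCEPT), once
# each. A healthy listing prints nothing; a user-defined chain that happens to
# be such a prefix (e.g. "IN") would be a false positive.
truncated_names() {
    awk -v known="INPUT FORWARD OUTPUT PREROUTING POSTROUTING ACCEPT DROP RETURN REJECT LOG" '
        BEGIN { n = split(known, k, " ") }
        function check(name,   i) {
            for (i = 1; i <= n; i++)
                if (name != k[i] && index(k[i], name) == 1 && !(name in seen)) {
                    seen[name] = 1; print name
                }
        }
        /^Chain /  { check($2); next }   # chain header: name is field 2
        /^ *pkts / { next }              # column header line
        NF >= 3    { check($3) }         # rule line: target is field 3
    '
}

# Run the audit on the constructed sample when executed directly.
printf '%s\n' "$SAMPLE_LISTING" | chain_policies
printf '%s\n' "$SAMPLE_LISTING" | truncated_names
```

Feed it a real listing with `iptables -L -v | sh -c '. ./audit.sh; truncated_names'` or simply pipe the saved output into the functions after sourcing the file.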