RE: Gateway \ FW

Hi Anthony and all

Thank you for reviewing my rule set and I kinda sorted it out
accordingly.

If possible, could you please advise, forward a link or an example of what
you mean by "very few FORWARD rules". The intent of this machine is to be a
gateway, a link for me and my users to browse / access the internet. My
connection is ADSL.

In terms of your 2nd option on the list, you're 100% correct in that the
default policy is DROP.
Therefore, am I correct in understanding you that there is NO need for any
of these DROP rules
and that I only need ACCEPT \ FORWARD rules?

thanks very much for your feedback, I really appreciate it.

Kind Regards
Brent Clark

-----Original Message-----
From: netfilter-admin@xxxxxxxxxxxxxxxxxxx
[mailto:netfilter-admin@xxxxxxxxxxxxxxxxxxx]On Behalf Of Antony Stone
Sent: Monday, July 19, 2004 11:37 AM
To: iptables
Subject: Re: Gateway \ FW


On Monday 19 July 2004 9:49 am, Brent Clark wrote:

> Hi all
>
> I once again ask if anyone would be so kind as to review my rules and, sure
> some advice.

> I also have a rule as such /sbin/iptables -A FORWARD -i eth1 -o eth0 -j
> ACCEPT which looks very wrong to me,

Why does it look very wrong to you? What's the problem with it? It seems
to me to be a rule allowing any traffic from your internal network to the
Internet - is that not what you want?

A few other comments on your ruleset:

1. You have a LOT of INPUT and OUTPUT rules, and apparently very few FORWARD
rules, and yet this machine seems to be acting as a gateway router to the
Internet.

2. You have a lot of specific DROP rules (as well as a default DROP policy).
Is there some good reason why you do not simply have specific ACCEPT rules
for the traffic you *want* (the rules for which would presumably be much
simpler and shorter than all the rules for the stuff you want to DROP), and
then the default DROP policy?

3. You have a line near the top of your ruleset:
"/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT",
and then about half way down:
"/sbin/iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT".
The second is redundant, as the first will accept ESTABLISHED and RELATED
packets no matter what the interfaces are.

Regards,

Antony.

--
Bill Gates has personally assured the Spanish Academy that he will never allow
the upside-down question mark to disappear from Microsoft word-processing
programs, which must be reassuring for millions of Spanish-speaking people,
though just a piddling afterthought as far as he's concerned.

 - Lynne Truss, "Eats, Shoots and Leaves"

Please reply to the list; please don't CC me.


Attachment: IP_FW_RULES
Description: Binary data
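Antony's three points turned into a minimal gateway ruleset, as an added example that is neither Brent's attached rules nor anything posted in the thread. It assumes eth0 is the ADSL/Internet side and eth1 the LAN side (as in the quoted FORWARD rule); the LAN subnet and the DNS/SSH services offered to the LAN are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or Brent's attached ruleset): a minimal
# gateway ruleset built around Antony's three points. Assumes eth0 = ADSL side,
# eth1 = LAN side (as in the quoted rule); LAN subnet and services are constructed.
# IPT defaults to "echo /sbin/iptables" so the ruleset can be reviewed as text
# without root; run with IPT=/sbin/iptables to apply it for real.
IPT=${IPT:-"echo /sbin/iptables"}
WAN=eth0
LAN=eth1
LAN_NET=192.168.0.0/24   # constructed placeholder, adjust to your LAN

gateway_rules() {
    # Point 2: flush, then let the default DROP policy do all the dropping.
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP

    # Point 3: one interface-independent state rule per chain is enough.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # INPUT: only what the LAN needs from the gateway box itself (DNS, SSH).
    $IPT -A INPUT -i $LAN -s $LAN_NET -p udp --dport 53 -j ACCEPT
    $IPT -A INPUT -i $LAN -s $LAN_NET -p tcp --dport 22 -j ACCEPT

    # OUTPUT: the gateway's own new connections (DNS lookups, updates).
    $IPT -A OUTPUT -m state --state NEW -j ACCEPT

    # Point 1: FORWARD is where a gateway does its work. One rule lets the LAN
    # open connections to the Internet; replies come back through the
    # ESTABLISHED,RELATED rule and anything new from the Internet hits the DROP
    # policy, so no explicit DROP rules are needed. -s keeps packets with
    # spoofed source addresses from being forwarded.
    $IPT -A FORWARD -i $LAN -o $WAN -s $LAN_NET -m state --state NEW -j ACCEPT

    # Share the single ADSL address. ip_forward must also be enabled via sysctl.
    $IPT -t nat -A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE
}

# Review helpers: count rules of a kind in the generated ruleset.
count_forward_rules() { gateway_rules | grep -c -- '-A FORWARD' || true; }
count_drop_rules()    { gateway_rules | grep -- '-A ' | grep -c -- '-j DROP' || true; }

gateway_rules
```

With the echo default the script prints the two FORWARD rules and no DROP rules beyond the three policies, which is the shape Antony describes.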

