On Wednesday 04 August 2004 4:00 am, david wrote:
> Dear Antony,
> I agree with you, I must block all traffic and accept one-by-one rules that
> I want, but the problem is I don't know how to do this

1. Here's the basic idea:

iptables -P FORWARD DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INTIF -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -i $INTIF -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -i $INTIF -p tcp --dport 53 -j ACCEPT
iptables -A FORWARD -j LOG

These rules mean "DROP any packets which I don't have a rule to ACCEPT, then ACCEPT all packets except the first of any connection, then ACCEPT the first packets for web browsing and DNS, then LOG any other packets which try to get through."

2. The important part of the above ruleset, for someone like you who is not quite sure what rules to use to ACCEPT the packets you want (and you don't want to default DROP any packets by omission), is the final LOG rule.

That rule will tell you what packets are trying to get through the ruleset, but haven't been ACCEPTed by one of the previous rules - and you may want to add a rule to specifically ACCEPT some of them.

Of course, you may *not* want to accept some of them either, so you're happy for those to continue being DROPped. In that case (packets you know that you don't want), the next refinement of the ruleset is:

3. Add some specific DROP rules just before the final LOG rule, so that the packets you know about and do not want get DROPped without being logged.
The final outcome of this is a ruleset which:

a) ACCEPTs the packets you know you want
b) DROPs the packets you know you don't want
c) LOGs any other packets you haven't thought about or weren't expecting

As you can see, you can build such a ruleset gradually - if you don't want to disrupt communications through the firewall as you do it, just leave the default policy on ACCEPT as you add the specific ACCEPT rules, and then once you have no more wanted packets being DROPped, you can set the policy to DROP and concentrate on cutting down what gets LOGged.

I do recommend studying one of the netfilter tutorials such as Oskar Andreasson's at http://iptables-tutorial.frozentux.net so that you get a better understanding of how packets make their way through netfilter, and also what packets are necessary for correct and efficient operation of a network (some of them may be non-obvious, such as TCP DNS in my mini-ruleset above, or certain types of ICMP packets etc).

Regards,

Antony.

-- 
Anyone that's normal doesn't really achieve much.
 - Mark Blair, Australian rocket engineer

Please reply to the list; please don't CC me.
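The log-driven loop Antony describes in steps 1 to 3, as an added Python example that is not part of the original post or of netfilter itself: it parses a constructed sample of the kernel log lines that the final `-j LOG` rule produces, tallies the unhandled packets by inbound interface, protocol and destination port (or ICMP type), and then renders the ordered FORWARD ruleset with the chosen ACCEPT rules and quiet DROP rules placed above the LOG rule. The sample log lines, interface name and addresses are constructed; the field names follow the netfilter LOG target's `KEY=VALUE` format. Nothing is applied to a live firewall; the script only prints the rules.

```python
import re
from collections import Counter

# Constructed sample of what the "-j LOG" rule writes to the kernel log.
# Addresses, interfaces and timestamps are made up for illustration.
SAMPLE_LOG = """\
Aug  4 04:10:01 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=40001 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
Aug  4 04:10:02 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.11 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=TCP SPT=40002 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
Aug  4 04:10:03 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=198.51.100.7 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=3 DF PROTO=TCP SPT=40003 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Aug  4 04:10:04 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.12 DST=198.51.100.9 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=4 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
Aug  4 04:10:05 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=5 DF PROTO=TCP SPT=40004 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# Matches the KEY=VALUE pairs; bare flags such as DF and SYN carry no "=" and are skipped.
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S+)")


def parse_log_line(line):
    """Return the KEY=VALUE fields of one LOG line as a dict.
    ICMP echo lines carry a second ID= (the echo identifier); the first wins."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        fields.setdefault(key, value)
    return fields


def flow_key(fields):
    """Reduce a logged packet to what it was trying to do:
    (inbound interface, protocol, destination port or ICMP type)."""
    proto = fields.get("PROTO", "?").lower()
    if proto == "icmp":
        service = "type " + fields.get("TYPE", "?")
    else:
        service = "dport " + fields.get("DPT", "?")
    return (fields.get("IN", "?"), proto, service)


def summarise(log_text):
    """Count logged packets per flow key, most frequent first.
    This is the list you go through deciding ACCEPT, DROP, or ignore."""
    counts = Counter()
    for line in log_text.splitlines():
        if "PROTO=" not in line:  # skip lines that are not netfilter LOG output
            continue
        counts[flow_key(parse_log_line(line))] += 1
    return counts.most_common()


def rule_for(key, target):
    """Render the explicit iptables rule that would handle one flow key."""
    iface, proto, service = key
    kind, value = service.split(" ", 1)
    if kind == "dport":
        match = "-p %s --dport %s" % (proto, value)
    else:
        match = "-p icmp --icmp-type %s" % value
    return "iptables -A FORWARD -i %s %s -j %s" % (iface, match, target)


def build_ruleset(accepts, drops):
    """Emit the ordered ruleset from the post: default DROP, allow the rest of
    established connections, explicit ACCEPTs, explicit quiet DROPs, then LOG
    whatever is left. Rules are appended in order, so the DROPs land just
    before the final LOG rule as step 3 requires. Returns the lines as text."""
    lines = [
        "iptables -P FORWARD DROP",
        "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]
    lines += [rule_for(key, "ACCEPT") for key in accepts]
    lines += [rule_for(key, "DROP") for key in drops]
    lines.append("iptables -A FORWARD -j LOG")
    return lines


if __name__ == "__main__":
    for key, count in summarise(SAMPLE_LOG):
        print("%5d  %s" % (count, key))
    # Decisions for the constructed sample: allow HTTPS, silently drop outbound SMTP,
    # leave ICMP echo logged until a decision is made.
    wanted = [("eth1", "tcp", "dport 443")]
    unwanted = [("eth1", "tcp", "dport 25")]
    print("\n".join(build_ruleset(wanted, unwanted)))
```

In practice `SAMPLE_LOG` would be replaced by the relevant lines of the kernel log, and the emitted rules reviewed before being run; keys that are neither accepted nor dropped keep appearing in the LOG output, which is exactly the "packets you haven't thought about" list the post describes.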