On Wed, 2004-12-15 at 12:16, Jason Williams wrote:
> >Welcome to netfilter/iptables - it's a fabulous product. You do indeed
> >seem to know what you are doing. I'll make some comments in your text.
>
> Thanks for the welcome. I am quite intrigued with iptables. Definitely
> different and a new thing to learn.
>
> <snip>
>
> > > #Simple NAT setup
> > >
> > > $IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP
>
> This should be correct for my NAT setup on my private LAN, correct? Think
> so, just want to double check.

Yes, that looks fine. You could further constrain it by -s $LAN_IP but I
don't think it's necessary.

> > >
> > > # Accept the packets we actually want to forward
> > >
> > > $IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
> > > $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> > > $IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
> > >     --log-level DEBUG --log-prefix "IPT FORWARD packet died: "
> > >
> > > # INPUT chain
> > >
> > > $IPTABLES -A INPUT -p tcp -j bad_tcp_packets
> >Since you're not accepting any packets on the INPUT chain, you don't
> >need to filter bad packets unless you want to log them. Are you sure
> >you don't want to accept RELATED,ESTABLISHED traffic on your INPUT
> >chain?
>
> Hmm. Good point. Just to make sure I follow: even though I am not accepting
> any packets on the INPUT chain, traffic from the private LAN still should
> traverse through the firewall and back, correct? Assuming that is correct,
> then the problems I would have would be the loopback interface (stuff
> like X windows, subsystems) and also when the host itself tries to call the
> internet for patches, packages etc. Is that a correct assumption?

Yes, exactly.

> > >
> > > # OUTPUT chain
> > >
> > > $IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets
> >Are you expecting bad packets on your OUTPUT chain?
> > >
> > > #
> > > # Special OUTPUT rules to decide which IP's to allow.
> > > #
> > >
> > > $IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
> > > $IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT
> >I believe you can drop the -p ALL. What about traffic on lo?
>
> Yep. Forgot the loopback interface.
>
> I will be poring over my book and how-tos today.
> Just a quick question. Is there a website, other than the netfilter website,
> that has some sample table scripts? I'd like to see just a few examples of
> simple iptables scripts so I can further wrap my head around this.
> My intention with this first script was to put together a simple firewall
> script that would block my private LAN, do NAT and of course pass traffic to
> and from the private LAN.
<snip>

I've always found Oskar Andreasson's tutorial very helpful and it includes
a number of scripts
(http://iptables-tutorial.frozentux.net/iptables-tutorial.html). I think
there are some sample scripts on the Shorewall site
(http://www.shorewall.net) and there are a few slide shows on
http://iscs.sourceforge.net

Good luck - John
-- 
John A. Sullivan III
Open Source Development Corporation
Financially sustainable open source development
http://www.opensourcedevel.com
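The ruleset the thread converges on, as an added example that is not Jason's script or John's code: loopback and RELATED,ESTABLISHED accepted on INPUT, loopback accepted on OUTPUT, the redundant -p ALL dropped, and the SNAT rule constrained by source. Interface names, addresses, the DROP policies and the LAN_NET subnet variable (used for the -s match instead of the gateway's single address, so every LAN host is translated) are assumptions for illustration; the bad_tcp_packets chain from the original script is not reproduced because its contents are not in the thread.

```shell
#!/bin/sh
# Added example, not the script from the thread. Variables below are
# placeholders (assumed values); INET_IP uses a documentation address.
LAN_IFACE="${LAN_IFACE:-eth1}"
INET_IFACE="${INET_IFACE:-eth0}"
LAN_IP="${LAN_IP:-192.168.1.1}"          # firewall's own LAN address
LAN_NET="${LAN_NET:-192.168.1.0/24}"     # LAN subnet (assumed) for the SNAT -s match
INET_IP="${INET_IP:-203.0.113.10}"       # firewall's public address
# Dry run by default: print each command instead of executing it.
# Set IPTABLES=/sbin/iptables (as root) to apply the rules for real.
IPTABLES="${IPTABLES:-echo iptables}"

load_rules() {
    # Default-deny on every filter chain (assumed); only matched traffic passes.
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT DROP

    # NAT for the LAN, limited to packets actually sourced from the LAN subnet.
    $IPTABLES -t nat -A POSTROUTING -s $LAN_NET -o $INET_IFACE -j SNAT --to-source $INET_IP

    # FORWARD: LAN out, replies back, log everything else at a bounded rate.
    $IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
        --log-level DEBUG --log-prefix "IPT FORWARD packet died: "

    # INPUT: loopback (X, local subsystems) and replies to the host's own
    # connections (patches, packages), the two cases the thread identified.
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # OUTPUT: loopback plus traffic from the host's own addresses; -p ALL omitted.
    $IPTABLES -A OUTPUT -o lo -j ACCEPT
    $IPTABLES -A OUTPUT -s $LAN_IP -j ACCEPT
    $IPTABLES -A OUTPUT -s $INET_IP -j ACCEPT
}

# Review helper for the dry run: how many generated commands contain a fragment.
rule_count() {
    load_rules | grep -c -- "$1"
}
```

Run it once with the default dry run and read the printed commands before pointing IPTABLES at the real binary.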