Re: setting up a firewall from scratch

Hello,

Mansour Al-Aqeel a écrit :
I'm new to iptables,

So I strongly suggest that you read the "Packet Filtering HOWTO" from the www.netfilter.org documentation page.

All I need at this point is to disable any connection attempt from
out side ($WAN) and enable everything on the ($LAN) side

By doing so, you will block the replies to packets you send. Is this really what you want?

#delete all the existing rules from all chains
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD

'iptables -F' does the same in a single command.

#set the default policy on the external interface not to accept anything
iptables -P INPUT -i $WAN -j REJECT  # dont let anything coming from outside
iptables -P OUTPUT -i $WAN -j ACCEPT # let anything go out
iptables -P FORWARD -i $WAN -j REJECT # dont forward anyhting from outside to inside

Syntax error. A default policy applies to a whole chain, it can't apply to only an interface. Also, REJECT is not a valid default policy, you can only use DROP or ACCEPT.

#######################################
## allow everyThign internally
#######################################
iptables -f filter -A INPUT -i $LAN -j ACCEPT
iptables -f filter -A INPUT -o $LAN -j ACCEPT

Syntax error. The table is specified by option -t. Option -f is to match fragments. Also, you can't have a -o option (output interface) in an INPUT chain.

iptable  -A OUTPUT -i $LAN -j ACCEPT
iptable -A OUTPUT -o $LAN -j ACCEPT

Syntax error. It's iptables, not iptable. Also, you can't have a -i option (input interface) in an OUTPUT chain.

####forward internally through the br0
iptables -f filter -A FORWARD -i $LAN -j ACCEPT
iptables -f filter -A FORWARD -o $LAN -j ACCEPT

-f mistake again. There is not a single correct rule in your script, so I'm not surprised that it blocks everything.

iptables targets act on individual packets, not on connections. If you block anything coming from the outside, you block the replies to the packets you send.

If you want to filter connections, your rules should use connection tracking state match (-m state --state ESTABLISHED,RELATED) to accept replies but reject new connection requests from the outside.
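As an added example (not the script from the original poster, nor code from the reply's author), here is what the ruleset looks like once the errors listed above are corrected: a whole-chain default policy of DROP instead of a per-interface REJECT, -t (not -f) for the table, -i only on INPUT/FORWARD and -o only on OUTPUT/FORWARD, and the state match so that replies to outbound traffic are accepted while new connections from the WAN are not. The interface names eth0 and br0 are assumptions; the rules are emitted by a function so they can be reviewed without root, and applied with a second function when run as root.

```shell
#!/bin/sh
# Added example: a corrected, stateful version of the firewall discussed above.
# Interface names are assumptions; override them in the environment.
WAN="${WAN:-eth0}"
LAN="${LAN:-br0}"

# Emit the iptables commands for: LAN may do anything, WAN may only carry
# replies to connections that were started from the inside.
# Emitting rather than executing lets the ruleset be read and checked unprivileged.
build_rules() {
    wan="$1"
    lan="$2"
    cat <<EOF
iptables -t filter -F
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT ACCEPT
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A INPUT -i $lan -j ACCEPT
iptables -t filter -A INPUT -i $wan -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A FORWARD -i $lan -o $wan -j ACCEPT
iptables -t filter -A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Refuse any line that repeats one of the mistakes pointed out in the thread:
# an interface option on a policy line, or REJECT used as a default policy.
# Returns 0 when the generated ruleset is clean, 1 otherwise.
check_rules() {
    build_rules "$1" "$2" | while IFS= read -r line; do
        case "$line" in
            *" -P "*" -i "*|*" -P "*" -o "*) return 1 ;;
            *" -P "*REJECT*) return 1 ;;
        esac
    done
}

# Apply the ruleset on this host; needs root because it talks to the kernel.
apply_rules() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_rules: must be run as root" >&2
        return 1
    fi
    check_rules "$WAN" "$LAN" || return 1
    build_rules "$WAN" "$LAN" | sh -e
}

# Usage: sh firewall.sh show   (print the rules)
#        sh firewall.sh apply  (install them, as root)
case "${1:-}" in
    show)  build_rules "$WAN" "$LAN" ;;
    apply) apply_rules ;;
esac
```

Note that FORWARD keeps both -i and -o on one rule, which is valid there because a forwarded packet has both an input and an output interface; the same pair on INPUT or OUTPUT is the error the reply points out. Newer iptables also accepts the equivalent `-m conntrack --ctstate ESTABLISHED,RELATED`.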


