Hi Pete,

Thanks for the rules, I think I see what I missed, which I believe is the forwarding rule from the LAN. I'd still like to check out firestarter, just to see what it does, and learn yet another tool. :-) Is there a good place to find it?

Thanks,
-Bob

> Hi,
> I have a similar fw (but 3 nics).
> Here is the basic sequence of the pertinent rules from my fw to let LAN
> traffic out. Depending on your comfort level, using firestarter may be
> preferred. These are only a few of a complete set.
>
> # Default deny all inbound & forwards.
> # Probably just allow all out, your discretion, but if you deny all outbound
> # you won't contribute to DDoS, just make the last one DENY as well, then
> # allow the desired services out.
> $IPTABLES -P INPUT DROP
> $IPTABLES -P FORWARD DROP
> $IPTABLES -P OUTPUT ACCEPT
>
> # outbound LAN connections are all masqueraded
> $IPTABLES -A POSTROUTING -t nat -o $EXT_IF -s $LAN_RANGE -j MASQUERADE
>
> # allow existing communications to continue
> $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # forward
> $IPTABLES -A FORWARD -i $LAN_IF -s $LAN_RANGE -j ACCEPT
> $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # I end each section (input, forward, output) with log and drop, here the
> # forward set
> $IPTABLES -A FORWARD -m limit -j LOG --log-prefix "NetF FORWARD CHAIN: "
> $IPTABLES -A FORWARD -j DROP
>
> Of course, there should be other rules in place, but this should allow
> successful outbound connections from your LAN.
>
> Hope that helps.
> --
> Pete Nesbitt, rhce

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
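The fragment Pete quoted is only part of his ruleset. As an added example that is not part of either message in this thread, here is a complete, minimal version of the same two-interface masquerading firewall: default-deny INPUT and FORWARD, MASQUERADE for the LAN, the FORWARD rule Bob was missing, and a rate-limited LOG followed by DROP at the end of each denied chain. It also enables IP forwarding and adds an anti-spoofing rule, neither of which is in the quoted text. The interface names (eth0/eth1), the LAN range and the log prefixes are assumptions; the `dry` argument echoes the commands instead of running them, so the ruleset can be reviewed without root or touching the live firewall.

```shell
#!/bin/sh
# Added example, not Pete's or Bob's own script: a complete minimal ruleset for
# the two-interface masquerading firewall described in the quoted reply.
# Interface names, LAN range and log prefixes are assumptions.
EXT_IF="${EXT_IF:-eth0}"                   # assumption: interface facing the Internet
LAN_IF="${LAN_IF:-eth1}"                   # assumption: interface facing the LAN
LAN_RANGE="${LAN_RANGE:-192.168.1.0/24}"   # assumption: the LAN subnet

# build_rules [dry]
# With "dry" every command is echoed instead of executed, so the ruleset can
# be reviewed (or tested) without root and without changing the running firewall.
build_rules() {
    if [ "$1" = "dry" ]; then
        IPT="echo iptables"; SYSCTL="echo sysctl"
    else
        IPT="iptables"; SYSCTL="sysctl"
    fi

    # The kernel must be told to route between interfaces at all
    $SYSCTL -w net.ipv4.ip_forward=1

    # Start clean: default deny inbound and forwarded, allow the box's own outbound
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback is always allowed
    $IPT -A INPUT -i lo -j ACCEPT

    # Anti-spoofing: a packet arriving from outside must never carry a LAN source
    $IPT -A INPUT   -i "$EXT_IF" -s "$LAN_RANGE" -j DROP
    $IPT -A FORWARD -i "$EXT_IF" -s "$LAN_RANGE" -j DROP

    # Outbound LAN connections are masqueraded behind the external address
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN_RANGE" -j MASQUERADE

    # INPUT: replies to the firewall's own connections, plus administration from the LAN
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_RANGE" -j ACCEPT

    # FORWARD: the rule Bob was missing. New connections may leave the LAN toward
    # the Internet, and packets belonging to those connections may come back in.
    $IPT -A FORWARD -i "$LAN_IF" -o "$EXT_IF" -s "$LAN_RANGE" -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # End INPUT and FORWARD with a rate-limited log and an explicit drop, so
    # anything that reached this point is recorded before it is discarded
    $IPT -A INPUT   -m limit --limit 5/min -j LOG --log-prefix "NetF INPUT CHAIN: "
    $IPT -A INPUT   -j DROP
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "NetF FORWARD CHAIN: "
    $IPT -A FORWARD -j DROP
}

# Apply only when explicitly asked (APPLY=1 ./fw.sh); otherwise just print the plan
if [ "${APPLY:-0}" = "1" ]; then
    build_rules
else
    build_rules dry
fi
```

Running the script without `APPLY=1` prints the rules in the exact order they would be appended, which is the easiest way to confirm that the ACCEPT for LAN-originated traffic sits above the final LOG/DROP pair; the rate limit on the LOG rules keeps a flood of dropped packets from filling the syslog.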