On Sun, 26 Jan 2003 01:47:11 -0500, Buck wrote:

> I just followed the instructions in 'Red Hat Linux 8 For Dummies' to
> setup a firewall.
>
> For some reason it doesn't work.
>
> The book uses an example for a modem, but I need to make it work for
> an Ethernet. There is only one NIC in the computer and the LAN going
> to the internet is connected to it.
>
> I tried it verbatim to the book and failed.

Are you sure? If exactly that example is printed in the book, the book is crap.

> One line has an error so I
> changed it. The changed line is marked with an asterisk.
>
> iptables --flush
> iptables --flush -t nat
> iptables -A INPUT -j DROP
> iptables -A OUTPUT -j DROP

Basically, what each of the two commands above does at that position in the script is put a rule at the _beginning_ of a chain which drops all packets. It becomes clear when you use the long options:

iptables --flush
iptables --flush --table nat
iptables --append INPUT --jump DROP
iptables --append OUTPUT --jump DROP

Both INPUT and OUTPUT chains are empty (flushed), so "--append" stores the next rule as the first rule in the chain. That rule tells the packet filter to drop everything. Any subsequent rules are not evaluated at all.

> iptables -A OUTPUT -j ACCEPT -o lo
> iptables -A INPUT j ACCEPT -i lo
> * iptables -A INPUT -j ACCEPT -i lo
> iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
> iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> When I turn off the firewall, I can access the internet, but with it
> on, I cannot access the internet.

Replace the two wrong rules with:

iptables --policy INPUT DROP
iptables --policy OUTPUT DROP

That is what would make sense.
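As an added illustration (not part of the thread), here is a small Python model of how a netfilter chain is walked: first matching rule wins, and the chain's default policy applies only when no rule matched. It rebuilds the INPUT chain from the posted script both ways; the Rule and Chain names are my own, not iptables APIs, and the packets are constructed samples.

```python
from dataclasses import dataclass, field
from typing import Optional, List

@dataclass
class Rule:
    target: str                      # jump target: ACCEPT or DROP
    iface: Optional[str] = None      # -i/-o interface match, None = any
    states: frozenset = frozenset()  # -m state --state set, empty = any

@dataclass
class Chain:
    policy: str = "ACCEPT"           # default policy after a plain --flush
    rules: List[Rule] = field(default_factory=list)

    def append(self, rule: Rule) -> None:
        # -A / --append: rule goes at the end of the current list
        self.rules.append(rule)

    def verdict(self, iface: str, state: str) -> str:
        # Walk rules top to bottom; the first match decides. If nothing
        # matches, the chain policy is the verdict.
        for r in self.rules:
            if r.iface is not None and r.iface != iface:
                continue
            if r.states and state not in r.states:
                continue
            return r.target
        return self.policy

ESTABLISHED = frozenset({"RELATED", "ESTABLISHED"})

def broken_input_chain() -> Chain:
    # The script as posted: DROP appended to an empty chain sits first,
    # so the ACCEPT rules below it are never reached.
    c = Chain()                                   # iptables --flush
    c.append(Rule("DROP"))                        # -A INPUT -j DROP
    c.append(Rule("ACCEPT", iface="lo"))          # -A INPUT -j ACCEPT -i lo
    c.append(Rule("ACCEPT", states=ESTABLISHED))  # -A INPUT -m state ...
    return c

def fixed_input_chain() -> Chain:
    # The suggested fix: make DROP the chain policy instead of a rule.
    c = Chain(policy="DROP")                      # iptables --policy INPUT DROP
    c.append(Rule("ACCEPT", iface="lo"))
    c.append(Rule("ACCEPT", states=ESTABLISHED))
    return c

if __name__ == "__main__":
    for name, chain in (("broken", broken_input_chain()), ("fixed", fixed_input_chain())):
        for pkt in (("lo", "NEW"), ("eth0", "ESTABLISHED"), ("eth0", "NEW")):
            print(name, pkt, "->", chain.verdict(*pkt))
```

With the broken chain every packet, loopback and established replies included, is dropped; with the policy-based chain only unsolicited new inbound connections are dropped.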
--
Psyche-list mailing list
Psyche-list@redhat.com
https://listman.redhat.com/mailman/listinfo/psyche-list