On Tue, 27 May 2003, M. Fioretti wrote:

>... for a shrike PC with:
>  dialup connection, dynamic IP on ppp0
>  other local PCs connected through eth0
>
>if one wants:
>  no service whatsoever provided to the outside world
>  all kinds of local traffic among that PC and all the others on the LAN
>  all other PCs on the LAN be able to initiate and run whatever they
>  want on the internet: IM, FTP, telnet, web surfing, audio/video
>  streaming...
>
>#+---------------------------------------------------------------------------+
>modprobe ipt_MASQUERADE                 # If this fails, try continuing anyway
>iptables -F; iptables -t nat -F; iptables -t mangle -F

# set the default policies on the chains to drop
# (-P takes the target directly, there is no -j with a policy;
#  OUTPUT DROP also needs OUTPUT ACCEPT rules for the gateway's own traffic)
iptables -P INPUT DROP; iptables -P OUTPUT DROP

>iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
>echo 1 > /proc/sys/net/ipv4/ip_forward
>#+---------------------------------------------------------------------------+
>#
># Then to secure it:
># for a dial-up connection (with eth0 as the internal network card):
>#+---------------------------------------------------------------------------+
>iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>iptables -A INPUT -m state --state NEW ! -i ppp0 -j ACCEPT
>iptables -P INPUT DROP      # only if the first two are successful

I think that's if the first two are UN-successful? Not that it makes much
difference, just clarifying.

>iptables -A FORWARD -i ppp0 -o ppp0 -j REJECT

Why not use DROP here instead of REJECT? Also if you set the default policy
beforehand then you wouldn't need to do this I think. I think the method is
supposed to be "set defaults to drop, then only allow through what you want".

Oisin Feeley