From: "John A. Sullivan III" <jsullivan@opensourcedevel.com>
To: Barry Fawthrop <barry@ttienterprises.org>
Cc: netfilter@lists.netfilter.org
Subject: Re: filtering ruleset help sought
Date: Mon, 15 Aug 2005 17:22:49 -0400 [thread overview]
Message-ID: <1124140969.21025.42.camel@localhost> (raw)
In-Reply-To: <430102F9.3070207@ttienterprises.org>
You may find it helpful to review a good tutorial on iptables. You can
find an excellent one at
http://iptables-tutorial.frozentux.net/iptables-tutorial.html
You can also find training slide shows (slightly dated) in the training
section of the ISCS network security management project
(http://iscs.sourceforge.net).
Basically, you will need the same rules in the FORWARD chain as in the
INPUT chain. You will also need a NAT rule, e.g.,
iptables -t nat -A POSTROUTING -o <ExternalIF> -s <Internal Network> -j
SNAT --to-source <ExternalIP>
On Mon, 2005-08-15 at 17:02 -0400, Barry Fawthrop wrote:
> Thanks John
>
> Yes I want this machine and every other machine on the LAN to be denied
> access to the Internet except to the sites or IPs listed
> in the allowed-hosts file
>
> So could you help what addionional rules would I need ?
>
>
>
> John A. Sullivan III wrote:
>
> >Hmm . . .looks a little strange. Do you want such access for this
> >specific device or for other devices on the internal network that use
> >this device as a gateway? The INPUT and OUTPUT chains will only handle
> >traffic to and from this device.
> >
> >I would suggest you use connection tracking and you may find it easier
> >to use DROP policies. Thus:
> >
> >$IPT -t filter -P INPUT DROP
> >$IPT -t filter -P OUTPUT DROP
> >$IPT -t filter -P FORWARD DROP
> >$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> >
> >Then you can allow the outbound access including the protcol:
> >
> >while read s1 s2
> > do
> > $IPT -t filter -A OUTPUT -s $INNET -d $s1 -p 6 --dport 80 -j ACCEPT
> > $IPT -t filter -A OUTPUT -p icmp -s $INNET -d $s1 -j ACCEPT
> > done < /allowed-hosts
> >
> >
> also what is the -p 6 ???
>
> >If you want to allow other devices to access these sites through this
> >device, you will need rules in the FORWARD chain and probably an SNAT
> >rule in the nat table POSTROUTING chain. Good luck - John
> >
> >
> Thanks
> Barry
> No virus found in this outgoing message.
> Checked by AVG Anti-Virus.
> Version: 7.0.338 / Virus Database: 267.10.9/72 - Release Date: 8/14/2005
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com
Financially sustainable open source development
http://www.opensourcedevel.com
next prev parent reply other threads:[~2005-08-15 21:22 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-08-15 20:27 filtering ruleset help sought Barry Fawthrop
2005-08-15 20:49 ` John A. Sullivan III
2005-08-15 21:02 ` Barry Fawthrop
2005-08-15 21:22 ` John A. Sullivan III [this message]
2005-08-17 5:40 ` Grant Taylor
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1124140969.21025.42.camel@localhost \
--to=jsullivan@opensourcedevel.com \
--cc=barry@ttienterprises.org \
--cc=netfilter@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.