From: Mike <1100100@gmail.com>
To: netfilter@lists.netfilter.org
Subject: Policy Misunderstanding: RTFM Guidance Requested.
Date: Wed, 1 Sep 2004 07:54:31 -0400
Message-ID: <8ca42282040901045464650094@mail.gmail.com>
In-Reply-To: <3063e5040831212267c70f95@mail.gmail.com>
I have a linux box acting as router/firewall for my home network.
It runs Gentoo Linux, kernel 2.4.26 and iptables 1.2.10.
eth0 -> Internet
eth1 -> Lan
I thought I had seen others on this list discuss starting with a
completely closed router that denies all traffic - INPUT, OUTPUT, and
FORWARD; filter, nat, and mangle. Yet, when I reset my firewall
Policies to initially DROP all INPUT, OUTPUT, and FORWARD traffic, and
then append these policies with filter or nat rules, the policies
still overrule and stop all traffic.
I've read the man page a few times and have found a few tutorials on
the net, but I'm still missing the fundamental understanding of how
policies do/do not affect iptables rules.
Can I get an RTFM push in the right direction on this subject?
Thanks for your time and patience.
Mike
Maybe I should post the firewall so you can see there are no glaring
errors in my syntax:
ENABLE_FORWARDING_IPv4="yes"
IPTABLES=/sbin/iptables
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe
$DEPMOD -a
$MODPROBE ip_tables
$MODPROBE ip_conntrack
$MODPROBE ip_conntrack_ftp
$MODPROBE ip_conntrack_irc
$MODPROBE iptable_nat
$MODPROBE ip_nat_ftp
echo " Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo " Enabling DynamicAddr.."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
echo " Flushing any pre-existing filter rules or conditions."
$IPTABLES -t filter -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
echo " Set the filter/nat/mangle packet Matching Table Policy."
$IPTABLES -t filter -P INPUT DROP
$IPTABLES -t filter -P OUTPUT DROP
$IPTABLES -t filter -P FORWARD DROP
$IPTABLES -t nat -P PREROUTING DROP
$IPTABLES -t nat -P POSTROUTING DROP
$IPTABLES -t nat -P OUTPUT DROP
$IPTABLES -t mangle -P INPUT DROP
$IPTABLES -t mangle -P OUTPUT DROP
$IPTABLES -t mangle -P FORWARD DROP
$IPTABLES -t mangle -P PREROUTING DROP
$IPTABLES -t mangle -P POSTROUTING DROP
echo " INPUT/OUTPUT Rules for Routerbox."
$IPTABLES -t filter -A INPUT -j ACCEPT
$IPTABLES -t filter -A OUTPUT -j ACCEPT
echo " FORWARD Rules for data allowed IN and OUT of the LAN."
$IPTABLES -t filter -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -t filter -A FORWARD -i eth0 -o eth1 -m state --state NEW -j ACCEPT
echo " Allowing HTTP and SSH Access."
$IPTABLES -t filter -A INPUT -p tcp -i eth0 --dport 22 -m state --state NEW -j ACCEPT
$IPTABLES -t filter -A INPUT -p tcp -i eth0 --dport 80 -m state --state NEW -j ACCEPT
echo " Enabling NAT MASQUERADE."
$IPTABLES -t nat -A POSTROUTING -o eth0 -j MASQUERADE
echo " Prevent remote machines from spoofing internal IP addresses."
$IPTABLES -t filter -A INPUT -i eth0 -s 199.201.13.0/24 -j REJECT
echo " Do not respond to remote Pings."
$IPTABLES -t filter -A INPUT -p icmp --icmp-type echo-request -j DROP
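Added example (not part of the original post or of any reply in the thread): a minimal default-deny router script that shows how chain policies and rules interact. A policy is the verdict applied only to a packet that reaches the end of a built-in chain without matching any rule; rules are checked top to bottom and the first match wins. DROP policies are set only in the filter table, because a DROP policy in nat or mangle discards every packet those chains see before filter ever gets a say, and NAT itself is done by a MASQUERADE rule rather than a policy. The specific DROP rules (anti-spoofing, ping) come before the broad ACCEPTs so they are actually reached, and new connections are forwarded only from the LAN side outward. The interface names, the 192.168.1.0/24 LAN prefix and the IPT=echo dry-run switch are assumptions made for this example; "-m conntrack --ctstate" is the current spelling of the 2.4-era "-m state --state".

```shell
#!/bin/sh
# Added example, not the original poster's script.  Default-deny router with
# policies only in the filter table.  A chain policy is the fall-through
# verdict for packets that match no rule in that chain; rules are evaluated
# in order and the first match wins.  nat and mangle stay at ACCEPT: a DROP
# policy there discards every packet reaching the end of those chains, which
# is every packet, no matter what filter would allow.
#
# Assumptions: eth0 is the Internet side, eth1 the LAN, 192.168.1.0/24 the
# LAN prefix.  Set IPT=echo to print the commands instead of running them.
IPT="${IPT:-/sbin/iptables}"
WAN="${WAN:-eth0}"
LAN="${LAN:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

build_firewall() {
    # Start clean in every table, then set DROP policies in filter only.
    for t in filter nat mangle; do
        $IPT -t "$t" -F
        $IPT -t "$t" -X
    done
    $IPT -t filter -P INPUT DROP
    $IPT -t filter -P OUTPUT DROP
    $IPT -t filter -P FORWARD DROP
    # Explicitly restore ACCEPT on nat/mangle in case an earlier run changed them.
    for c in PREROUTING POSTROUTING OUTPUT; do
        $IPT -t nat -P "$c" ACCEPT
    done
    for c in PREROUTING INPUT FORWARD OUTPUT POSTROUTING; do
        $IPT -t mangle -P "$c" ACCEPT
    done

    # Specific drops first: a rule placed after an unconditional ACCEPT in the
    # same chain is never evaluated, because the first match decides.
    $IPT -A INPUT -i "$WAN" -s "$LAN_NET" -j DROP       # LAN source on WAN = spoof
    $IPT -A FORWARD -i "$WAN" -s "$LAN_NET" -j DROP
    $IPT -A INPUT -i "$WAN" -p icmp --icmp-type echo-request -j DROP

    # Traffic to and from the router itself.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    # Services offered to the Internet: SSH and HTTP only.
    $IPT -A INPUT -i "$WAN" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A INPUT -i "$WAN" -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
    # The LAN may talk to the router freely.
    $IPT -A INPUT -i "$LAN" -s "$LAN_NET" -j ACCEPT

    # Forwarding: the LAN opens connections outward; only replies come back in.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -m conntrack --ctstate NEW -j ACCEPT

    # NAT is a rule, not a policy.  The nat table sees only the first packet of
    # a connection and decides the address mapping; filtering stays in filter.
    $IPT -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

# Review the live state: per-rule packet counters show which rule matched.
show_firewall() {
    for t in filter nat mangle; do
        $IPT -t "$t" -L -v -n --line-numbers
    done
}

case "${1:-}" in
    apply) build_firewall ;;
    show)  show_firewall ;;
esac
```

Run it as root with "apply" to load the rules and "show" to list them with counters; with IPT=echo it only prints the iptables commands, so the rule order and the table each policy lands in can be reviewed before anything touches the kernel.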
Thread overview (20+ messages):
2004-09-01 1:01 Mail Server Behind IPTABLES Ajen Diwakar
2004-09-01 4:22 ` George Alexandru Dragoi
2004-09-01 11:54 ` Mike [this message]
2004-09-01 13:27 ` Policy Misunderstanding: RTFM Guidance Requested Deepak Seshadri
2004-09-01 15:46 ` Mike
2004-09-01 16:50 ` Jason Opperisano
2004-09-01 17:53 ` Mike
2004-09-01 17:38 ` Deepak Seshadri
2004-09-01 16:40 ` Mike
2004-09-01 14:44 ` Alistair Tonner
2004-09-01 16:20 ` Mike
2004-09-01 16:53 ` Alistair Tonner
2004-09-01 18:12 ` Mike
2004-09-01 16:43 ` Jason Opperisano
2004-09-01 14:50 ` Mail Server Behind IPTABLES Alistair Tonner
[not found] ` <1094054540.5456.16.camel@matevz.net>
2004-09-01 16:27 ` Alistair Tonner
2004-09-01 18:12 ` Matevz
2004-09-01 18:19 ` Jason Opperisano
2004-09-01 18:25 ` Jason Opperisano
2004-09-01 18:23 ` Alistair Tonner