From: "John A. Sullivan III" <jsullivan@opensourcedevel.com>
To: Barry Fawthrop <barry@ttienterprises.org>
Cc: netfilter@lists.netfilter.org
Subject: Re: filtering ruleset help sought
Date: Mon, 15 Aug 2005 17:22:49 -0400 [thread overview]
Message-ID: <1124140969.21025.42.camel@localhost> (raw)
In-Reply-To: <430102F9.3070207@ttienterprises.org>
You may find it helpful to review a good tutorial on iptables. You can
find an excellent one at
http://iptables-tutorial.frozentux.net/iptables-tutorial.html
You can also find training slide shows (slightly dated) in the training
section of the ISCS network security management project
(http://iscs.sourceforge.net).
Basically, you will need the same rules in the FORWARD chain as in the
INPUT chain. You will also need a NAT rule, e.g.,
iptables -t nat -A POSTROUTING -o <ExternalIF> -s <Internal Network> -j
SNAT --to-source <ExternalIP>
On Mon, 2005-08-15 at 17:02 -0400, Barry Fawthrop wrote:
> Thanks John
>
> Yes I want this machine and every other machine on the LAN to be denied
> access to the Internet except to the sites or IPs listed
> in the allowed-hosts file
>
> So could you help what addionional rules would I need ?
>
>
>
> John A. Sullivan III wrote:
>
> >Hmm . . .looks a little strange. Do you want such access for this
> >specific device or for other devices on the internal network that use
> >this device as a gateway? The INPUT and OUTPUT chains will only handle
> >traffic to and from this device.
> >
> >I would suggest you use connection tracking and you may find it easier
> >to use DROP policies. Thus:
> >
> >$IPT -t filter -P INPUT DROP
> >$IPT -t filter -P OUTPUT DROP
> >$IPT -t filter -P FORWARD DROP
> >$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> >
> >Then you can allow the outbound access including the protcol:
> >
> >while read s1 s2
> > do
> > $IPT -t filter -A OUTPUT -s $INNET -d $s1 -p 6 --dport 80 -j ACCEPT
> > $IPT -t filter -A OUTPUT -p icmp -s $INNET -d $s1 -j ACCEPT
> > done < /allowed-hosts
> >
> >
> also what is the -p 6 ???
>
> >If you want to allow other devices to access these sites through this
> >device, you will need rules in the FORWARD chain and probably an SNAT
> >rule in the nat table POSTROUTING chain. Good luck - John
> >
> >
> Thanks
> Barry
> No virus found in this outgoing message.
> Checked by AVG Anti-Virus.
> Version: 7.0.338 / Virus Database: 267.10.9/72 - Release Date: 8/14/2005
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com
Financially sustainable open source development
http://www.opensourcedevel.com
next prev parent reply other threads:[~2005-08-15 21:22 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-08-15 20:27 filtering ruleset help sought Barry Fawthrop
2005-08-15 20:49 ` John A. Sullivan III
2005-08-15 21:02 ` Barry Fawthrop
2005-08-15 21:22 ` John A. Sullivan III [this message]
2005-08-17 5:40 ` Grant Taylor
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1124140969.21025.42.camel@localhost \
--to=jsullivan@opensourcedevel.com \
--cc=barry@ttienterprises.org \
--cc=netfilter@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox