From: "Alexander W. Janssen" <yalla@ynfonatic.de>
To: Pablo Allietti <pablo@lacnic.net>
Cc: netfilter@lists.netfilter.org
Subject: Re: Re2: How to block all ports except port 21,22,80,8080 ???
Date: Tue, 18 Feb 2003 20:51:04 +0100
Message-ID: <20030218195104.GC23914@ynfonatic.de>
In-Reply-To: <20030218121919.GA11554@omega.lacnic.net.uy>
On Tue, Feb 18, 2003 at 03:19:19PM +0300, Pablo Allietti wrote:
> Which is the line to permit all inside to outside??
None of them. You have to distinguish between two different topics: the traffic
originating on the firewall itself and the forwarded traffic.
If traffic originates on the firewall it will leave the machine through the
OUTPUT chain. Traffic which is destined for the firewall itself will enter the
machine through the INPUT chain. This is what you did. To be correct, there is
a problem: Even if you allow traffic leaving the box through the OUTPUT chain,
you have to permit the answers to that traffic to *enter* the firewall again.
Therefore you should include that line in your firewall script, preferably as
the first statement in the INPUT chain, since it is the most used rule ever:
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
Explaining that rule is somewhat beyond the scope of this email, but I suggest
you read one of the tutorials at [1].
Traffic which is forwarded by the firewall is filtered in the FORWARD chain.
So, for example, if your internet interface is eth0 and your internal
interface is eth1 and you just want to allow the internal machines to access
the outside world, you would do something like this:
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
iptables -A FORWARD -p tcp -j REJECT --reject-with tcp-reset # everything else (tcp)
iptables -A FORWARD -j REJECT # reject everything else with icmp-port-unreachable
# implicit DROP due to policy happens here
Alex.
[1] http://www.netfilter.org/documentation/index.html
--
"Mr Data, when I said 'Fire at Will', I didn't mean for you to be so literal."
Instructions for use of this post: Insert tongue in cheek. Read as normal.
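To make the chain logic in the reply above concrete, here is an added example (not from the original post) that models iptables first-match evaluation for the INPUT and FORWARD chains described there. It shows why the RELATED,ESTABLISHED rule has to sit in INPUT ahead of the per-port rules: without it, replies to the firewall's own outbound connections fall through to the DROP policy. The interface names eth0/eth1 are taken from the post; the port list 21,22,80,8080 comes from the thread subject, and the toy Rule/Packet classes are this example's own assumptions, not a netfilter API.

```python
# Toy first-match evaluator for the INPUT/FORWARD rulesets discussed above.
# Added example; it simulates the rule order, it does not drive iptables.
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    proto: str        # "tcp", "udp" or "icmp"
    dport: int        # destination port (0 for icmp)
    state: str        # conntrack view: "NEW", "ESTABLISHED" or "RELATED"
    in_if: str = ""   # ingress interface (-i)
    out_if: str = ""  # egress interface (-o), meaningful in FORWARD only

@dataclass
class Rule:
    target: str                               # ACCEPT / DROP / REJECT
    proto: Optional[str] = None               # -p
    dports: frozenset = frozenset()           # --dport / multiport --dports
    states: frozenset = frozenset()           # -m state --state
    in_if: Optional[str] = None               # -i
    out_if: Optional[str] = None              # -o

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and (not self.dports or p.dport in self.dports)
                and (not self.states or p.state in self.states)
                and (self.in_if is None or self.in_if == p.in_if)
                and (self.out_if is None or self.out_if == p.out_if))

def verdict(policy: str, rules: list[Rule], p: Packet) -> str:
    """First matching rule wins; no match falls through to the chain policy."""
    for r in rules:
        if r.matches(p):
            return r.target
    return policy

STATEFUL = Rule("ACCEPT", states=frozenset({"RELATED", "ESTABLISHED"}))
SERVICES = Rule("ACCEPT", proto="tcp", dports=frozenset({21, 22, 80, 8080}))
INPUT_WITH_STATE = [STATEFUL, SERVICES]   # the reply's recommendation
INPUT_NO_STATE = [SERVICES]               # the original poster's shape
FORWARD = [STATEFUL,
           Rule("ACCEPT", in_if="eth1", out_if="eth0"),   # LAN -> internet
           Rule("REJECT", proto="tcp"),                   # tcp-reset
           Rule("REJECT")]                                # icmp-port-unreachable

def input_verdict(rules: list[Rule], p: Packet) -> str:
    return verdict("DROP", rules, p)      # assumes: iptables -P INPUT DROP

def forward_verdict(p: Packet) -> str:
    return verdict("DROP", FORWARD, p)    # iptables -P FORWARD DROP
```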