From: "Karina Gómez Salgado" <kgs@acabtu.com.mx>
To: Antony Stone <Antony@Soft-Solutions.co.uk>
Cc: "netfilter@lists.samba.org" <netfilter@lists.samba.org>
Subject: Re: Slow performance - Trouble with IPtables rules
Date: Wed, 03 Jul 2002 17:01:05 -0500	[thread overview]
Message-ID: <3D237421.3BEF05BD@acabtu.com.mx> (raw)
In-Reply-To: 20020703190025.HRSB16050.mta01-svc.ntlworld.com@there

I thought to restrict IP class subnets on the interfaces, but I thought to do it
later.

What I want to implement is a simple gateway to the Internet for the internal
network; I don't want masquerading or a complex firewall. I only want to give
Internet access to the LAN, and force a Squid transparent proxy. (I have the
redirect rule commented out, but I tested it before and it seems to work.)

So basically, and before the Squid redirection, I want to give Internet access
to my LAN without masq, without filters. These rules seem to work, but not in the
optimal way, because there are delays in the display of the web pages, the email
downloading etc., even with only 1 or 2 computers connected to the LAN.

I hope that I could explain it.

Thanks for all your help,

Karina



Antony Stone wrote:

> On Wednesday 03 July 2002 7:41 pm, Karina Gómez Salgado wrote:
>
> > The rules i'm using are these:
> > --------------------------------
> >
> > $IPTABLES -P INPUT DROP
> > $IPTABLES -P OUTPUT DROP
> > $IPTABLES -P FORWARD DROP
> >
> > $IPTABLES -A INPUT -s $UNIVERSE -d $UNIVERSE -j ACCEPT -v
> >
> > $IPTABLES -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j ACCEPT -v
> >
> > $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -j ACCEPT -v
> >
> > $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT -v
>
> So, you're setting a default policy of DROP on INPUT, FORWARD and OUTPUT -
> very good.
>
> Then, you're allowing absolutely everything in, from anywhere, you're
> allowing absolutely everything out, to anywhere, you're forwarding everything
> from the outside to the inside, and you're forwarding everything from the
> inside to the outside.
>
> This is not a firewall, this is a complex way to plug the Internet into your
> network.
>
> What do you want to allow, and what do you want to block?   These rules are
> doing nothing for you.
>
>
>
> Antony.

--
Karina Gómez
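The rule set the poster says she wants (LAN out to the Internet without masquerading, plus the transparent Squid redirect), tightened along the lines of Antony's objection so that nothing from the outside is forwarded in unless it is a reply to a connection the LAN opened. This is an added example, not code from the thread; the interface names, LAN prefix and Squid port are assumptions, and the script only prints the commands unless IPTABLES is pointed at the real binary.

```shell
#!/bin/sh
# Added example, not from the thread. Dry run by default: with IPTABLES unset
# the commands are printed; run as root with IPTABLES=/sbin/iptables to apply.
IPTABLES="${IPTABLES:-echo iptables}"
EXTIF="${EXTIF:-eth0}"            # assumed external interface
INTIF="${INTIF:-eth1}"            # assumed internal interface
LAN="${LAN:-192.168.1.0/24}"      # constructed sample LAN prefix
SQUID_PORT="${SQUID_PORT:-3128}"  # assumed Squid transparent-proxy port

gateway_rules() {
    # Default deny on all three chains, as in the original rules.
    $IPTABLES -P INPUT DROP
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -P FORWARD DROP

    # Replies to connections the gateway or the LAN already opened.
    $IPTABLES -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Loopback and the LAN may talk to the gateway itself (Squid, DNS, ...).
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -i "$INTIF" -s "$LAN" -j ACCEPT

    # The gateway may open connections anywhere (Squid fetches the pages).
    $IPTABLES -A OUTPUT -j ACCEPT

    # Only the LAN may open new connections through the box. There is no
    # EXTIF -> INTIF accept rule: inbound traffic is forwarded only when the
    # state rule above recognises it as a reply.
    $IPTABLES -A FORWARD -i "$INTIF" -o "$EXTIF" -s "$LAN" -j ACCEPT

    # Transparent proxy: LAN web traffic is redirected to Squid on the gateway.
    $IPTABLES -t nat -A PREROUTING -i "$INTIF" -s "$LAN" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$SQUID_PORT"
}

gateway_rules
```

No MASQUERADE or SNAT rule is present, matching the stated wish to route without masquerading; that only works if the upstream router knows how to reach the LAN prefix.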



