From: Jeffrey Laramie <jalaramie@Loudoun-Fairfax.com>
To: netfilter@lists.netfilter.org
Subject: Re: myfirewall help
Date: Sat, 29 Jan 2005 09:29:07 -0500
Message-ID: <41FB9DB3.6000302@Loudoun-Fairfax.com>
In-Reply-To: <21bb51821c02f3.21c02f321bb518@vsnl.net>
varun_saa@vsnl.net wrote:
>
> ----- Original Message -----
> From: Jeffrey Laramie <JALaramie@Loudoun-Fairfax.com>
> Date: Thursday, January 27, 2005 8:27 pm
> Subject: Re: myfirewall help
>
>
>>On Thursday 27 January 2005 05:13, varun_saa@vsnl.net wrote:
>>
>>>Hello,
>>> My server is Mandrake 10.1
>>>eth0 is WAN with static IP connected to 512k DSL
>>>eth1 is LAN
>>>
>>>I am trying to write iptables rules and I am
>>>stuck with some error.
>>>
>>>My iptable file is as follows :
>>>
>>># Generated by iptables-save v1.2.9 on Thu Oct 21 05:32:36 2004
>>>*nat
>>>
>>>:OUTPUT ACCEPT [0:0]
>>>:PREROUTING ACCEPT [0:0]
>>>:POSTROUTING ACCEPT [0:0]
>>>
>>>-A POSTROUTING -o eth0 -j MASQUERADE
>>>COMMIT
>>># Completed on Thu Oct 21 05:32:36 2004
>>># Generated by iptables-save v1.2.9 on Thu Oct 21 05:32:36 2004
>>>*mangle
>>>
>>>:PREROUTING ACCEPT [32056:3889577]
>>>:INPUT ACCEPT [32010:3885659]
>>>:FORWARD ACCEPT [0:0]
>>>:OUTPUT ACCEPT [31637:4617585]
>>>:POSTROUTING ACCEPT [31639:4618071]
>>>
>>>COMMIT
>>># Completed on Thu Oct 21 05:32:36 2004
>>># Generated by iptables-save v1.2.9 on Thu Oct 21 05:32:36 2004
>>>*filter
>>>
>>>:FORWARD ACCEPT [0:0]
>>>:INPUT DROP [0:0]
>>>:OUTPUT ACCEPT [0:0]
>>>
>>>-A INPUT -j ACCEPT
>>>-A INPUT -s 127.0.0.1 -j ACCEPT
>>>-A INPUT -p tcp -m tcp -i eth1 -o eth0 --dport 3128 --sport 80 -j ACCEPT
>>>-A INPUT -p udp -m udp -i eth1 -o eth0 --dport 3128 --sport 80 -j ACCEPT
>>
>>>COMMIT
>>># Completed on Thu Oct 21 05:32:36 2004
>>>
>>>When I am trying to save I get the following error :
>>>
>>>iptables-restore v1.2.9: Can't use -o with INPUT
>>
>>The error message gives you the answer. You can't use the -o
>>parameter on the
>>INPUT chain since by definition the destination is always the local
>>host.
>>Remove "-o eth0" from your rules.
>>
>>Jeff
>
>
> I am writing firewall rules for the first time.
We all have to start somewhere. You should read some documentation on
iptables/netfilter to help you understand how the rules work and what
they do. This is what I use:
http://iptables-tutorial.frozentux.net/chunkyhtml/index.html
>
> I am writing rules using webmin -> networking -> linux firewall.
This is fine as long as your rules don't become too complex. If you
start to have lots of rules you will find it easier to put them in a
script. In a script you can add comments to explain the rules and you
can run and edit the script from the command line which is faster than
using webmin.
>
> First, what do you think of the rule?
I'm afraid it doesn't really do anything since that combination of
source and destination ports is not likely to happen very often. In
general when opening up ports for services you only need to specify the
destination port. Something like this:
iptables -A INPUT -p udp -i eth1 --dport 3128 -j ACCEPT
This allows udp packets into the host from eth1 on port 3128.
>
> Second, is it OK to just remove -o eth0?
Yes, but the rule I listed above is more useful. Adding more parameters
to a rule makes it narrower in scope. Add too many and the rule becomes
useless. Read the tutorial and look at the example scripts. Then show
us your rules and tell us what you are trying to do and we can try to help.
Jeff
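The two problems discussed in this thread (an interface option that iptables-restore rejects on the INPUT chain, and a rule so narrow it never matches) can be caught before loading a ruleset. The following linter for iptables-save dumps is an added example, not code from the thread or from the netfilter project; the rule texts it checks are the ones quoted above, reassembled, and the "unconditional ACCEPT" check is an extra observation about the first INPUT rule in that dump.

```python
import shlex

# INPUT traffic is always delivered locally (no outgoing interface) and OUTPUT
# traffic is always locally generated (no incoming interface), so these options
# are rejected by iptables-restore, as the error in the thread shows.
INVALID_IFACE_OPTS = {"INPUT": {"-o", "--out-interface"},
                      "OUTPUT": {"-i", "--in-interface"}}
SPORT_OPTS = {"--sport", "--source-port"}
DPORT_OPTS = {"--dport", "--destination-port"}

def lint_rules(dump):
    """Return (line number, message) findings for an iptables-save dump."""
    findings = []
    for lineno, raw in enumerate(dump.splitlines(), 1):
        line = raw.strip()
        if not line.startswith("-A "):  # table, policy, comment and COMMIT lines
            continue
        argv = shlex.split(line)
        chain, opts = argv[1], set(argv[2:])
        for opt in sorted(opts & INVALID_IFACE_OPTS.get(chain, set())):
            findings.append((lineno, f"{opt} cannot be used on the {chain} chain"))
        # No match criteria plus a terminating target matches every packet,
        # so nothing after this rule in the chain is ever evaluated.
        if argv[2:] == ["-j", "ACCEPT"]:
            findings.append((lineno, f"unconditional ACCEPT on {chain} shadows later rules"))
        if opts & SPORT_OPTS and opts & DPORT_OPTS:
            findings.append((lineno, "matches both source and destination port; "
                                     "for a service usually only --dport is needed"))
    return findings

# Constructed sample: the *filter table from the thread with the two
# line-wrapped rules reassembled.
SAMPLE_DUMP = """\
*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -j ACCEPT
-A INPUT -s 127.0.0.1 -j ACCEPT
-A INPUT -p tcp -m tcp -i eth1 -o eth0 --dport 3128 --sport 80 -j ACCEPT
-A INPUT -p udp -m udp -i eth1 -o eth0 --dport 3128 --sport 80 -j ACCEPT
COMMIT
"""
# The rule suggested in the reply, in iptables-save form.
FIXED_RULE = "-A INPUT -p udp -i eth1 --dport 3128 -j ACCEPT\n"

if __name__ == "__main__":
    for lineno, msg in lint_rules(SAMPLE_DUMP):
        print(f"line {lineno}: {msg}")
```

Run it against the output of iptables-save before handing the file to iptables-restore; the suggested rule from the reply produces no findings.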