From: Pascal Hambourg <pascal.mail@plouf.fr.eu.org>
To: netfilter@lists.netfilter.org
Subject: Re: setting up a firewall from scratch
Date: Tue, 16 May 2006 13:54:11 +0200
Message-ID: <4469BD63.2080707@plouf.fr.eu.org>
In-Reply-To: <1147740402.17757.261507231@webmail.messagingengine.com>
Hello,
Mansour Al-Aqeel wrote:
> I'm new to iptables,
So I strongly suggest that you read the "Packet Filtering HOWTO" from
the www.netfilter.org documentation page.
> All I need at this point is to disable any connection attempt from
> out side ($WAN) and enable everything on the ($LAN) side
By doing so, you will block the replies to packets you send. Is this
really what you want?
> #delete all the existing rules from all chains
> iptables -F INPUT
> iptables -F OUTPUT
> iptables -F FORWARD
'iptables -F' does the same in a single command.
> #set the default policy on the external interface not to accept anything
> iptables -P INPUT -i $WAN -j REJECT # dont let anything coming from
> outside
> iptables -P OUTPUT -i $WAN -j ACCEPT # let anything go out
> iptables -P FORWARD -i $WAN -j REJECT # dont forward anyhting from
> outside to inside
Syntax error. A default policy applies to a whole chain, it can't apply
to only an interface. Also, REJECT is not a valid default policy, you
can only use DROP or ACCEPT.
> #######################################
> ## allow everyThign internally
> #######################################
> iptables -f filter -A INPUT -i $LAN -j ACCEPT
> iptables -f filter -A INPUT -o $LAN -j ACCEPT
Syntax error. The table is specified by option -t. Option -f is to match
fragments. Also, you can't have a -o option (output interface) in an
INPUT chain.
> iptable -A OUTPUT -i $LAN -j ACCEPT
> iptable -A OUTPUT -o $LAN -j ACCEPT
Syntax error. It's iptables, not iptable. Also, you can't have a -i
option (input interface) in an OUTPUT chain.
> ####forward internally through the br0
> iptables -f filter -A FORWARD -i $LAN -j ACCEPT
> iptables -f filter -A FORWARD -o $LAN -j ACCEPT
-f mistake again. There is not a single correct rule in your script, so
I'm not surprised that it blocks everything.
iptables targets act on individual packets, not on connections. If you
block anything coming from the outside, you block the replies to the
packets you send.
If you want to filter connections, your rules should use connection
tracking state match (-m state --state ESTABLISHED,RELATED) to accept
replies but reject new connection requests from the outside.
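A corrected version of the script that follows the points made in this reply: one flush, chain-wide policies limited to ACCEPT/DROP, -t instead of -f, no -o in INPUT or -i in OUTPUT, and a state match so replies get in while new connections from the WAN are rejected. This is an added example, not part of Pascal's message; the interface names eth0/br0, the IPT variable and the "print" mode are assumptions made so the rule set can be inspected without root.

```shell
#!/bin/sh
# Assumed interface names; override with WAN=... LAN=... in the environment.
WAN=${WAN:-eth0}
LAN=${LAN:-br0}
IPT=${IPT:-iptables}

# In "print" mode the rules are echoed instead of applied (assumed helper, for review).
run() {
    if [ "$MODE" = print ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

apply_firewall() {
    MODE=${1:-apply}
    # One command flushes every chain of the filter table.
    run "$IPT" -F
    # A policy applies to the whole chain and may only be ACCEPT or DROP.
    run "$IPT" -P INPUT DROP
    run "$IPT" -P FORWARD DROP
    run "$IPT" -P OUTPUT ACCEPT
    # Loopback traffic for local services.
    run "$IPT" -A INPUT -i lo -j ACCEPT
    # Replies to connections opened from here or from the LAN come back on the
    # WAN; the state match lets them through without opening the WAN in general.
    run "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Everything arriving from the LAN is allowed, to the box and through it.
    run "$IPT" -A INPUT -i "$LAN" -j ACCEPT
    run "$IPT" -A FORWARD -i "$LAN" -j ACCEPT
    # New connection attempts from the WAN are rejected. REJECT is a valid
    # rule target, just not a valid chain policy.
    run "$IPT" -A INPUT -i "$WAN" -m state --state NEW -j REJECT
    run "$IPT" -A FORWARD -i "$WAN" -m state --state NEW -j REJECT
}

# Usage: "sh firewall.sh print" to review the rules, "sh firewall.sh apply" (as root) to load them.
if [ $# -gt 0 ]; then
    apply_firewall "$1"
fi
```

Anything not matched by a rule, for instance traffic on a third interface, falls through to the DROP policy. On current kernels the same match is usually written `-m conntrack --ctstate`; `-m state` is the older spelling this thread uses.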
Thread overview:
2006-05-16 0:46 setting up a firewall from scratch Mansour Al-Aqeel
2006-05-16 11:54 ` Pascal Hambourg [this message]
2006-05-16 11:57 ` Tim Evans
2006-05-16 14:47 ` Dimitri Yioulos