* iptables basics
@ 2005-05-07 6:09 varun_saa
From: varun_saa @ 2005-05-07 6:09 UTC (permalink / raw)
To: netfilter
Hello,
My server is on Mandrake 10.1
eth0 is WAN with static IP connected to 512K DSL.
eth1 is LAN - 192.168.0.0/24 , 192.168.21.0/24
I am doing NAT on eth0 as follows:
# Generated by iptables-save v1.2.9 on Tue Apr 26 14:50:01 2005
*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
What are the first rules that one would
write? I mean how and where to start.
What are the first rules that one would write?
Do you start by blocking all ? Or allow all ?
I am asking this just from the point of view
of understanding the basic strategy.
Basically clients will surf the net,
send/receive mails and MSN/yahoo chat.
I would be using squid proxy.
Thanks
Varun
* Re: iptables basics
From: Jason Opperisano @ 2005-05-07 15:05 UTC (permalink / raw)
To: netfilter
On Sat, May 07, 2005 at 11:09:02AM +0500, varun_saa@vsnl.net wrote:
> Hello,
> My server is on Mandrake 10.1
> eth0 is WAN with static IP connected to 512K DSL.
> eth1 is LAN - 192.168.0.0/24 , 192.168.21.0/24
>
> I am doing NAT on eth0 as follows:
>
> # Generated by iptables-save v1.2.9 on Tue Apr 26 14:50:01 2005
> *nat
> :OUTPUT ACCEPT [0:0]
> :PREROUTING ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> -A POSTROUTING -o eth0 -j MASQUERADE
>
> What are the first rules that one would
> write? I mean how and where to start.
>
> What are the first rules that one would write?
> Do you start by blocking all ? Or allow all ?
> I am asking this just from the point of view
> of understanding the basic strategy.
>
> Basically clients will surf the net,
> send/receive mails and MSN/yahoo chat.
> I would be using squid proxy.
opie's 3-line guide to emulating a cisco PIX default config:
#!/bin/sh
INSIDE_IF="eth1"
OUTSIDE_IF="eth0"
# first IPv4 address on the outside interface, prefix length stripped
OUTSIDE_IP=`ip -4 -o addr sh $OUTSIDE_IF | awk '{print $4}' | cut -d"/" -f1`
# connection-tracking helpers so active FTP data channels count as RELATED
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
# default-deny for traffic to and through the box; locally generated traffic is allowed
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# replies to existing connections are accepted; new connections only from the LAN or loopback
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $INSIDE_IF -m state --state NEW -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INSIDE_IF -m state --state NEW -j ACCEPT
# static outside address, so SNAT is used instead of MASQUERADE
iptables -t nat -A POSTROUTING -o $OUTSIDE_IF \
-j SNAT --to-source $OUTSIDE_IP
sysctl -w net.ipv4.ip_forward=1
that's where i'd start--it's pretty wide-open, but it's probably better
than nothing.
i also recommend reading:
http://iptables-tutorial.frozentux.net/iptables-tutorial.html
-j
--
"Stewie: Baby needs to suck ash. Baby needs to suck ash. Not ass,
you pervert. Save it for the interns."
--Family Guy
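As an added example (not part of the thread and not Jason's script), the same "deny by default, accept replies, accept new connections from the LAN" strategy expressed as an iptables-restore ruleset, restricted to the two LAN subnets from the original post. The interface names, the subnets and a squid listening on TCP 3128 on the gateway are assumptions; the script only prints the ruleset so it can be reviewed before loading.

```shell
#!/bin/sh
# gen_rules INSIDE_IF OUTSIDE_IF [LAN_NET ...]
# Emits an iptables-restore(8) ruleset on stdout. Nothing is applied.
# Assumed: squid on the gateway listens on TCP 3128 (constructed value).
gen_rules() {
    inside=$1; outside=$2; shift 2
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
EOF
    # only the listed LAN subnets, arriving on the inside interface, may open
    # new connections to the proxy; a LAN source address seen on $outside
    # never matches and falls through to the DROP policy
    for net in "$@"; do
        echo "-A INPUT -i $inside -s $net -p tcp --dport 3128 -m state --state NEW -j ACCEPT"
    done
    cat <<EOF
-A INPUT -j LOG --log-prefix "fw-input-drop: "
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
    # LAN hosts may start outbound connections (mail, MSN/yahoo); nothing
    # new is forwarded inbound from the WAN
    for net in "$@"; do
        echo "-A FORWARD -i $inside -o $outside -s $net -m state --state NEW -j ACCEPT"
    done
    cat <<EOF
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
EOF
    # NAT only the LAN subnets, so spoofed or unknown sources are never masqueraded
    for net in "$@"; do
        echo "-A POSTROUTING -s $net -o $outside -j MASQUERADE"
    done
    echo COMMIT
}

gen_rules eth1 eth0 192.168.0.0/24 192.168.21.0/24
```

Redirect the output to a file and load it with iptables-restore once it has been reviewed.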