iptables order

Thread: iptables order

  1. #1
    Senior Member
    Join Date
    Jun 2003
    Posts
    101

    iptables order

    I have been reading around how to set up iptables to act as a firewall. At the moment I have a very basic NAT script which works on boot up and allows my other computers to access the internet through a gateway box.

    I would like to incorporate this into the necessary firewall script.

    My question is: when I write the script, does it matter where I put the 'filter' section and the 'nat' parts, or does the position in the script make no difference?


    regards
    like life, this is a test

  2. #2
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,130
    "Order" only matters on the same table/chain.

    filter and nat are different tables, so entry order on the first doesn't affect entries on the second.

    If you need more help just add questions here. There are a LOT of smart guys here on that subject.
    My site

    FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
    If I die before I sleep, I pray the Lord my soul to encrypt.
    If I die before I wake, I pray the Lord my soul to brake.

  3. #3
    Senior Member IKnowNot
    Join Date
    Jan 2003
    Posts
    792
    You might want to browse through this AO thread Linux Iptables firewall for a discussion on just such an issue.

    ( I’m drunk again, for good reason, but I think I remember this. ) The Nat-ing will be done first, in Prerouting. Remember, No filtering should be done in this table. Then the packets will pass through the appropriate filters ( or tables as you were ). If you are Nat-ing ( or masquerading ) these packets would then pass through the Forward table. Naturally, if you branch off the Forward table to something like a user created table named, say one named ICMP, it would traverse that, and if not “matched” would then go back to continue to traverse the Forward table until “matched” or it hits the default policy for the Forward table.

    If you read through and understand the above thread ( you have been using Iptables for over a year judging by your prior posts ) and understand how the packets travel through the tables then you should be able to answer your own question. When in doubt, list the table rules ( see the man pages for how to list them, and don’t forget to include line numbers, they help when debugging ).

    Just remember ... you may set up excellent rules to protect your internal network on this gateway firewall box using the Forward tables, but if you don’t protect the box itself using the Input and Output tables your work could be for naught!
    " And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes

  4. #4
    Senior Member
    Join Date
    Jun 2003
    Posts
    101

    What about DHCP

    I am getting there on my firewall task; hope to post what I intend to use and then you guys can rip it to shreds and modify if needed.

    A question is: if I have an ISP which allocates my cable IP address via DHCP, how do I set up my firewall script to take this into account? Otherwise after an update the firewall won't work?

    regards

    m
    like life, this is a test

  5. #5
    Senior Member IKnowNot
    Join Date
    Jan 2003
    Posts
    792
    echo "1" > /proc/sys/net/ipv4/ip_dynaddr

    allows dynamic addresses.

    Any rules to filter that address could then be done on the interface.
    Example: if the dynamic address was assigned to eth0 then you can apply filters to that ethernet interface, like
    iptables -A INPUT -i eth0 -p tcp --dport 514 -j LOG --log-level info --log-prefix "rsh_port_packet_incoming: "
    iptables -A INPUT -i eth0 -p tcp --dport 514 -j DROP


    did that answer your question?
    " And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes
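Added example (not from the thread or its posters): a minimal gateway firewall script that puts the nat and filter sections wherever is convenient, since order only matters within one chain, and that filters on the WAN interface rather than on the DHCP-assigned address, as posts #3 and #5 advise. Interface names eth0 (WAN) and eth1 (LAN) and the LAN network 192.168.1.0/24 are assumptions for this example; setting IPT=echo SYSCTL=echo prints the rules instead of applying them.

```shell
#!/bin/sh
# Constructed values: WAN=eth0, LAN=eth1, LAN_NET=192.168.1.0/24.
WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}
IPT=${IPT:-iptables}        # IPT=echo previews the rules without root
SYSCTL=${SYSCTL:-sysctl -w} # SYSCTL=echo previews the kernel knobs

apply_rules() {
    # Kernel knobs: forward packets, and cope with a WAN address that changes.
    $SYSCTL net.ipv4.ip_forward=1
    $SYSCTL net.ipv4.ip_dynaddr=1

    # Start clean; default-deny everything the gateway does not explicitly allow.
    $IPT -t nat -F
    $IPT -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # nat table. A forwarded packet always traverses nat/PREROUTING, then
    # filter/FORWARD, then nat/POSTROUTING, whatever order these lines are in.
    # MASQUERADE (not SNAT --to <ip>) picks up the current DHCP address itself.
    $IPT -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE

    # filter table, FORWARD chain: LAN hosts out to the internet, replies back in.
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # filter table, INPUT chain: protect the gateway box itself (post #3).
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -i "$LAN" -s "$LAN_NET" -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # DHCP lease renewals from the ISP arrive on the WAN side, UDP 67 -> 68.
    $IPT -A INPUT -i "$WAN" -p udp --sport 67 --dport 68 -j ACCEPT
    # Match on the interface, not the (changing) address, as in post #5.
    $IPT -A INPUT -i "$WAN" -p tcp --dport 514 -j LOG --log-level info --log-prefix "rsh_port_packet_incoming: "
    $IPT -A INPUT -i "$WAN" -p tcp --dport 514 -j DROP
}

# Usage: sh firewall.sh apply   (prefix IPT=echo SYSCTL=echo to preview only)
case "${1:-}" in
    apply) apply_rules ;;
esac
```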

  6. #6
    Senior Member
    Join Date
    Jun 2003
    Posts
    101

    Yes

    Yep, I think it did.

    Nearly finished my first script and will put it here for scrutiny in the next few days!

    Thanks for the snippet.

    These programmes are far too clever for their own good, I can tell you!

    regards

    M
    like life, this is a test
