-
August 27th, 2004, 09:24 PM
#1
Senior Member
iptables order
I have been reading around about how to set up iptables to act as a firewall.
At the moment I have a very basic NAT script which works on boot up and allows my other computers to access the internet through a gateway box.
I would like to incorporate this into the necessary firewall script.
My question is: when I write the script, does it matter where I put the 'filter' section and the 'nat' parts, or does the position in the script make no difference?
regards
like life, this is a test
-
August 27th, 2004, 09:30 PM
#2
"Order" only matters within the same table/chain.
filter and nat are different tables, so entry order in the first doesn't affect entries in the second.
If you need more help just add questions here. There are a LOT of smart guys here on that subject.
My site
FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
If I die before I sleep, I pray the Lord my soul to encrypt. If I die before I wake, I pray the Lord my soul to brake.
-
August 28th, 2004, 01:58 PM
#3
You might want to browse through this AO thread Linux Iptables firewall for a discussion on just such an issue.
( I’m drunk again, for good reason, but I think I remember this. ) The Nat-ing will be done first, in Prerouting. Remember, No filtering should be done in this table. Then the packets will pass through the appropriate filters ( or tables as you were ). If you are Nat-ing ( or masquerading ) these packets would then pass through the Forward table. Naturally, if you branch off the Forward table to something like a user created table named, say one named ICMP, it would traverse that, and if not “matched” would then go back to continue to traverse the Forward table until “matched” or it hits the default policy for the Forward table.
If you read through and understand the above thread ( you have been using Iptables for over a year judging by your prior posts ) and understand how the packets travel through the tables then you should be able to answer your own question. When in doubt, list the table rules ( see the man pages for how to list them, and don’t forget to include line numbers, they help when debugging ).
Just remember ... you may set up excellent rules to protect your internal network on this gateway firewall box using the Forward tables, but if you don't protect the box itself using the Input and Output tables your work could be for naught!
" And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes
-
August 29th, 2004, 05:35 PM
#4
Senior Member
What about DHCP
I am getting there on my firewall task, and hope to post what I intend to use so you guys can rip it to shreds and modify it if need be.
A question is: if I have an ISP which allocates my cable IP address via DHCP, how do I set up my firewall script to take this into account? Otherwise after an update the firewall won't work.
regards
m
like life, this is a test
-
August 30th, 2004, 09:25 AM
#5
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
allows a dynamic address.
Any rules to filter that address could then be done on the interface.
Example: if the dynamic address was assigned to eth0 then you can apply filters to that ethernet interface, like
iptables -A INPUT -i eth0 -p tcp --dport 514 -j LOG --log-level info --log-prefix "rsh_port_packet_incoming: "
iptables -A INPUT -i eth0 -p tcp --dport 514 -j DROP
did that answer your question?
" And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes
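Pulling the thread's advice together into one skeleton gateway script (an added example, not a script any poster supplied): the nat and filter sections are separate tables so their relative position is irrelevant, LOG precedes DROP inside the INPUT chain because order does count within a chain, and every WAN-side rule keys on the interface rather than on the DHCP-assigned address. The interface names, the LAN subnet and the IPT dry-run knob are assumptions.

```shell
#!/bin/sh
# Gateway firewall skeleton (added example). Run as "sh fw.sh start" to apply;
# set IPT="echo iptables" to print the rule set instead of loading it.
IPT="${IPT:-iptables}"
WAN="${WAN:-eth0}"                     # interface holding the ISP's dynamic address (assumed)
LAN="${LAN:-eth1}"                     # inside interface (assumed)
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # constructed example subnet

enable_kernel_knobs() {
    # ip_dynaddr lets the kernel cope with the WAN address changing (post #5);
    # ip_forward is what actually lets packets cross the box.
    for knob in ip_dynaddr ip_forward; do
        [ -w "/proc/sys/net/ipv4/$knob" ] && echo 1 > "/proc/sys/net/ipv4/$knob"
    done
}

apply_rules() {
    $IPT -F; $IPT -t nat -F; $IPT -X
    # ---- filter table, INPUT/OUTPUT: protect the gateway itself (post #3) ----
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # DHCP lease renewals from the ISP (harmless even if the client uses raw sockets)
    $IPT -A INPUT -i "$WAN" -p udp --sport 67 --dport 68 -j ACCEPT
    # the LAN may talk to the gateway (ssh, dns, ...)
    $IPT -A INPUT -i "$LAN" -s "$LAN_NET" -j ACCEPT
    # unwanted rsh traffic on the WAN side: LOG first, then DROP (same chain, order counts)
    $IPT -A INPUT -i "$WAN" -p tcp --dport 514 -j LOG --log-level info --log-prefix "rsh_port_packet_incoming: "
    $IPT -A INPUT -i "$WAN" -p tcp --dport 514 -j DROP
    # ---- filter table, FORWARD: traffic crossing the box ----
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # ---- nat table: MASQUERADE uses whatever address $WAN currently holds ----
    $IPT -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

if [ "${1:-}" = "start" ]; then
    enable_kernel_knobs
    apply_rules
fi
```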
-
August 30th, 2004, 05:59 PM
#6
Senior Member
Yes
Yep, I think it did.
Nearly finished my first script and will put it here for scrutiny in the next few days!!!
Thanks for the snippet.
These programmes are far too clever for their own good, I can tell you!!
regards
M
like life, this is a test