> Incoming from [EMAIL PROTECTED]:
>>
>> This is my rule set:
>>
>> 1 iptables -P INPUT DROP
>> 2 iptables -A INPUT -p icmp -j ACCEPT
>> 3 iptables -A INPUT -i lo -j ACCEPT
>> 4 iptables -A INPUT -i ppp0 -p tcp --dport 22 -j ACCEPT
>> 5 iptables -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
>> 6 iptables -A INPUT -i ppp0 -p tcp -j REJECT --reject-with tcp-reset
>> 7 iptables -A INPUT -i ppp0 -p udp -j REJECT
>> 8 iptables -A INPUT -i ppp0 -j REJECT --reject-with icmp-proto-unreachable
>>
>> 9 iptables -P FORWARD DROP
>> 10 iptables -P OUTPUT ACCEPT
>>
>> *********************************************************
>>
>> 1.) Line number five does not work, iptables complains when I issue that
>> rule.
>
> I use exactly the same rule here:
>
> iptables -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
>
Do you get this error or ... what does this error mean ...

EULER:~# iptables -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables: No chain/target/match by that name
EULER:~#

>> 2.) The functionality I want from my firewall rule set is:
>>
>> Deny all incoming traffic except, port 22 ssh and allow pings
>>
>> Allow all outgoing traffic, as well as, it should be able to come
>> back in if it originated from my box
>>
>> The above rule set did work when I had an ethernet connection on a
>> different network, but when I changed to dialup, I have problems getting
>> these to work.
>
> My situation is close, the exception being incoming ssh. I do,
> however, allow incoming identd (handled by fauxident):
>
> iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> iptables -t filter -I INPUT -i ppp0 -m tcp -p tcp --dport 113 -j ACCEPT
> iptables -A INPUT -s ! 127.0.0.1/32 -m state --state NEW -j LOG
> iptables -A INPUT -s ! 127.0.0.1/32 -m state --state NEW -j DROP
> iptables -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> --
> Any technology distinguishable from magic is insufficiently advanced.
> (*) http://www.spots.ab.ca/~keeling
> - -
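
Added example (not part of the original thread and not any poster's code): a small first-match model of the numbered INPUT rules quoted above, showing which rule decides a packet and what happens to reply traffic when rule 5 is not installed. The packet fields and the connection-state labels are constructed for illustration; in a real kernel the state comes from connection tracking.

```python
# First-match model of the INPUT chain from the thread (rules 2-8, policy from line 1).
# Each rule: (line number in the post, match conditions, verdict).
# A condition that is absent matches any packet.
RULES = [
    (2, {"proto": "icmp"}, "ACCEPT"),
    (3, {"iface": "lo"}, "ACCEPT"),
    (4, {"iface": "ppp0", "proto": "tcp", "dport": 22}, "ACCEPT"),
    (5, {"iface": "ppp0", "state": ("ESTABLISHED", "RELATED")}, "ACCEPT"),
    (6, {"iface": "ppp0", "proto": "tcp"}, "REJECT tcp-reset"),
    (7, {"iface": "ppp0", "proto": "udp"}, "REJECT"),
    (8, {"iface": "ppp0"}, "REJECT icmp-proto-unreachable"),
]
POLICY = (1, "DROP")  # line 1: iptables -P INPUT DROP


def matches(cond, pkt):
    """True if every condition in the rule holds for the packet."""
    for key, want in cond.items():
        have = pkt.get(key)
        if isinstance(want, tuple):      # e.g. --state ESTABLISHED,RELATED
            if have not in want:
                return False
        elif have != want:
            return False
    return True


def verdict(pkt, rules=RULES):
    """Return (rule line, verdict) of the first matching rule, else the chain policy."""
    for line, cond, target in rules:
        if matches(cond, pkt):
            return line, target
    return POLICY


def without_rule(line):
    """The same chain with one rule missing, as when iptables refuses to add it."""
    return [r for r in RULES if r[0] != line]


# Constructed sample packets (hypothetical ports and states).
SAMPLES = {
    "new inbound ssh": {"iface": "ppp0", "proto": "tcp", "dport": 22, "state": "NEW"},
    "new inbound telnet": {"iface": "ppp0", "proto": "tcp", "dport": 23, "state": "NEW"},
    "ping": {"iface": "ppp0", "proto": "icmp", "state": "NEW"},
    "tcp reply": {"iface": "ppp0", "proto": "tcp", "dport": 40000, "state": "ESTABLISHED"},
    "udp reply": {"iface": "ppp0", "proto": "udp", "dport": 40001, "state": "ESTABLISHED"},
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:20} full: {verdict(pkt)}  no rule 5: {verdict(pkt, without_rule(5))}")
```

With rule 5 absent, inbound ssh and ping are still accepted, but replies to connections opened from the box fall through to the REJECT rules on lines 6 and 7.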