On Sun, 12 Oct 2014 15:20:27 +0100 Lisi Reisz <lisi.re...@gmail.com> wrote:
> Quite. It is ALL there. I keep hoping that something will be the
> basics for beginners (which is where we started on this thread).
> Teaching notes for college sounded great.

You basically have two options: to use a firewall tool, or to hack a script yourself. The existing tools, last time I looked, aren't really that versatile; they are intended to make simple firewalls using a GUI. That's reasonable, because once you want something a bit unusual, any tool is likely to be no easier to use than the iptables commands themselves. I've (long ago) driven the 'sophisticated' Windows ISA firewall, and honestly, I'd rather have produced a list of iptables rules, when at least I'd have known for sure what was going on, and in what order.

Did you try the horse's mouth, the creator of netfilter/iptables? These documents are fairly old, a few commands have changed, Debian now has a bit of infrastructure to help with maintaining the firewall, but this may help a bit. New concepts can be easier to deal with if you can try two or three different views, and the bits you understand in one view can shed light on obscure bits in another.

http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html
http://www.netfilter.org/documentation/HOWTO/NAT-HOWTO-1.html

Chapter 5 of the first document, all dozen or so lines of it, shows how simple an anything-out-nothing-in-except-replies firewall can be. Mr Russell has oversimplified a bit; you would generally need to make provision for packets from one localhost (lo) port to another, but that's only another line. There are plenty of other example scripts around, some with out-of-date commands, but that doesn't change the principles. You can learn much more quickly from an actual working script than by reading a dry list of options to the iptables command.

A diagram, such as the one on this page, helps a lot:

http://www.sibbald.com/unixutil/iptables-firewall.html

The 'local process', by the way, represents the computer itself, and makes clear that the FORWARD chain applies only to packets that will never enter or leave the computer's own applications and will only be passed on from one network interface to another. The 'Network' at the top and bottom of the diagram means *all* physical and virtual interfaces.

--
Joe

Archive: https://lists.debian.org/20141012171810.44a69...@jresid.jretrading.com
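As an added example, not code from Joe's post or from the netfilter HOWTO: a script for the anything-out-nothing-in-except-replies host firewall described above, including the extra lo line. It assumes an iptables with the conntrack match; the IPT variable is introduced here so the commands can be printed (IPT=echo) instead of applied.

```shell
#!/bin/sh
# Added example, not the post's own code: the "anything out, nothing in except
# replies" host firewall the post describes, plus the lo line it says Rusty
# Russell's chapter 5 leaves out. IPT is introduced here so the commands can be
# printed instead of applied:  IPT=echo sh fw.sh apply
set -eu
IPT="${IPT:-iptables}"

apply_firewall() {
    # Start from a clean slate so re-running the script gives the same result
    "$IPT" -F
    "$IPT" -X

    # Policies are what happens when no rule matches. INPUT and FORWARD drop
    # unsolicited packets; OUTPUT lets the local process send anything.
    # FORWARD only ever sees packets passing between interfaces, never packets
    # for or from the computer's own applications (the diagram's 'local process').
    "$IPT" -P INPUT   DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -P OUTPUT  ACCEPT

    # The extra line the post mentions: local processes talking to each other
    # over the loopback interface arrive on INPUT like anything else
    "$IPT" -A INPUT -i lo -j ACCEPT

    # Replies to connections this host opened, and related traffic such as
    # ICMP errors, are the only thing allowed in from the network
    "$IPT" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Anything else that reaches the end of INPUT hits the DROP policy. Log it
    # first (rate-limited) so the effect of the policy is visible in syslog
    "$IPT" -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
}

# Only touch the running firewall when explicitly asked (needs root)
if [ "${1:-}" = apply ]; then
    apply_firewall
fi
```

Run it as root with the `apply` argument to load the rules; with `IPT=echo` it only lists the eight iptables commands it would run, which is a convenient way to review the rule order before touching a live machine.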