Oops, guess my eyes were moving faster than my brain again.

-----Original Message-----
From: Alexey Fadyushin [mailto:[EMAIL PROTECTED]
Sent: Sunday, August 31, 2003 12:29 PM
To: [EMAIL PROTECTED]
Subject: Re: IP tables help

Did you note the last line in the INPUT chain? The firewall will not accept
anything not listed in the first two lines of the INPUT chain, regardless of
the default policy, because the catch-all REJECT rule in the chain will always
be used instead of the default policy. The default ACCEPT policy is just a
precaution intended to be used when something happens during the loading of
the rules. In that case a REJECT or DROP default policy may prevent further
communication with the machine if the rule which allows, for example, SSH and
the rules that follow it have not been loaded due to some error.

Alexey Fadyushin
Brainbench MVP for Linux
http://www.brainbench.com

Jason Staudenmayer wrote:
>
> I would change that 'INPUT ACCEPT' to DROP or else the firewall really isn't
> a firewall since it will accept anything.
>
> -----Original Message-----
> From: Alexey Fadyushin [mailto:[EMAIL PROTECTED]
> Sent: Sunday, August 31, 2003 11:42 AM
> To: [EMAIL PROTECTED]
> Subject: Re: IP tables help
>
> I think that the following configuration will help.
> Put the following lines in /etc/sysconfig/iptables:
>
> *nat
> :PREROUTING ACCEPT
> :POSTROUTING ACCEPT
> :OUTPUT ACCEPT
> -A POSTROUTING -s 192.168.1.0/24 -j SNAT --to-source <YOUR EXTERNAL ADDRESS HERE>
> COMMIT
>
> *filter
> :INPUT ACCEPT
> :FORWARD ACCEPT
> :OUTPUT ACCEPT
> -A INPUT -i eth1 -j ACCEPT
> -A INPUT -i eth0 -p tcp -m multiport --destination-port ssh,http,ftp,ftp-data,smtp -j ACCEPT
> -A INPUT -j REJECT
> -A FORWARD -i eth0 -o eth1 -d 192.168.1.0/24 -j ACCEPT
> -A FORWARD -i eth1 -o eth0 -s 192.168.1.0/24 -j ACCEPT
> -A FORWARD -j DROP
> COMMIT
>
> Alexey Fadyushin
> Brainbench MVP for Linux
> http://www.brainbench.com
>
> Rudik Amirjanyan wrote:
> >
> > Hello
> > In my small office we have a local LAN 192.168.1.0 and we have put in a RH9
> > as a router, and want to masquerade the local IP addresses of the network. The
> > server has 2 interfaces, eth0 with a global IP address, and eth1 192.168.1.1.
> > We want to open only the ssh, ftp, www and mail ports from outside, and
> > everything from the local LAN.
> > We have set up iptables, but do not know how to make it work. The question
> > is, what entries must be in the /etc/sysconfig/iptables file for the
> > firewall to work properly.
> > Any help is appreciated.
> >
> > Thanks.

--
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]
https://www.redhat.com/mailman/listinfo/redhat-list
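Added example, not code from the mailing-list thread: a small Python evaluator that walks constructed packets through the filter table Alexey posted, using iptables' first-match-wins semantics, so that the point about the default policy can be checked rather than argued. It understands only the matches that ruleset uses (-i, -o, -p, -s, -d, -m multiport --destination-port, -j) and the ":CHAIN POLICY" lines. The service numbers are an assumed /etc/services subset, the addresses in the packets are constructed, and "partial load" is modelled as a loader that set the chain policies and then stopped after the first -A line (the situation Alexey describes, e.g. a script of individual iptables commands run with set -e). Two results go beyond the thread's own discussion and are worth a practitioner's attention: the posted INPUT chain has no rule for ESTABLISHED or RELATED traffic, so a reply to a connection the router itself opened lands on the catch-all REJECT (the usual addition is "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"), and the first FORWARD rule accepts any packet that arrives on eth0 already addressed into 192.168.1.0/24, which only matters if something upstream routes that prefix towards eth0.

```python
"""Added example (not code from the thread): walk constructed packets through the
filter table Alexey posted, with iptables' first-match-wins semantics, to show when
the chain policy is actually consulted.  Handles only the matches that ruleset uses."""
import ipaddress
import shlex

# Constructed copy of the posted *filter table (the *nat table does not affect these verdicts).
POSTED_FILTER = """\
*filter
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -i eth0 -p tcp -m multiport --destination-port ssh,http,ftp,ftp-data,smtp -j ACCEPT
-A INPUT -j REJECT
-A FORWARD -i eth0 -o eth1 -d 192.168.1.0/24 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -s 192.168.1.0/24 -j ACCEPT
-A FORWARD -j DROP
COMMIT
"""
SERVICES = {"ssh": 22, "http": 80, "ftp": 21, "ftp-data": 20, "smtp": 25}  # assumed /etc/services subset
PKT_FIELD = {"-i": "in", "-o": "out", "-p": "proto"}  # rule option -> packet field

def parse_rule(tokens):
    """Turn one '-A CHAIN ...' line into a dict of match criteria plus the '-j' target."""
    rule, i = {"chain": tokens[1]}, 2
    while i < len(tokens):
        opt, val = tokens[i], tokens[i + 1]
        if opt == "-m":
            pass  # match-module name; its own options follow
        elif opt in ("-i", "-o", "-p", "-j"):
            rule[opt] = val
        elif opt in ("-s", "-d"):
            rule[opt] = ipaddress.ip_network(val)
        elif opt in ("--destination-port", "--destination-ports", "--dports"):
            rule["dports"] = {SERVICES.get(p) or int(p) for p in val.split(",")}
        else:
            raise ValueError("unsupported option " + opt)
        i += 2
    return rule

def parse_filter(text, max_rules=None):
    """Return (policies, rules).  max_rules models a loader that set the policies and
    then died after that many '-A' lines (assumed failure model: a script of
    individual iptables commands run with set -e that hits a bad line)."""
    policies, rules = {}, []
    for line in text.splitlines():
        if line.startswith(":"):
            chain, policy = line[1:].split()
            policies[chain] = policy
        elif line.startswith("-A"):
            if max_rules is not None and len(rules) >= max_rules:
                break
            rules.append(parse_rule(shlex.split(line)))
    return policies, rules

def matches(rule, pkt):
    """Every criterion present in the rule must hold for the packet."""
    for opt, field in PKT_FIELD.items():
        if opt in rule and rule[opt] != pkt.get(field):
            return False
    for opt, field in (("-s", "src"), ("-d", "dst")):
        if opt in rule and ipaddress.ip_address(pkt[field]) not in rule[opt]:
            return False
    return "dports" not in rule or pkt.get("dport") in rule["dports"]

def verdict(chain, pkt, policies, rules):
    """First matching rule decides; the policy is consulted only if nothing matched."""
    for rule in rules:
        if rule["chain"] == chain and matches(rule, pkt):
            return rule["-j"]
    return policies[chain]

def scenarios():
    """Verdicts for constructed packets against the full and a partially loaded ruleset."""
    full = parse_filter(POSTED_FILTER)
    ssh_in = {"in": "eth0", "proto": "tcp", "src": "203.0.113.5", "dst": "198.51.100.1", "dport": 22}
    telnet_in = dict(ssh_in, dport=23)
    lan_any = {"in": "eth1", "proto": "tcp", "src": "192.168.1.10", "dst": "192.168.1.1", "dport": 3306}
    # SYN/ACK for a connection the router itself opened: the dport is an ephemeral port.
    reply_to_router = dict(ssh_in, dport=40123)
    # Already addressed to a LAN host on arrival at eth0 (needs an upstream route for 192.168.1.0/24).
    inbound_to_lan = dict(ssh_in, out="eth1", dst="192.168.1.10", dport=445)
    results = {
        "ssh from internet": verdict("INPUT", ssh_in, *full),
        "telnet from internet": verdict("INPUT", telnet_in, *full),
        "anything from lan": verdict("INPUT", lan_any, *full),
        "reply to router's own connection": verdict("INPUT", reply_to_router, *full),
        "internet to lan host, forwarded": verdict("FORWARD", inbound_to_lan, *full),
    }
    # Loading stopped after the first '-A' line: only the INPUT policy decides the ssh packet.
    accept_pol = parse_filter(POSTED_FILTER, max_rules=1)
    drop_pol = parse_filter(POSTED_FILTER.replace(":INPUT ACCEPT", ":INPUT DROP"), max_rules=1)
    results["ssh, partial load, policy ACCEPT"] = verdict("INPUT", ssh_in, *accept_pol)
    results["ssh, partial load, policy DROP"] = verdict("INPUT", ssh_in, *drop_pol)
    return results

if __name__ == "__main__":
    for name, v in scenarios().items():
        print(f"{name:36s} -> {v}")
```

With the full ruleset loaded, telnet from the Internet is rejected by the last INPUT rule whether the policy says ACCEPT or DROP, which is Alexey's point; with only the first rule loaded, the policy is the only thing standing between the outside and an sshd that is now unreachable under DROP. Note that the catch-all is REJECT, not DROP, so a scanner gets explicit ICMP/RST answers instead of silence; that is a deliberate choice in the posted file, not an oversight.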