Yowza, I'm trying to set up a conservative INNER firewall for our public workstations. Rules that, via NAT, will allow them to get out to the Internet to their heart's content, but won't allow them to do much but telnet to our catalog and pull port 80 requests from our web server WITHIN our network.

I've initially set up the firewall with dhcpd and think I've got a problem with the OUTPUT statement. When I issue the rules below I get:

    dhcpd: send_packet: Operation not permitted

Any hints?

Brett Charbeneau, Network Administrator
Williamsburg Regional Library
7770 Croaker Road
Williamsburg, VA 23188-7064
Tel: 757-259-7750
FAX: 757-259-7798
[EMAIL PROTECTED]
http://www.wrl.org

    ## Change source addresses to 209.96.157.155.
    iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 209.96.157.155

    ## Allow DHCP traffic to pass through to the eth1 network
    iptables -A INPUT -s 192.168.5.0/255.255.255.0 -d 192.168.5.0/255.255.255.0 -i eth1 -p udp --sport 67 --dport 68 -j ACCEPT
    iptables -A OUTPUT -s 192.168.5.0/255.255.255.0 -d 192.168.5.0/255.255.255.0 -o eth1 -p udp --sport 68 --dport 67 -j ACCEPT
    iptables -A INPUT -s 192.168.5.0/255.255.255.0 -d 192.168.5.0/255.255.255.0 -i eth1 -j ACCEPT
    iptables -A OUTPUT -s 192.168.5.0/255.255.255.0 -d 192.168.5.0/255.255.255.0 -o eth0 -j ACCEPT

    ## Makes passive FTP possible, but creates security hole as of 5/23/01
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    ## Allow new traffic to be accepted from eth1
    iptables -A INPUT -m state --state NEW -i ! eth0 -j ACCEPT

    # establish policies
    iptables -P INPUT DROP
    iptables -P FORWARD ACCEPT
    iptables -P OUTPUT DROP

    # log all dropped packets on eth1
    iptables -A INPUT -p all -j LOG --log-level warning --log-prefix "IPT DROP: " -i eth1

_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
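The "Operation not permitted" that dhcpd reports is the EPERM a sending process receives when netfilter drops a locally generated packet in the OUTPUT chain. The following is an added example, not code from the post: a small model of how the kernel walks the posted INPUT and OUTPUT chains, used to trace one DHCP exchange on the eth1 side. The firewall's own address 192.168.5.1 and the client address 192.168.5.50 are constructed sample values; the rule set is the one quoted above. A second OUTPUT chain written from the server's point of view (dhcpd sends from port 67 to port 68, often to the broadcast address) is included for comparison.

```python
# Added example: a model of netfilter chain traversal for the posted rules.
# Not code from the post. 192.168.5.1 (firewall) and 192.168.5.50 (client)
# are constructed sample addresses; the network 192.168.5.0/24 is from the post.
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

NET = "192.168.5.0/24"          # 192.168.5.0/255.255.255.0 in the post


@dataclass
class Packet:
    src: str
    dst: str
    iface: str                  # arriving interface (INPUT) or outgoing interface (OUTPUT)
    proto: str = "udp"
    sport: int = 0
    dport: int = 0
    state: str = "NEW"          # what "-m state" would see for this packet


@dataclass
class Rule:
    target: str                 # ACCEPT, DROP or LOG (LOG never terminates traversal)
    src: Optional[str] = None   # -s CIDR
    dst: Optional[str] = None   # -d CIDR
    iface: Optional[str] = None # -i / -o
    iface_negated: bool = False # the post's "-i ! eth0"
    proto: Optional[str] = None # -p
    sport: Optional[int] = None # --sport
    dport: Optional[int] = None # --dport
    states: Set[str] = field(default_factory=set)  # -m state --state ...

    def matches(self, p: Packet) -> bool:
        """True when every match the rule specifies holds for the packet."""
        if self.src and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        # Interface match, honouring "!" negation.
        if self.iface and (p.iface == self.iface) == self.iface_negated:
            return False
        if self.proto and p.proto != self.proto:
            return False
        if self.sport is not None and p.sport != self.sport:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.states and p.state not in self.states:
            return False
        return True


def walk(chain: List[Rule], policy: str, p: Packet) -> Tuple[str, Optional[int]]:
    """Return (verdict, index of the terminating rule, or None when the policy applied)."""
    for i, rule in enumerate(chain):
        if rule.matches(p) and rule.target != "LOG":   # LOG records the packet and continues
            return rule.target, i
    return policy, None


# The posted chains, in the order the commands append rules.
INPUT = [
    Rule("ACCEPT", src=NET, dst=NET, iface="eth1", proto="udp", sport=67, dport=68),
    Rule("ACCEPT", src=NET, dst=NET, iface="eth1"),
    Rule("ACCEPT", states={"ESTABLISHED", "RELATED"}),
    Rule("ACCEPT", iface="eth0", iface_negated=True, states={"NEW"}),
    Rule("LOG", iface="eth1"),
]
OUTPUT = [
    Rule("ACCEPT", src=NET, dst=NET, iface="eth1", proto="udp", sport=68, dport=67),
    Rule("ACCEPT", src=NET, dst=NET, iface="eth0"),
]
POLICY = "DROP"

# A rule written from the server's side: dhcpd sends from 67 to 68, and the reply
# may go to 255.255.255.255, which no 192.168.5.0/24 destination match covers.
OUTPUT_FIXED = [Rule("ACCEPT", iface="eth1", proto="udp", sport=67, dport=68)] + OUTPUT


def trace_dhcp(output_chain: List[Rule] = OUTPUT) -> dict:
    """Trace the client's request and the server's two possible replies."""
    # DHCPDISCOVER: the client has no address yet, 0.0.0.0:68 -> 255.255.255.255:67.
    discover = Packet("0.0.0.0", "255.255.255.255", "eth1", sport=68, dport=67)
    # DHCPOFFER from dhcpd on the firewall: broadcast to an unconfigured client...
    offer_bcast = Packet("192.168.5.1", "255.255.255.255", "eth1", sport=67, dport=68)
    # ...or unicast to a client renewing an existing lease (constructed address).
    offer_ucast = Packet("192.168.5.1", "192.168.5.50", "eth1", sport=67, dport=68)
    return {
        "discover_in": walk(INPUT, POLICY, discover)[0],
        "offer_bcast_out": walk(output_chain, POLICY, offer_bcast)[0],
        "offer_ucast_out": walk(output_chain, POLICY, offer_ucast)[0],
    }


if __name__ == "__main__":
    print("posted rules:", trace_dhcp())
    print("server-side OUTPUT rule:", trace_dhcp(OUTPUT_FIXED))
```

With the posted chains the DISCOVER is accepted on INPUT by the "NEW from anything but eth0" rule, but both forms of the server's reply fall through to the OUTPUT policy of DROP: the only eth1 OUTPUT rule expects source port 68 and destination port 67 (the client's direction) and a destination inside 192.168.5.0/24, which a broadcast reply never has. The comparison chain accepts both replies.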