I described the easiest method. It is usually considered insecure to have all policies of ACCEPT. However, if you use correctly configured server daemons and do not run services that you don't need, such a simple configuration should be secure. A more secure method is, as I wrote earlier, to set the default input policy to DENY and write explicit rules which will explicitly permit packets intended for the services on your router to enter the router. If you use an input policy of DENY without explicit rules with a target of ALLOW, you will not even be able to ping from your router, because such a policy will not allow ping replies to reach you (they will be DENIED entry into your router). If you use, in addition to the default input policy of DENY and a default output policy of ACCEPT, the following rule, you should be able to ping your router from other machines and ping other machines from your router:

iptables -t filter -A INPUT -p icmp -j ACCEPT

Of course, if you have server daemons on your router, you will need other rules in that chain.

Alexey Fadyushin
Brainbench MVP for Linux.
http://www.brainbench.com

Knut Ove Hauge writes:
>
> Wouldn't setting all policies to ACCEPT mean a security risk?
> How do I know if NAT is enabled?
> When I type lsmod I find NAT with no additional info, i.e. autoclean,
> used or unused.
>
> --- Alexey Fadyushin <[EMAIL PROTECTED]> wrote:
> > I think that you should set all three policies in all tables to
> > ACCEPT.
> > Of course, you could use any other policies if you have added
> > specific rules in the tables which will be used instead of the
> > default policies for the packets on your network.
> >
> > Also, if you are using NAT between LAN and ADSL, add a rule similar
> > to the following rule into the table 'nat':
> >
> > iptables -t nat -A POSTROUTING -s 192.168.3.0/255.255.255.0 -j SNAT
> > --to-source x.x.x.x
> >
> > where x.x.x.x is the address of the external interface of your
> > router (ADSL line).
> >
> > Alexey Fadyushin
> > Brainbench MVP for Linux.
> > http://www.brainbench.com
> >
> >
> > Saul Arias wrote:
> > >
> > > At 04:35 AM 30-08-02, Knut Ove Hauge wrote:
> > > > I have just installed iptables as a replacement for ipchains in
> > > > my RH 7.2 system. I downloaded a shell script with the rules but
> > > > I can't access the internet from my Linux or Windows client.
> > > > I use eth1 for my ADSL line and eth0 (IP address 192.168.0.1)
> > > > for my LAN card. The Windows box has IP address 192.168.0.3.
> > > > I have enabled IP forwarding and can flush the rules in iptables
> > > > at the beginning of the script. The input policy is set to DROP
> > > > while the other two are set to ACCEPT.
> > > > I can't ping any machines, neither external nor internal.
> > > > I'm new to iptables so I need some help on setting it up.
> > >
> > > Can you ping from the Linux box to, say, www.yahoo.com?
> > > Can you ping from the Linux box to 192.168.0.3?
> > >
> > > Can you do the pings above with iptables shut down?
> > >
> > > Can we see your script?
> > >
> > > --
> > > Saul Arias <[EMAIL PROTECTED]>
> > >
> > > --
> > > redhat-list mailing list
> > > unsubscribe mailto:[EMAIL PROTECTED]?subject=unsubscribe
> > > https://listman.redhat.com/mailman/listinfo/redhat-list
>
> =====
> Investigating the Norwegian 4th Secret Service
> The multiheaded beast.
> http://hjem.sol.no/altiett/knut_ove_hauge_kuren.htm
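The ruleset the thread converges on (INPUT default DROP, ICMP and replies let back in, SNAT for the LAN behind the ADSL line) and Knut's question of how to tell whether NAT is loaded, as an added shell example that is not code from the thread or from any of its participants. It uses the iptables target names DROP/ACCEPT rather than the ipchains names DENY/ALLOW used above, takes the LAN as 192.168.0.0/24 from Knut's post (not the 192.168.3.0 of the quoted SNAT rule), and assumes eth0/eth1 as in his post; 203.0.113.5 is a made-up external address standing in for x.x.x.x. It goes beyond the single `-p icmp -j ACCEPT` rule in one way: it accepts only echo requests plus anything in the ESTABLISHED/RELATED state, which is the rule that lets ping replies (and replies to other outbound connections) back through a DROP policy. The rules are built as text so they can be reviewed before being applied, and the `lsmod` check reads the module list from stdin so it can be tried on constructed output.

```shell
#!/bin/sh
# Added example (not from the thread): firewall/NAT rules for a two-interface
# Linux router, generated as text first, applied only on explicit request.
# eth0/eth1 and 192.168.0.0/24 are taken from Knut's post; 203.0.113.5 is an
# invented external address.

# build_rules LAN_IF LAN_NET WAN_IF WAN_IP
# Prints the iptables commands for the router; nothing is executed here.
build_rules() {
    lan_if=$1; lan_net=$2; wan_if=$3; wan_ip=$4
    cat <<EOF
# start from a clean filter table
iptables -t filter -F
iptables -t filter -X
# defaults: nothing enters the router unless a rule allows it
# (iptables calls this policy DROP; ipchains called it DENY)
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD ACCEPT
iptables -t filter -P OUTPUT ACCEPT
# loopback must always be accepted or local daemons break
iptables -t filter -A INPUT -i lo -j ACCEPT
# replies to connections the router itself started; with INPUT DROP this
# is what lets ping replies back in
iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# let other machines ping the router
iptables -t filter -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# trust the LAN side for the router's own services
iptables -t filter -A INPUT -i $lan_if -s $lan_net -j ACCEPT
# source NAT for LAN hosts going out the ADSL line
iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -o $wan_if -s $lan_net -j SNAT --to-source $wan_ip
EOF
}

# nat_module_loaded < lsmod-output
# Answers "is NAT enabled?": succeeds if the iptable_nat module appears in
# the first column of lsmod output read from stdin.
nat_module_loaded() {
    awk 'NR > 1 && $1 == "iptable_nat" { found = 1 }
         END { if (found) exit 0; exit 1 }'
}

# apply_rules LAN_IF LAN_NET WAN_IF WAN_IP   (needs root)
apply_rules() {
    echo 1 > /proc/sys/net/ipv4/ip_forward   # the router must forward packets
    build_rules "$@" | sh -e                 # comment lines are ignored by sh
}

# Guarded so that sourcing or testing this file never touches the live
# firewall; run with APPLY_FIREWALL=1 on the router to apply.
if [ "${APPLY_FIREWALL:-0}" = 1 ]; then
    apply_rules eth0 192.168.0.0/24 eth1 203.0.113.5
    lsmod | nat_module_loaded && echo "iptable_nat is loaded"
fi
```

Review the output of `build_rules eth0 192.168.0.0/24 eth1 203.0.113.5` first; the `-s` network in the SNAT rule must match the LAN that is actually configured on eth0, or LAN hosts will reach the router but never get out.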