IPTABLES is driving me crazy!!! :P

Jeremy Fowler jfowler at westrope.com
Fri Dec 20 16:49:23 CST 2002


When you set a chain's policy to DROP all packets are dropped, unless you add a
specific rule to accept those certain types of packets. So if you want Internet
access, you have to accept those types of packet - specifically outgoing TCP
packets with a destination port of 80 and then add a rule for the state engine
to accept the incoming reply packets.

So

# Drop *all* packets going across the FORWARD chain
iptables -P FORWARD DROP
# Except for RELATED and ESTABLISHED packets
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# Except for NEW TCP packets with destination port 80
iptables -A FORWARD -m state --state NEW -p tcp --dport 80 -j ACCEPT

Then just continue to add rules that accept only the types of packets you want
through. This may sound extremely complex at first, and it is. It just takes time
to understand the syntax, structure, and meaning of each rule. Remember,
firewall rules are both an art and a science. Getting proficient and getting the
rules right just takes time. Read the HOWTOs on netfilter.org, search Google for
sample iptables firewall scripts (some people call them rc.firewall), and
experiment. Remember this should be fun, so take your time.

-----Original Message-----
From: owner-kclug at marauder.illiana.net
[mailto:owner-kclug at marauder.illiana.net]On Behalf Of Advancewarning
Sent: Thursday, December 19, 2002 11:09 PM
To: KCLUG
Subject: IPTABLES is driving me crazy!!! :P

First things first: I want to set up all the Policies so that by default they
DROP. I did that.

For some reason as soon as I set FORWARD to DROP I no longer have INTERNET!

If I leave it as ACCEPT it works

Another thing is how do I get Apache to work? The only way it will is if I set
all the Policies to ACCEPT.

Also if I set OUTPUT to DROP I lose SSH capability.

This is what I have set in order for it to work.  Is there something I am
missing here in order for all these to be set to DROP to work properly?

Chain INPUT (policy DROP)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere           LOG level warning
ACCEPT     all  --  muldersworld         advancewarning.net

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Thanks!
Mike
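
The reply above describes the pattern (default DROP policies, one state-engine rule per chain to let replies through, then explicit NEW rules for the few things you actually want), and Mike's three symptoms (no Internet with FORWARD DROP, no Apache, no SSH with OUTPUT DROP) are all cases of a missing ACCEPT for some NEW or reply traffic. The following rc.firewall-style script is an added example written for this page; it is not Jeremy's or Mike's code, and the interface names, the admin host address and the choice of ports are placeholders. By default it only prints the iptables commands it would run, so the ordering can be inspected and checked without root; set IPTABLES=/sbin/iptables to apply them.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal default-deny rc.firewall
# that applies the reply's pattern to all three chains.
# Dry run by default: commands are echoed, not executed.
IPTABLES="${IPTABLES:-echo iptables}"

# Assumed names (placeholders, not from the thread).
LAN_IF="${LAN_IF:-eth1}"          # LAN side of the router
WAN_IF="${WAN_IF:-eth0}"          # Internet side of the router
ADMIN_HOST="${ADMIN_HOST:-192.0.2.10}"   # the only host allowed to SSH in

rule() { $IPTABLES "$@"; }

apply_firewall() {
    # 1. Start clean, then default-deny every chain.
    rule -F
    rule -X
    rule -P INPUT DROP
    rule -P FORWARD DROP
    rule -P OUTPUT DROP

    # 2. Loopback traffic must always pass (local services talk to themselves).
    rule -A INPUT  -i lo -j ACCEPT
    rule -A OUTPUT -o lo -j ACCEPT

    # 3. State engine first, in every chain: replies to a connection that some
    #    later rule accepted are let through here. Without the OUTPUT line an
    #    OUTPUT DROP policy silently kills SSH replies; without the FORWARD line
    #    a FORWARD DROP policy kills web browsing from the LAN.
    rule -A INPUT   -m state --state RELATED,ESTABLISHED -j ACCEPT
    rule -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    rule -A OUTPUT  -m state --state RELATED,ESTABLISHED -j ACCEPT

    # 4. NEW connections the box itself may open: web and DNS lookups.
    rule -A OUTPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
    rule -A OUTPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT
    rule -A OUTPUT -m state --state NEW -p udp --dport 53 -j ACCEPT

    # 5. NEW connections the box accepts: Apache from anywhere,
    #    SSH only from the admin host.
    rule -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
    rule -A INPUT -m state --state NEW -p tcp -s "$ADMIN_HOST" --dport 22 -j ACCEPT

    # 6. NEW connections the LAN may open through the box to the Internet.
    rule -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -m state --state NEW -p tcp --dport 80  -j ACCEPT
    rule -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -m state --state NEW -p tcp --dport 443 -j ACCEPT
    rule -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -m state --state NEW -p udp --dport 53  -j ACCEPT

    # 7. Log whatever falls through, just before the policy drops it.
    rule -A INPUT   -j LOG --log-prefix "INPUT-DROP: "
    rule -A FORWARD -j LOG --log-prefix "FORWARD-DROP: "
}

# rules_text: the same rule set as text, whatever IPTABLES is set to.
rules_text() { ( IPTABLES="echo iptables"; apply_firewall ); }

# check_order CHAIN: succeed only if CHAIN's RELATED,ESTABLISHED rule is
# appended before any --state NEW rule, i.e. replies are matched first.
check_order() {
    rules_text | grep " -A $1 " | awk '
        /RELATED,ESTABLISHED/ && !seen { seen = NR }
        /--state NEW/ && !seen        { bad = 1 }
        END { exit bad }'
}

# Usage:  sh rc.firewall                          (prints the commands)
#         IPTABLES=/sbin/iptables sh rc.firewall  (applies them, as root)
apply_firewall
```

Read the printed rule list top to bottom the way the kernel does: the policy is the fallback, the first matching rule wins, so the RELATED,ESTABLISHED rule must come before the per-port NEW rules in each chain, which is what check_order verifies.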



