IPTABLES is driving me crazy!!! :P

Advancewarning advancewarning at swbell.net
Fri Dec 20 17:37:39 CST 2002


So if by default I drop everything and allow web in, is there a way I
can just drop a certain website?

Mike
----- Original Message -----
From: "Jeremy Fowler" <jfowler at westrope.com>
To: "Advancewarning" <advancewarning at swbell.net>; "KCLUG" <kclug at kclug.org>
Sent: Friday, December 20, 2002 10:49 AM
Subject: RE: IPTABLES is driving me crazy!!! :P

> When you set a chain's policy to DROP all packets are dropped, unless you add a
> specific rule to accept those certain types of packets. So if you want Internet
> access, you have to accept those types of packet - specifically outgoing TCP
> packets with a destination port of 80 and then add a rule for the state engine
> to accept the incoming reply packets.
>
> So
>
> # Drop *all* packets going across the FORWARD chain
> iptables -P FORWARD DROP
> # Except for RELATED and ESTABLISHED packets
> iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> # Except for NEW TCP packets with destination port 80
> iptables -A FORWARD -m state --state NEW -p tcp --dport 80 -j ACCEPT
>
>
>
> Then just continue to add rules that accept only the types of packets you want
> through. This may sound extremely complex at first, and it is. It just takes time
> to understand the syntax, structure, and meaning of each rule. Remember,
> firewall rules are both an art and a science. Getting proficient and getting the
> rules right just takes time. Read the HOWTOs on netfilter.org, search google for
> sample iptables firewall scripts (some people call them rc.firewall), and
> experiment. Remember this should be fun, so take your time.
>
>
>
>
> -----Original Message-----
> From: owner-kclug at marauder.illiana.net
> [mailto:owner-kclug at marauder.illiana.net]On Behalf Of Advancewarning
> Sent: Thursday, December 19, 2002 11:09 PM
> To: KCLUG
> Subject: IPTABLES is driving me crazy!!! :P
>
>
> First things first: I want to set up all the Policies so that by default they
> DROP. I did that.
>
> For some reason as soon as I set FORWARD to DROP I no longer have INTERNET!
>
> If I leave it as ACCEPT it works
>
> Another thing is how do I get Apache to work? The only way it will is if I set
> all the Policies to ACCEPT.
>
> Also if I set OUTPUT to DROP I lose SSH capability.
>
> This is what I have set in order for it to work.  Is there something I am
> missing here in order for all these to be set to DROP to work properly?
>
>
> Chain INPUT (policy DROP)
> target     prot opt source               destination
> LOG        all  --  anywhere             anywhere           LOG level warning
> ACCEPT     all  --  muldersworld         advancewarning.net
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
>
> Thanks!
> Mike
>
>
>
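The ruleset Jeremy sketches (policies set to DROP, the state engine letting replies through, then explicit ACCEPTs for NEW connections) can be written out as one script, and doing so also answers Mike's two reported problems and his follow-up question. The script below is an added example, not code from the thread or from either poster. It assumes, as labelled placeholders, that eth1 is the LAN side, eth0 is the Internet side, and 198.51.100.10 (a documentation-range address chosen for the example) is the site to block. Two points the thread does not spell out: OUTPUT DROP breaks SSH because the server's own replies are outgoing packets, so the ESTABLISHED,RELATED rule is needed on OUTPUT too; and a per-destination DROP must be placed before the rule that accepts NEW connections, otherwise the first SYN is accepted and the state engine then carries the whole session. iptables matches addresses, not hostnames, so a "website" has to be blocked by the IP address it resolves to.

```shell
#!/bin/sh
# Added example (not from the thread): a default-DROP ruleset in the style
# Jeremy describes, extended to cover Apache, SSH and dropping one destination.
# Assumed interface names and a constructed blocked address, overridable via env.
LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
BLOCKED_SITE="${BLOCKED_SITE:-198.51.100.10}"   # constructed placeholder

# Emit the iptables commands rather than running them, so the rules can be
# reviewed without root.  To apply:  sh firewall.sh | sudo sh
build_rules() {
    cat <<EOF
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# Loopback is used by local services (Apache, the resolver); allow it outright.
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# The state engine lets reply packets through on every chain.  Without the
# OUTPUT rule, OUTPUT DROP kills SSH: the server's replies are outgoing packets.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# A blocked destination must be refused BEFORE the rule that accepts NEW
# connections; once the SYN is accepted, ESTABLISHED carries the rest.
iptables -A FORWARD -d ${BLOCKED_SITE} -j DROP
iptables -A OUTPUT -d ${BLOCKED_SITE} -j DROP

# LAN hosts may open new web connections through the router.
iptables -A FORWARD -i ${LAN_IF} -o ${WAN_IF} -m state --state NEW -p tcp --dport 80 -j ACCEPT
# The router itself may open new web and DNS connections.
iptables -A OUTPUT -o ${WAN_IF} -m state --state NEW -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -o ${WAN_IF} -m state --state NEW -p udp --dport 53 -j ACCEPT

# Apache from anywhere, SSH only from the LAN: accept NEW inbound connections.
iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i ${LAN_IF} -m state --state NEW -p tcp --dport 22 -j ACCEPT

# Log what falls through to the DROP policy so refused packets show in syslog.
iptables -A INPUT -j LOG --log-prefix "IPT-DROP-IN: "
EOF
}

# Sanity check on rule order for one chain: the per-destination DROP must
# appear before that chain's first "--state NEW" ACCEPT.  Returns 0 if so.
check_order() {
    chain="$1"
    drop_line=$(build_rules | grep -n "^iptables -A ${chain} -d " | head -n 1 | cut -d: -f1)
    new_line=$(build_rules | grep -n "^iptables -A ${chain} .*--state NEW" | head -n 1 | cut -d: -f1)
    [ -n "$drop_line" ] && [ -n "$new_line" ] && [ "$drop_line" -lt "$new_line" ]
}

# Print the ruleset when run directly; check_order is available for review.
build_rules
```

Review the emitted commands first, then apply them; changing BLOCKED_SITE or the interface names only requires setting the variables in the environment.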