Iptables question

Linux
06-12-2001, 11:37 AM
My INPUT and OUTPUT policies are set to DROP. Now I want to start allowing some services in and out. How would I enable users on the local network to browse the net, and how would I allow access to the web server from outside? My eth0 has a valid IP while eth1 is my private network.

ThanX

Craig McPherson
06-12-2001, 09:10 PM
I can't ever really recommend setting your default output policy to DROP. You'll run into way too many problems to make it worth your time and you don't really get any added security out of it.

But if that's what you wanna do...

The first thing you need to know about IPTABLES is how the tables/chains have changed from IPCHAINS. Now, INPUT is only traversed for locally-destined packets, and OUTPUT is only traversed for locally-generated packets.

This is how I believe it works:

1. A packet comes in.
2. The kernel decides "is this packet meant for me, or am I supposed to route it?"
3. If the packet is meant for the router machine itself, it's handled by the INPUT chain.
4. If the packet is supposed to be routed, it's processed through the PREROUTING chain, then the decision as to where to route it is made, then it's processed through the POSTROUTING chain.

I could be wrong about part of that -- PREROUTING could be handled right after step 1 rather than during step 4. I can't remember which.

Anyway, the OUTPUT chain is only used for packets that are generated locally by the router machine.

This is how you activate IP masquerading:

iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE

Remember, anything that's allowed out by MASQUERADE will automatically have its responses let back in and un-MASQ'd, so you don't have to worry about that.

If you only want to allow clients to connect to certain ports on Internet machines, you'd probably want to set up PREROUTING rules for that.

You can run an Internet-accessible web server like this:

UNPRIVPORTS=1024:65535   # the unprivileged (client-side) port range used below
iptables -A INPUT -i eth0 -p tcp --sport $UNPRIVPORTS --dport 80 -j ACCEPT

If you're absolutely sure you want OUTPUT to be default DROP, you'll need this as well:

iptables -A OUTPUT -o eth0 -p tcp --sport 80 --dport $UNPRIVPORTS -j ACCEPT   # OUTPUT matches on the outgoing interface, so -o rather than -i

You'll need port 443 also if you want to do HTTPS.
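
Putting the pieces of this answer together, here is an added example (not from the original thread) of a complete ruleset for the setup asked about: eth0 public, eth1 private, all three policies DROP, LAN clients browsing via MASQUERADE, and a web server on the router reachable from the Internet. It assumes a constructed LAN range of 192.168.1.0/24, that connection tracking (-m state) and the multiport match are available, and that IP forwarding has been enabled in the kernel; it goes beyond the answer by also adding FORWARD rules (which routed traffic needs) and DNS for the clients. By default it only prints the commands; run it as root with IPT=iptables to apply them.

```shell
#!/bin/sh
# Added example, not the thread's own commands. Dry-run by default: prints the
# iptables calls instead of applying them. Set IPT=iptables (as root) to apply.
IPT="${IPT:-echo iptables}"
WAN_IF=eth0                 # public interface (from the question)
LAN_IF=eth1                 # private interface (from the question)
LAN_NET=192.168.1.0/24      # constructed LAN range, adjust to your network
UNPRIVPORTS=1024:65535      # unprivileged (client-side) port range

firewall_rules() {
    # Clean slate, default DROP on every chain (FORWARD included, since
    # routed packets traverse FORWARD, not INPUT/OUTPUT)
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP

    # Loopback must work for local services
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # Anti-spoofing: packets claiming a LAN source must not arrive on eth0
    $IPT -A INPUT -i $WAN_IF -s $LAN_NET -j DROP
    $IPT -A FORWARD -i $WAN_IF -s $LAN_NET -j DROP

    # Replies to connections we already track are accepted everywhere, so
    # no per-service reply rules are needed even with OUTPUT DROP
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # LAN clients browsing: new HTTP/HTTPS and DNS flows from the LAN out
    # eth0, then masqueraded behind eth0's address
    $IPT -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p tcp \
        -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p udp \
        --dport 53 -m state --state NEW -j ACCEPT
    $IPT -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE

    # Web server on the router itself, reachable from the Internet;
    # its replies are covered by the ESTABLISHED rule on OUTPUT above
    $IPT -A INPUT -i $WAN_IF -p tcp --sport $UNPRIVPORTS --dport 80 \
        -m state --state NEW -j ACCEPT
}
```

Everything not listed is dropped by policy, so add a similar FORWARD rule for each further service the LAN should reach.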

Linux
06-13-2001, 12:30 PM
I'm exploring my options. This is something you can't do with Windows. I know that it will be harder to configure my system like this, but I will try it.

ThanX