Re: iptables

From: Arthur Corliss <acorliss@nevaeh-linux.org>
Date: Fri Mar 11 2005 - 10:39:49 AKST

On Fri, 11 Mar 2005, damien hull wrote:

> I'm playing around with my iptables configuration and I've got some
> strange things going on. Either that or I don't understand what iptables
> is doing.
>
> I've got the following config and I can listen to Internet radio. I can
> also run traceroute.

Point for clarification: I assume you mean you can do this from a NAT'ed
host, or the box running iptables? If the latter, have you checked that /proc
entry to enable forwarding?

As for why eth0/lo are working, it's simple: INPUT is set to DROP as the
default policy. This isn't a rule; things still flow into the INPUT chain,
it's just what happens to any packet that doesn't match against any rule in
the chain. So, packets come in, and if they're on eth0 or lo, you're accepting
them explicitly. Anything that comes in on eth1 will be dropped *after* it's
established that it doesn't match any rules in the chain.

Now, you do need a rule for eth1 traffic that was initiated internally, and
that would be:

-A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT

Note that you will still need some helper modules for special protocols like
FTP and IRC.

If you make the changes I suggest, you should be in a very basic but working
config.

        --Arthur Corliss
          Bolverk's Lair -- http://arthur.corlissfamily.org/
          Digital Mages -- http://www.digitalmages.com/
          "Live Free or Die, the Only Way to Live" -- NH State Motto
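The reply above describes a default-DROP INPUT policy, explicit accepts for lo and the inside interface, a RELATED,ESTABLISHED accept on the outside interface, the /proc forwarding switch, and the FTP/IRC helper modules. The script below is an added example that is not from Arthur's or Damien's mail; it assumes eth0 is the LAN side, eth1 faces the Internet, and the box NATs the LAN (the FORWARD and MASQUERADE rules go a little beyond the single INPUT rule in the reply, covering the NAT'ed-host case the reply asks about). Nothing is applied unless you run it as root with the argument `apply`; without arguments it only prints the iptables-restore ruleset so it can be reviewed first. Two caveats for current kernels: `-m state --state` still works but `-m conntrack --ctstate` is the modern spelling, and since Linux 4.7 loading nf_conntrack_ftp/nf_conntrack_irc is not enough on its own, because automatic helper assignment is off by default and a `-t raw ... -j CT --helper ftp` rule (or nf_conntrack_helper=1) is needed as well.

```shell
#!/bin/sh
# Added example, not code from the original thread.  Interface roles below
# are assumptions: eth0 = LAN, eth1 = Internet-facing.
LAN_IF=eth0
WAN_IF=eth1

# Emit the ruleset in iptables-restore format.  The ":INPUT DROP" policy
# line is what drops an unmatched eth1 packet *after* every rule in the
# chain has been tried; it is a chain policy, not a rule.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Trust the loopback and LAN interfaces unconditionally.
-A INPUT -i lo -j ACCEPT
-A INPUT -i $LAN_IF -j ACCEPT
# Replies to connections this box started (Internet radio streams, the
# ICMP errors traceroute relies on) arrive on $WAN_IF as ESTABLISHED/RELATED.
-A INPUT -i $WAN_IF -m state --state RELATED,ESTABLISHED -j ACCEPT
# Let LAN hosts out and their replies back in; everything else is dropped
# by the FORWARD policy.
-A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Hide LAN hosts behind the address of $WAN_IF.
-A POSTROUTING -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}

# Count the rules in a chain that match a given input interface, e.g.
# "count_rules INPUT eth1".  Used to sanity-check the generated ruleset.
count_rules() {
    gen_rules | grep -c -- "^-A $1 .*-i $2 "
}

# Apply the ruleset: conntrack helpers, the forwarding sysctl, then
# iptables-restore.  nf_conntrack_* are the current module names; 2.6-era
# kernels used ip_conntrack_ftp / ip_conntrack_irc, tried as a fallback.
apply_rules() {
    modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp
    modprobe nf_conntrack_irc 2>/dev/null || modprobe ip_conntrack_irc
    echo 1 > /proc/sys/net/ipv4/ip_forward
    gen_rules | iptables-restore
}

case "$1" in
    apply) apply_rules ;;
    *)     gen_rules ;;
esac
```

Run it with no arguments to see the ruleset, then `sh firewall.sh apply` as root to load it atomically. Because `:INPUT DROP` is a policy rather than a rule, `iptables -L INPUT -v` will show the dropped eth1 packets counted against the policy line at the top, not against any `-A` rule.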
Received on Fri Mar 11 10:39:54 2005
