[ale] iptables firewall/nat

Calvin Harrigan charrig at earthlink.net
Tue Oct 16 15:54:04 EDT 2001


I did decide to stay with the ipchains as you suggested.  I got it set up to a 
point that I feel that it's fairly secure, but I'm open to suggestions.  I've 
included my /etc/sysconfig/ipchains file.  Please comment, add or remove as you 
guys think might be useful/required.  Thanks.

:input ACCEPT
:forward ACCEPT
:output ACCEPT
-A input -s 0/0 -d 0/0 -i lo -j ACCEPT
-A input -s 0/0 -d 0/0 -i eth0 -j ACCEPT
-A input -s 207.217.126.81 53 -d 0/0 -p udp -j ACCEPT
-A input -s 207.217.120.83 53 -d 0/0 -p udp -j ACCEPT
-A input -s 0/0 -d 0/0 :1022 -p tcp -y -j REJECT
-A input -s 0/0 -d 0/0 :1022 -p udp -j REJECT
-A input -s 0/0 -d 0/0 6000:6010 -p tcp -j REJECT 
-A input -s 0/0 -d 0/0 6000:6010 -p udp -j REJECT
-P forward DENY
-A forward -i ppp0 -j MASQ

On Tuesday 16 October 2001 02:42 pm, you wrote:
> Calvin,
> Stick with Ipchains as there are stateful modules such as ipconntrack_ftp
> for it that will give you everything in iptables without the confusion.
> You need to give ipchains the MASQ option in your forwarding policy.
> Dow
>
> Calvin Harrigan wrote:
> > Did anything ever come of that discussion a few weeks ago about a basic
> > firewalling system?  I would like to implement a firewall using iptables
> > and also add NAT capabilities to it.  Any links, ideas, and so forth.  I
> > will be implementing on RH 7.1
> > The default high security option during the install does a pretty good
> > job, but it doesn't do NAT and it uses ipchains.  I'm not sure how to add
> > nat to the ipchains implementation.  Thanks for the help.
> >
> > Calvin
> > --
> > Signature?
> > No thank you...

-- 
Signature?
No thank you...

---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
sent to listmaster at ale dot org.
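Added note, not part of the post or of ipchains itself: an ipchains file like the one above is read top to bottom, matching is stateless, the first matching rule wins, and the :chain POLICY line only applies when nothing matched. The Python below embeds that exact ruleset, parses it and walks it for a given packet, so you can check what the dial-up side actually sees before trusting the config. It assumes ppp0 is the external link and eth0 the LAN (which is what the MASQ and eth0 lines imply), models only the options the file uses (-i, -s/-d with an optional port or port range, -p, -y, -j, chain policies; no "!" negation, fragments, ICMP types or logging), and uses constructed RFC 5737 addresses for the probing host.

```python
"""Walk an ipchains-save ruleset and report what happens to a packet.
Added reading aid, not code from the post or from ipchains; it models only the
matchers the posted rules use (-i, -s/-d with optional ports, -p, -y, -j)."""
import ipaddress
import shlex
from dataclasses import dataclass

# The /etc/sysconfig/ipchains file from the post, embedded so this runs offline.
RULESET = """\
:input ACCEPT
:forward ACCEPT
:output ACCEPT
-A input -s 0/0 -d 0/0 -i lo -j ACCEPT
-A input -s 0/0 -d 0/0 -i eth0 -j ACCEPT
-A input -s 207.217.126.81 53 -d 0/0 -p udp -j ACCEPT
-A input -s 207.217.120.83 53 -d 0/0 -p udp -j ACCEPT
-A input -s 0/0 -d 0/0 :1022 -p tcp -y -j REJECT
-A input -s 0/0 -d 0/0 :1022 -p udp -j REJECT
-A input -s 0/0 -d 0/0 6000:6010 -p tcp -j REJECT
-A input -s 0/0 -d 0/0 6000:6010 -p udp -j REJECT
-P forward DENY
-A forward -i ppp0 -j MASQ
"""

def _net(tok):  # ipchains writes "any address" as 0/0, which ipaddress rejects
    return ipaddress.ip_network("0.0.0.0/0" if tok == "0/0" else tok, strict=False)

def _ports(tok):  # "53" -> (53, 53); ":1022" -> (0, 1022); "1024:" -> (1024, 65535)
    lo, sep, hi = tok.partition(":")
    return int(lo or 0), int(hi or (65535 if sep else lo))

@dataclass
class Rule:                 # one -A line; None means the option was not given
    target: str = None      # -j (a rule without -j matches but falls through)
    iface: str = None       # -i
    proto: str = None       # -p
    src: object = None      # -s network; sport is the optional port range after it
    sport: tuple = None
    dst: object = None      # -d network; dport likewise
    dport: tuple = None
    syn_only: bool = False  # -y: only TCP packets with SYN set

def parse(text):
    """Return ({chain: POLICY}, {chain: [Rule, ...]}), rules kept in file order."""
    policies, chains = {}, {}
    for line in text.splitlines():
        toks = shlex.split(line)
        if not toks:
            continue
        if toks[0].startswith(":"):       # ":input ACCEPT" sets a built-in chain's policy
            policies[toks[0][1:]] = toks[1]
        elif toks[0] == "-P":             # and a later "-P chain POLICY" overrides it
            policies[toks[1]] = toks[2]
        elif toks[0] == "-A":
            chain, rule, i = toks[1], Rule(), 2
            while i < len(toks):
                opt = toks[i]
                if opt in ("-s", "-d"):
                    net, ports, i = _net(toks[i + 1]), None, i + 2
                    if i < len(toks) and not toks[i].startswith("-"):   # "-d 0/0 :1022"
                        ports, i = _ports(toks[i]), i + 1
                    if opt == "-s":
                        rule.src, rule.sport = net, ports
                    else:
                        rule.dst, rule.dport = net, ports
                elif opt in ("-i", "-p", "-j"):
                    setattr(rule, {"-i": "iface", "-p": "proto", "-j": "target"}[opt], toks[i + 1])
                    i += 2
                elif opt == "-y":
                    rule.syn_only, i = True, i + 1
                else:
                    raise ValueError("unsupported option %s in: %s" % (opt, line))
            chains.setdefault(chain, []).append(rule)
    return policies, chains

def matches(rule, pkt):
    """pkt: dict with iface, proto, src, dst and, for tcp/udp, sport, dport, syn."""
    def in_range(rng, port):
        return rng is None or (port is not None and rng[0] <= port <= rng[1])
    return ((rule.iface is None or rule.iface == pkt["iface"])
            and (rule.proto is None or rule.proto == pkt["proto"])
            and (rule.src is None or ipaddress.ip_address(pkt["src"]) in rule.src)
            and (rule.dst is None or ipaddress.ip_address(pkt["dst"]) in rule.dst)
            and in_range(rule.sport, pkt.get("sport")) and in_range(rule.dport, pkt.get("dport"))
            and (not rule.syn_only or (pkt["proto"] == "tcp" and pkt.get("syn", False))))

def verdict(policies, chains, chain, pkt):
    """ipchains is stateless and first-match: the first matching rule with a target decides."""
    for rule in chains.get(chain, []):
        if rule.target and matches(rule, pkt):
            return rule.target
    return policies.get(chain, "ACCEPT")

def probe(text, iface, proto, dport, syn=True, src="198.51.100.7", sport=40000):
    # Input-chain verdict for one packet; the default addresses are constructed RFC 5737 ones.
    pkt = dict(iface=iface, proto=proto, src=src, sport=sport, dst="203.0.113.9", dport=dport, syn=syn)
    return verdict(*parse(text), "input", pkt)

if __name__ == "__main__":
    for desc, kw in [("SYN to tcp/22", dict(proto="tcp", dport=22)),
                     ("SYN to tcp/8080", dict(proto="tcp", dport=8080)),
                     ("udp from 207.217.126.81:53 to port 22", dict(proto="udp", dport=22, src="207.217.126.81", sport=53))]:
        print("%-40s on ppp0 -> %s" % (desc, probe(RULESET, "ppp0", **kw)))
```

What the walk shows for the posted file: on ppp0 a SYN to tcp/22 is REJECTed, but a SYN to tcp/8080 is ACCEPTed, because nothing above port 1022 except 6000:6010 is covered and the input policy is ACCEPT; a TCP packet to port 22 without SYN is ACCEPTed (that is how this stateless ruleset lets replies back in, and it also means an ACK probe reaches the stack); and UDP from either listed DNS server's port 53 is ACCEPTed to any local port, since those two lines come before the :1022 REJECT and carry no destination port. The forward chain ends up with policy DENY (the -P line overrides the earlier :forward ACCEPT) and only traffic leaving via ppp0 is masqueraded.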