
Re: iptables and networking



On Wed, 2013-06-19 at 20:07 +0200, Pol Hallen wrote:
> Hey all :-)
> 
> take again iptables, I need to configure another server.
> 
> On my server I've:
> 
> eth0    Link encap:Ethernet  HWaddr 00:55:d0:c4:f8:1b
>           inet addr:192.168.1.100  Bcast:192.168.1.255  Mask:255.255.255.0
> 
> route -n
> 
> 192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 office
> 0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 dsl
> 
> [...]
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> 
> iptables -A FORWARD -s 192.168.1.0/24 -d 0/0 -j ACCEPT
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -d 192.168.1.0/24 -j ACCEPT
> [...]
> 
> On new server
> 
> eth0      Link encap:Ethernet  HWaddr 00:21:5e:46:7b:10
>           inet addr:95.110.207.165  Bcast:95.110.207.255  Mask:255.255.248.0
> 
> route -n
> 
> 0.0.0.0         95.110.200.1    0.0.0.0         UG    0      0        0 eth0
> 95.110.200.0    0.0.0.0         255.255.248.0   U     0      0        0 eth0
> 
> is it correct to do:
> 
> [...]
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> 
> iptables -A FORWARD -s 95.110.207.0/21 -d 0/0 -j ACCEPT
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -d 95.110.207.0/21 -j ACCEPT
> [...]

For the FORWARD chain, see below.
If you only have these 2 rules, your server will be able to connect to
other machines and the internet, but it will not accept new connections.
If your server needs to be accessed by others (webserver, running SSH,
printing server, etc.) you need to define additional rules to allow that
incoming traffic.

In the above I am assuming a default policy of 'drop' on at least the
INPUT chain. The command (as root, no quotes) "iptables -L -vn" will
print all currently active rules and the default policy (what should
happen if no rule is matched). If the default policy is 'ACCEPT', those 2
rules by themselves have no effect.

Also, be careful not to lock yourself out of the machine if configuring
iptables using SSH.

> 
> Second question: the FORWARD chain is useful only with another PC on the
> same LAN. If this server is only a file server (i.e.) I can comment
> out the FORWARD chain. Or not?

Correct, the FORWARD chain is only used for traffic that is being
forwarded by that machine (if it is acting as a router, for example).
A machine with only 1 network interface (not counting the loopback
interface(s), but counting real interfaces, VPN and similar) does not
need rules in the FORWARD chain.

> 
> thanks for help!
> 
> Pol
> 
> 

Regards,
Steven
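As an added illustration of the two points in the reply above (this is not code from the thread, and it is not iptables itself), here is a small Python model of how an INPUT chain evaluates a packet: first matching rule wins, otherwise the default policy applies. The rule order, the conntrack state match and the policy are assumed to behave as in iptables; the packets and chain contents are constructed.

```python
# Toy model of iptables filter-chain matching (constructed illustration, not
# real iptables): a rule matches only on the fields it specifies; the first
# matching rule's target wins, otherwise the chain's default policy applies.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Rule:
    target: str                      # ACCEPT or DROP
    states: frozenset = frozenset()  # empty = any conntrack state (-m state)
    proto: Optional[str] = None      # -p
    dport: Optional[int] = None      # --dport

    def matches(self, pkt: dict) -> bool:
        return ((not self.states or pkt["state"] in self.states)
                and (self.proto is None or pkt["proto"] == self.proto)
                and (self.dport is None or pkt["dport"] == self.dport))

@dataclass
class Chain:
    policy: str                      # verdict when no rule matches (-P)
    rules: list = field(default_factory=list)

    def verdict(self, pkt: dict) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.target
        return self.policy

def build_input_chain(policy: str, allow_ssh: bool) -> Chain:
    """INPUT chain as posted in the thread (ESTABLISHED,RELATED -> ACCEPT),
    optionally followed by an explicit rule admitting NEW SSH connections."""
    chain = Chain(policy, [Rule("ACCEPT", frozenset({"ESTABLISHED", "RELATED"}))])
    if allow_ssh:
        chain.rules.append(Rule("ACCEPT", frozenset({"NEW"}), "tcp", 22))
    return chain

# Constructed packets: an inbound SSH SYN (conntrack state NEW) and a reply
# to a connection the server itself opened (state ESTABLISHED).
SSH_SYN = {"state": "NEW", "proto": "tcp", "dport": 22}
REPLY_TO_OUTBOUND = {"state": "ESTABLISHED", "proto": "tcp", "dport": 43210}

def demo() -> dict:
    return {
        "drop_policy_no_ssh_rule": build_input_chain("DROP", False).verdict(SSH_SYN),
        "drop_policy_with_ssh_rule": build_input_chain("DROP", True).verdict(SSH_SYN),
        "drop_policy_reply_traffic": build_input_chain("DROP", False).verdict(REPLY_TO_OUTBOUND),
        "accept_policy_no_ssh_rule": build_input_chain("ACCEPT", False).verdict(SSH_SYN),
    }
```

With policy DROP and only the ESTABLISHED,RELATED rule, the inbound SSH SYN is dropped while replies to the server's own connections pass; with policy ACCEPT the same rule changes nothing.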
