RE: iptables q:
I am not sure about Shorewall-based iptables, but there are a few items
that any firewall must have to control the flow of traffic in or out.
(There is an excellent article in the Linux Journal, May 03 and June 03,
that goes into more depth about setting up a firewall using Firewall
Builder, a great tool.)
The steps needed to set up a firewall policy can be broken down into a
three-step process: 1) Create objects, 2) Create rule base, 3) Compile rule
base into policy and install. (Assuming that you have Netfilter/iptables
Objects - You will need to define all your objects for your internal and
external networks. Objects represent hosts, networks, address ranges,
TCP/IP services, your firewall. An object is usually defined by an IP
address and subnet mask or IP address. Define an object for your
loopback device too, i.e. 127.0.0.1, mask 255.0.0.0.
Now that you have your objects defined, you can create your rule base
and/or policies. Here are a few questions when creating rules for your
Source - where is this request coming from? Inside or outside your
network. This is very important to know and should be based on who wants
access to your firewall or network.
Destination - where or what is this request trying to get to.
Service - what service is this request trying to utilize: SMTP, POP,
Action - what will be the outcome, based on the above information and
what should the firewall do with the request: accept, reject, deny.
A Policy Example: (Note it is assumed you have your objects already
Number  Source        Destination    Service  Action  Comment
1       Internal_LAN  Your_Firewall  Any      Accept  Allow internal access to your firewall
2       Any           Your_Firewall  ssh      Accept  Allow outside ssh access to your firewall
3       Internal_LAN  Any            www      Accept  Allow internal access out
4       Any           Any            Any      Deny    Clean up rule
* Note: sometimes you may have rules that conflict with each other or
overlap; you may have to put rule 2 before rule 1.
After you have your rule base, you can compile and install it on your
firewall. If your policy does not allow it, normally it will not be
allowed; you have to turn services on for them to work.
I hope this helps.
From: Tinus Nijmeijers [mailto:firstname.lastname@example.org]
Sent: Monday, August 25, 2003 3:05 AM
Subject: iptables q:
I have this great shorewall-based iptables setup that I have screwed up
and reading it I have to admit that I have no idea really where to
(Started reading the iptables-tutorial but I'm also in a hurry here.)
Could someone divulge how I do this:
eth1: internal net
-allow anything from the internal net to the firewall
-allow port 22 from the outside to the firewall
-masquerade ONLY port 80 from internal to internet.
everything else should be closed.
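An added example, not from either post, that renders the four-rule policy in the reply as plain iptables commands for the setup asked about in the question. eth1 as the internal interface comes from the question; eth0 as the external interface and 192.168.1.0/24 as the internal subnet are assumptions, and the firewall's own outbound traffic is left open.

```shell
#!/bin/sh
# Added example, not from either post: the four-rule policy rendered as
# plain iptables commands. eth1 is the internal interface as in the
# question; EXT_IF and INT_NET are assumed/constructed values.
EXT_IF="${EXT_IF:-eth0}"             # assumption: external interface
INT_IF="${INT_IF:-eth1}"             # internal interface (from the question)
INT_NET="${INT_NET:-192.168.1.0/24}" # constructed sample internal subnet

# Print the rule set rather than applying it, so it can be reviewed
# before it is loaded (the "compile, then install" step of the reply).
gen_rules() {
  cat <<EOF
iptables -F
iptables -t nat -F
# Loopback and replies to connections the firewall already allowed.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Rule 1: Internal_LAN -> Your_Firewall, any service.
iptables -A INPUT -i $INT_IF -s $INT_NET -j ACCEPT
# Rule 2: ssh from anywhere to the firewall.
iptables -A INPUT -i $EXT_IF -p tcp --dport 22 -m state --state NEW -j ACCEPT
# Rule 3: only www (tcp/80) from the LAN out to the internet, masqueraded.
iptables -A FORWARD -i $INT_IF -o $EXT_IF -s $INT_NET -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -t nat -A POSTROUTING -o $EXT_IF -s $INT_NET -p tcp --dport 80 -j MASQUERADE
# Rule 4: the clean-up rule is the DROP policy; log what reaches it.
iptables -A INPUT -j LOG --log-prefix "FW-INPUT-DROP: "
iptables -A FORWARD -j LOG --log-prefix "FW-FWD-DROP: "
# Policies last, so an ssh session used to load this is not cut off midway.
iptables -P INPUT DROP
iptables -P FORWARD DROP
# The firewall's own outbound traffic stays open (assumption: DNS, updates).
iptables -P OUTPUT ACCEPT
EOF
}

# Self-check helper: how many generated rules mention a given port.
count_rules_for_port() {
  gen_rules | grep -c -- "--dport $1" || true
}

apply_rules() {   # run as root; rule 3 also needs net.ipv4.ip_forward=1
  gen_rules | sh -e
}

if [ "${1:-}" = apply ]; then apply_rules; else gen_rules; fi
```

Run it without arguments to review the generated rules, and with `apply` as root to load them.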