Re: using apt through firewall ... (what am i missing ?...)
Thank You ! ... it worked just fine.
But I'm missing the last DROP rule; is this ok at the
end of my script?
iptables -A INPUT -j DROP
Blessings...
Carlos.
--- Tarragon Allen <tarragon@onthe.net.au> wrote:
> On Monday 18 August 2003 14:38, CaRLoS mOGUeL wrote:
> > Blessings All...
> >
> > I'm trying to set up my Home-LAN Firewall... but I
> > can't apt-get... what am I missing? I just need the
> > masquerading and ssh connection only from my LAN.
> >
> > Advices ?... opinions ?.
>
> > # Input, Forward and Output...
> > iptables -P INPUT DROP
> > iptables -P FORWARD DROP
> > iptables -P OUTPUT ACCEPT
>
> First things first, as a general rule I don't use
> DROP policy on the INPUT or OUTPUT chains, for the
> sole reason that an accidental 'iptables -F' at the
> wrong time can kill your access to the machine.
> Better to leave the policy as ACCEPT and put a DROP
> rule at the end of your rules instead.
>
> > # Input States...
> > iptables -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> Drop the "-p tcp". You want to allow other related
> protocols back in, such as icmp.
>
> > # Accepting the LoopBack...
> > iptables -A INPUT -p tcp -i lo -j ACCEPT
> >
> > # Accepting SSH from the LAN... for admin things.
> > iptables -A INPUT -p tcp --dport 22 -i $LAN_INTERFACE -j ACCEPT
>
> Looks ok.
>
> > # Forwarding States...
> > # Accepting Forwarding to Related and Established
> > # States...apt should work here, right ?.
> > iptables -A FORWARD -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> Drop the "-p tcp".
>
> > # Accepting Forwarding from the LAN...
> > iptables -A FORWARD -p tcp -s $LAN_IP_ADDRESS -j ACCEPT
>
> You should add "-m state --state NEW" to this line,
> and also drop the "-p tcp".
>
> > # Masquerading the LAN...
> > iptables -t nat -A POSTROUTING -s $LAN_IP_ADDRESS -j MASQUERADE
>
> I think you may need to specify the output
> interface, ie: '-o ppp0', otherwise netfilter won't
> know what IP address to masquerade the connection as.
>
> Hope this helps.
>
> t
> --
> GPG: http://n12turbo.com/tarragon/public.key
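Putting Tarragon's corrections together as an iptables-restore file, so the whole ruleset loads atomically instead of rule by rule (added example, not from the original thread; the interface names and the 192.168.1.0/24 network passed in are placeholders):

```shell
#!/bin/sh
# Added example: emits an iptables-restore ruleset on stdout so it can be
# reviewed first, then loaded atomically with:
#   gen_rules eth0 ppp0 192.168.1.0/24 | iptables-restore
# All three arguments are placeholders for your own setup.
gen_rules() {
    lan_if=$1      # LAN-facing interface (placeholder)
    wan_if=$2      # Internet-facing interface, e.g. ppp0 (placeholder)
    lan_net=$3     # LAN address range (placeholder)
    cat <<EOF
*filter
# ACCEPT policy on INPUT/OUTPUT so an accidental 'iptables -F' does not
# lock you out; the explicit DROP rule at the end does the blocking.
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# No '-p tcp': replies for icmp and UDP (e.g. DNS) must get back in too.
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i $lan_if -p tcp --dport 22 -m state --state NEW -j ACCEPT
# The trailing DROP asked about in the reply: it must be the last INPUT rule.
-A INPUT -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $lan_if -s $lan_net -m state --state NEW -j ACCEPT
COMMIT
*nat
# '-o' names the interface whose address is used for masquerading.
-A POSTROUTING -s $lan_net -o $wan_if -j MASQUERADE
COMMIT
EOF
}

# Sanity check before loading: the last rule appended to INPUT must be the
# catch-all DROP, otherwise an ACCEPT policy lets everything else in.
final_drop_ok() {
    gen_rules "$@" | grep '^-A INPUT' | tail -n 1 | grep -q -- '-j DROP$'
}
```

Run `gen_rules eth0 ppp0 192.168.1.0/24` to inspect the output; `iptables-restore` ignores the `#` comment lines.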