
Re: How to work with my iptables script



ip_forward=yes
means
echo 1 > /proc/sys/net/ipv4/ip_forward

When a packet arrives it's determined if its destination is the
localhost.  When that fails ip_forward is used to see if the pkt should
be forwarded.  ip_forward is only read/looked at, at this time when
non-local pkts arrive.  All other times, like when you run iptables, its
value is ignored and not used.

What you need to decide is if you want to forward non-local pkts.  Put
your answer in network/options and leave proc/s/n/i/ip_forward alone.

--- Jacob Friis Larsen <jfl@list.idg.dk> wrote:

> >   Also dose "/etc/init.d/iptables save" reflect the proc->ip_forward
> > setting?  Change /etc/network/options, that is where I set this.
> 
> What do you mean by this?
> 
> # cat /etc/network/options
> ip_forward=no
> spoofprotect=yes
> syncookies=no
> 
> 
> My new script:
> 
> # cat myiptables
> #!/bin/sh
> 
> # Disable forwarding
> echo 0 > /proc/sys/net/ipv4/ip_forward
> 
> # load some modules (if needed)
> #modprobe ip_nat_ftp
> modprobe ip_conntrack_ftp
> 
> # Default rules
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT ACCEPT
> 
> # Flush
> iptables -t nat -F POSTROUTING
> iptables -t nat -F PREROUTING
> iptables -t nat -F OUTPUT
> iptables -F
> 
> # Localhost
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A OUTPUT -o lo -j ACCEPT
> 
> # Open ports on router for server/services
> iptables -A INPUT -s 1.2.3.4 -j ACCEPT -p tcp --dport 20
> iptables -A INPUT -s 1.2.3.4 -j ACCEPT -p tcp --dport 21
> iptables -A INPUT -j ACCEPT -p tcp --dport 22
> iptables -A INPUT -j ACCEPT -p tcp --dport 25
> iptables -A INPUT -j ACCEPT -p tcp --dport 80
> iptables -A INPUT -j ACCEPT -p tcp --dport 143
> #iptables -A INPUT -j ACCEPT -p tcp --dport 443
> iptables -A INPUT -j ACCEPT -p tcp --dport 993
> 
> # STATE RELATED for router
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> 
> # Enable forwarding
> #echo 1 > /proc/sys/net/ipv4/ip_forward
> 



		
_______________________________
Do you Yahoo!?
Win 1 of 4,000 free domain names from Yahoo! Enter now.
http://promotions.yahoo.com/goldrush
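The reply above makes one point: the forwarding decision lives in the kernel's ip_forward flag, which should be driven from the ip_forward= line in /etc/network/options rather than by echo lines in a firewall script. The script quoted in the thread does both, which is how the two can drift apart. The following is an added example, not code from either poster: a small POSIX sh audit that reads the desired value from an options-style file, reads the kernel's current value from a proc-style file, and reports a mismatch. The file paths are parameters, and the files used below are constructed samples, so the check runs without touching the real /proc or /etc.

```shell
#!/bin/sh
# Added example (not from the original thread): audit whether the kernel's
# ip_forward flag agrees with the ip_forward= line in /etc/network/options.
# Both paths are parameters so the functions can be exercised on sample files.

# Print 1 if the options file asks for forwarding, 0 otherwise.
# A missing or unreadable file, or no ip_forward line, counts as "no",
# which matches the conservative default the thread recommends.
desired_forward() {
    opts="$1"
    [ -r "$opts" ] || { echo 0; return 0; }
    # take the value after "ip_forward=", last occurrence wins
    val=$(sed -n 's/^[[:space:]]*ip_forward[[:space:]]*=[[:space:]]*//p' "$opts" | tail -n 1)
    case "$val" in
        [Yy][Ee][Ss]|[Yy]|1|[Tt][Rr][Uu][Ee]) echo 1 ;;
        *) echo 0 ;;
    esac
}

# Print the kernel's current flag read from the given proc path
# (normally /proc/sys/net/ipv4/ip_forward). Anything but a leading "1" is 0.
current_forward() {
    proc="$1"
    v=""
    [ -r "$proc" ] && v=$(head -c 1 "$proc")
    case "$v" in
        1) echo 1 ;;
        *) echo 0 ;;
    esac
}

# Compare the two; return 0 when they agree, 1 on mismatch.
# Usage: check_forward /etc/network/options /proc/sys/net/ipv4/ip_forward
check_forward() {
    want=$(desired_forward "$1")
    have=$(current_forward "$2")
    if [ "$want" = "$have" ]; then
        echo "ip_forward consistent: options=$want kernel=$have"
        return 0
    fi
    echo "MISMATCH: options file wants ip_forward=$want but kernel has $have" >&2
    return 1
}

# Constructed sample files standing in for /etc/network/options and /proc.
# The "kernel" file holds 1, as if a firewall script had echoed 1 into it
# while the options file still says no, the drift the reply warns about.
tmp=$(mktemp -d)
printf 'ip_forward=no\nspoofprotect=yes\nsyncookies=no\n' > "$tmp/options"
printf 'ip_forward=yes\n' > "$tmp/options_yes"
printf 'spoofprotect=yes\n' > "$tmp/options_none"
printf '1\n' > "$tmp/ip_forward_kernel"

# Demonstration run; the mismatch case is expected to fail here.
check_forward "$tmp/options" "$tmp/ip_forward_kernel" || true
check_forward "$tmp/options_yes" "$tmp/ip_forward_kernel" || true
```

On a real host the two arguments would be /etc/network/options and /proc/sys/net/ipv4/ip_forward, and a non-zero exit is the signal that some script is overriding the setting the options file declares.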


