On Tuesday, 08.02.2005 at 20:25 -0000, Kitsonik Design wrote:

> Hi gang,
>
> I have just installed the latest version of 'Sarge'; the install went very
> smoothly, which I am pleased about. Basically this is how I want my setup to
> be.
>
> Internet <-> cablemodem <-> Debian (web/email/ftp server) <-> hub <-> Windows
>
> 1). Run a small web/email/ftp server from the Debian box
> 2). Access the Internet from my Windows box.
>
> I've been looking for a simple firewall/NAT ruleset; so far this is what I
> have found. (192.168.10.45 is the IP on eth0, 192.168.20.1 is the IP on
> eth1)
>
> iptables -F
> iptables -N FIREWALL
> iptables -F FIREWALL
> iptables -A INPUT -j FIREWALL
> iptables -A FORWARD -j FIREWALL
> iptables -A FIREWALL -p tcp -m tcp --dport 25 --syn -j ACCEPT
> iptables -A FIREWALL -p tcp -m tcp -s 192.168.20.1/24 --dport 22 --syn -j ACCEPT
> iptables -A FIREWALL -i lo -j ACCEPT
> iptables -A FIREWALL -p udp -m udp --sport 53 -j ACCEPT
> iptables -A FIREWALL -p tcp -m tcp --sport 53 -j ACCEPT
> iptables -A FIREWALL -p udp -m udp --dport 123 -j ACCEPT
> iptables -A FIREWALL -p udp -m udp --sport 6277 -j ACCEPT
> iptables -A FIREWALL -p udp -m udp --sport 24441 -j ACCEPT
> iptables -A FIREWALL -p tcp -m tcp --syn -j REJECT
> iptables -A FIREWALL -p udp -m udp -j REJECT
> iptables-save > /etc/firewall-rules
> iptables-restore < /etc/firewall-rules
>
> Can anyone tell me, if using the above ruleset, I can access the net using
> my Windows computer via the Debian box? If not, what rules do I need to add?

I will make an assumption, which you have not actually stated: the firewall
will reside on the Debian box, the same machine on which you are running web,
email and FTP.

The rest of what you include is confusing.

1. It appears your Debian box has two interfaces, eth0 and eth1. Which is
   which? i.e. which is the interface to the cable modem, and which is the
   interface to the local network?

2. Why are you using a FIREWALL table above, and sending *both* INPUT and
   FORWARD rules to it? You need to treat INPUT and FORWARD traffic
   differently.

3. What is the '--syn' parameter for? This will allow an initial connection
   but not any subsequent traffic.

4. Why are you allowing *source* UDP port 53?

5. What is the default policy for the INPUT, OUTPUT and FORWARD rulesets?

6. You have no NAT rules listed. You will need some!

I recommend reading the IP Tables HOWTO guides, which include some examples,
at http://www.netfilter.org/

Dave.

--
Dave Ewart - davee@sungate.co.uk - jabber: davee@jabber.org
All email from me is now digitally signed, key from http://www.sungate.co.uk/
Fingerprint: AEC5 9360 0A35 7F66 66E9 82E4 9E10 6769 CD28 DA92
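Added example, not part of the thread or of the netfilter HOWTO: a minimal ruleset that addresses points 2, 3, 5 and 6 above (separate INPUT and FORWARD handling, connection tracking instead of `--syn`, explicit default policies, a NAT rule). It assumes eth0 faces the cable modem and eth1 (192.168.20.1/24) faces the hub with the Windows box; the function only prints the commands so they can be reviewed before being piped into `sh` as root.

```shell
#!/bin/sh
# Emit an iptables ruleset for a two-interface Debian gateway.
# Assumptions (not stated in the thread): $1 = interface towards the
# cable modem, $2 = interface towards the LAN hub, $3 = LAN network in
# CIDR. Nothing is applied here; the output is meant to be inspected
# and then run as root.
gen_rules() {
    wan="$1"
    lan="$2"
    lannet="$3"
    cat <<EOF
# Start clean and set default policies so anything not explicitly
# accepted is dropped (point 5).
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Loopback, plus replies and follow-up packets of flows that were
# already allowed. This is what --syn on its own does not give you:
# later rules only have to match the first packet (point 3).
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# INPUT: services offered by the Debian box itself (point 2).
# SMTP, HTTP and FTP control from anywhere; SSH only from the LAN.
iptables -A INPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
iptables -A INPUT -i $lan -s $lannet -p tcp --dport 22 -m state --state NEW -j ACCEPT
# FORWARD: new connections only from the LAN out towards the modem,
# never the other way round (point 2).
iptables -A FORWARD -i $lan -o $wan -s $lannet -m state --state NEW -j ACCEPT
# NAT: rewrite the LAN source address on the way out (point 6).
iptables -t nat -A POSTROUTING -o $wan -s $lannet -j MASQUERADE
# Forwarding is off by default; the FORWARD chain is never consulted
# until this is enabled.
echo 1 > /proc/sys/net/ipv4/ip_forward
EOF
}

# Print the ruleset for the assumed layout: eth0 = modem, eth1 = LAN.
gen_rules eth0 eth1 192.168.20.0/24
```

Once the rules behave as intended, the existing `iptables-save > /etc/firewall-rules` and `iptables-restore < /etc/firewall-rules` pair from the original post still applies for persisting them across reboots.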