
Re: [solved] Re: iptables ruleset ...



On Thursday, 10.02.2005 at 15:14 +0100, Manfred Sampl wrote:

> On Wednesday 09 February 2005 17:12, Dave Ewart wrote:
> > On Wednesday, 09.02.2005 at 16:45 +0100, Manfred Sampl wrote:
> > > > [...]
> > > >
> > > > For every INPUT you need appropriate OUTPUT rule :)
> > > > I don't know your configuration or how exactly you are connected to the
> > > > network but for ssh you should probably have to add:
> > > >
> > > > $IPTABLES -A OUTPUT -o $EXTINT -d $EXTIP -p tcp --sport 22 -j ACCEPT
> > > > $IPTABLES -A OUTPUT -o $INTIF -p tcp --sport 22 -j ACCEPT
> >
> > [...]
> >
> > When I have INPUT rules to allow special types of traffic in, such as
> > SSH, I usually find that the best corresponding OUTPUT rules are to
> > allow ESTABLISHED and RELATED, rather than on the source ports of the
> > services one is allowing: which means that you won't need to add
> > additional OUTPUT rules if you later allow a different special service
> > in.  This is probably just a matter of taste, though.
> 
> I actually have an ESTABLISHED,RELATED rule, but that didn't help:
> 
> $IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state \
>  ESTABLISHED,RELATED -j ACCEPT

OUTPUT, not INPUT.

> Is there a gui tool that is able to set up a firewall rule set on a remote 
> computer or write a bash script? I had a quick look at knetfilter and 
> firestarter, but that isn't really what I need. Shorewall is somehow nice, 
> but wouldn't that be a step back for me?

fwbuilder is supposed to be quite good.

Dave.
-- 
Dave Ewart - davee@sungate.co.uk - jabber: davee@jabber.org
All email from me is now digitally signed, key from http://www.sungate.co.uk/
Fingerprint: AEC5 9360 0A35 7F66 66E9 82E4 9E10 6769 CD28 DA92
