also sprach David Bishop <tech@gnuconsulting.com> [2006.08.25.2233 +0100]:
> I'm not, actually. Hand-rolled iptables rules, actually. Is
> there a good 'key phrase' that I can google for, that might help
> me out?
"deny by default"?
Assuming your networks are eth0/1/2 for outside/lan/eatery, then
just:
# default policy: drop everything that no later rule explicitly accepts
# (iptables has no DENY target; that was ipchains)
iptables -P FORWARD DROP
# replies and related traffic of connections already accepted
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state INVALID -j DROP
# new TCP connections must start with a SYN and may only go inside -> outside
iptables -A FORWARD -p tcp --syn -m state --state NEW -i eth1 -o eth0 -j ACCEPT
iptables -A FORWARD -p tcp --syn -m state --state NEW -i eth2 -o eth0 -j ACCEPT
# any other TCP (non-SYN packets not belonging to a known connection)
iptables -A FORWARD -p tcp -j DROP
# everything else (UDP, ICMP, ...) from the inside networks to the outside
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth2 -o eth0 -j ACCEPT
done. You don't need the --syn rules and the middle drop, but
they're a good idea.
--
Please do not send copies of list mail to me; I read the list!
.''`. martin f. krafft <madduck@debian.org>
: :' : proud Debian developer, author, administrator, and user
`. `'` http://people.debian.org/~madduck http://debiansystem.info
`- Debian - when you have better things to do than fixing systems
"when elephants dance, the grass suffers."
-- die vogelpredigt (the bird sermon)
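The ruleset from the mail as a loadable script, added here as an example and not part of the original message. It assumes the same interface roles (eth0 outside, eth1 lan, eth2 eatery; the OUTSIDE/LAN/EATERY variable names are this example's own), uses the newer conntrack match in place of the state match, and sets the variable IPT (also this example's own) so that the rules can be printed with IPT=echo instead of being loaded. NAT for the inside networks is not part of the mail and is not shown here. The security point it keeps is that nothing accepts eth1<->eth2 traffic, so the eatery network cannot reach the LAN, and nothing accepts new connections from eth0, so the outside cannot open connections inward.

```shell
#!/bin/sh
# Deny-by-default FORWARD chain for a three-interface router.
# Added example; interface names and variable names are assumptions.
#   ./forward-rules.sh apply     load the rules with iptables (needs root)
#   ./forward-rules.sh dry-run   print the rules that would be loaded
OUTSIDE=${OUTSIDE:-eth0}   # internet-facing interface
LAN=${LAN:-eth1}           # trusted LAN
EATERY=${EATERY:-eth2}     # guest network (the "eatery")
IPT=${IPT:-iptables}       # set IPT=echo to print instead of load

forward_rules() {
    # Default policy DROP: anything no rule below accepts is discarded.
    # (iptables has no DENY target; that was ipchains.)
    $IPT -P FORWARD DROP
    $IPT -F FORWARD

    # Replies and related traffic of connections already accepted.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Packets the connection tracker cannot associate with anything.
    $IPT -A FORWARD -m conntrack --ctstate INVALID -j DROP

    # New TCP connections must start with a SYN and only go inside -> outside.
    for inside in "$LAN" "$EATERY"; do
        $IPT -A FORWARD -p tcp --syn -m conntrack --ctstate NEW \
            -i "$inside" -o "$OUTSIDE" -j ACCEPT
    done
    # Any other TCP (non-SYN packets that belong to no known connection).
    $IPT -A FORWARD -p tcp -j DROP

    # Everything else (UDP, ICMP, ...) from the inside networks to the outside.
    # Note there is deliberately no rule for LAN <-> EATERY or OUTSIDE -> inside;
    # the DROP policy covers those.
    for inside in "$LAN" "$EATERY"; do
        $IPT -A FORWARD -i "$inside" -o "$OUTSIDE" -j ACCEPT
    done
}

# Print the rules instead of loading them (runs in a subshell so IPT is
# only overridden for this call).
dry_run() {
    ( IPT=echo; forward_rules )
}

# Number of -A FORWARD rules the script would append.
rule_count() {
    dry_run | grep -c -- '-A FORWARD'
}

case "${1:-}" in
    apply)   forward_rules ;;
    dry-run) dry_run ;;
esac
```

Run it with dry-run first and read the output top to bottom: rule order matters in iptables, so the ESTABLISHED,RELATED accept must come before the TCP drop, and the generic inside -> outside accepts must come after it, otherwise non-SYN TCP from the inside would slip through the generic rules.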