also sprach David Bishop <tech@gnuconsulting.com> [2006.08.25.2233 +0100]:
> I'm not, actually. Hand-rolled iptables rules, actually. Is
> there a good 'key phrase' that I can google for, that might help
> me out?

"deny by default"?

Assuming your networks are eth0/1/2 for outside/lan/eatery, then just:

  # chain policy: the valid target is DROP (DENY was the ipchains name)
  iptables -P FORWARD DROP
  # replies and related traffic for connections already tracked
  iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A FORWARD -m state --state INVALID -j DROP
  # new TCP connections may only be opened (SYN) from the inside networks
  iptables -A FORWARD -p tcp --syn -m state --state NEW -i eth1 -o eth0 -j ACCEPT
  iptables -A FORWARD -p tcp --syn -m state --state NEW -i eth2 -o eth0 -j ACCEPT
  # any other TCP packet (not tracked, not a SYN from inside) is dropped
  iptables -A FORWARD -p tcp -j DROP
  # everything else (e.g. UDP) only from the inside networks to outside
  iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
  iptables -A FORWARD -i eth2 -o eth0 -j ACCEPT

done.

You don't need the --syn rules and the middle drop, but they're a
good idea.

-- 
Please do not send copies of list mail to me; I read the list!
 .''`.     martin f. krafft <madduck@debian.org>
: :'  :    proud Debian developer, author, administrator, and user
`. `'`     http://people.debian.org/~madduck http://debiansystem.info
  `-  Debian - when you have better things to do than fixing systems

"when elephants dance, the grass suffers."
                                                     -- die vogelpredigt
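As an added illustration (not part of the mail), here is a small Python model of that FORWARD chain, evaluated first-match the way netfilter does, to show which packets get through and what the optional --syn rules and middle drop change. Interface names and the conntrack states come from the post; the Packet fields and the strict flag are assumptions of this model.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    in_if: str          # interface the packet arrived on
    out_if: str         # interface it would be routed out of
    proto: str          # "tcp" or "udp"
    state: str          # conntrack state: NEW, ESTABLISHED, RELATED or INVALID
    syn: bool = False   # True only for a bare TCP SYN (what --syn matches)

def rule(action, *, state=None, proto=None, syn=None, in_if=None, out_if=None):
    """One FORWARD rule: every match given must hold, as in iptables."""
    def matches(p):
        return ((state is None or p.state in state)
                and (proto is None or p.proto == proto)
                and (syn is None or p.syn == syn)
                and (in_if is None or p.in_if == in_if)
                and (out_if is None or p.out_if == out_if))
    return matches, action

def build_chain(strict=True):
    """The FORWARD chain from the mail (eth0 outside, eth1 lan, eth2 eatery).
    strict=False omits the --syn rules and the middle 'tcp -j DROP'."""
    chain = [rule("ACCEPT", state={"ESTABLISHED", "RELATED"}),
             rule("DROP", state={"INVALID"})]
    if strict:
        chain += [rule("ACCEPT", proto="tcp", syn=True, state={"NEW"},
                       in_if="eth1", out_if="eth0"),
                  rule("ACCEPT", proto="tcp", syn=True, state={"NEW"},
                       in_if="eth2", out_if="eth0"),
                  # any TCP not opened by a SYN from inside
                  rule("DROP", proto="tcp")]
    chain += [rule("ACCEPT", in_if="eth1", out_if="eth0"),
              rule("ACCEPT", in_if="eth2", out_if="eth0")]
    return chain

POLICY = "DROP"  # deny by default: -P FORWARD DROP

def forward(p, chain):
    """First matching rule decides; otherwise the chain policy applies."""
    for matches, action in chain:
        if matches(p):
            return action
    return POLICY
```

Without the strict rules, a NEW TCP packet from the lan that is not a SYN (a stray ACK, for instance) falls through to the per-interface ACCEPT; with them it hits the middle drop.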