Re: ipchains for the firewall challenged
On 07/26/01 20:20:05 -0700, Vineet Kumar wrote:
> I notice you've already applied another solution, but I hope I can
> provide some direction should you (or anyone else) decide they'd like
> to do it yourself:
>
> I have found that the most useful thing in setting up ipchains or
> iptables is to see and understand the diagrams representing packet
> flow in the kernel code. Maybe that's not for everyone, and I'm more
> of a visual learner (or something). Anyway, for ipchains, it looks
> like this:
<<< Diagram snipped >>>
> It's a little burly for your purposes. All you're talking about is a
> packet filter, with no forwarding (and hence no masquerading, etc.) So
> let's take out what's unimportant and reduce it to this:
Yeah, I had read through the IPChains HOWTO, and I think I got some of
the fundamentals down. I tend to learn by example, so as a newbie, I
had some trouble applying what was going on with the real-world
example given in the HOWTO to my own needs.
>         ----------------------------------------------------------------
>         |            ACCEPT/                              lo interface |
>         v           REDIRECT                                           |
> --> C --> S --> ______ --> --> ~~~~~~~~                    _______ -->
>     h     a    |input |        {Routing }                 |output |ACCEPT
>     e     n    |Chain |        {Decision} --------------->|Chain  |
>     c     i    |______|         ~~~~~~~~     |            |_______|
>     k     t       |                |         |                |
>     s     y       |                |         |                |
>     u     |       v                v         |                v
>     m     |     DENY/        Local Process   |              DENY/
>     |     v    REJECT              |         |             REJECT
>     |   DENY                       -----------
>     v
>    DENY
>
> That's a bit more manageable, no? All you need to worry about are the
> input and output chains. I'm going to recommend a very simple ruleset
> for you; no need to mess around with all kinds of user-defined chains.
> You might want (after reading some more and getting the hang of what's
> going on here) to add some logging capabilities to the setup, but for
> now, let's just roll a simple script:
Ah, yes. That was one of the problems I had. The example revolved
around forwarding packets, which then quickly got out of hand for me
when trying to figure out what I needed to do. I think I understood
most of what was being discussed, and when I do get around to setting
up a gateway machine for my home network (coming soon), I'll draw from
it. I think I'll go back and re-read it and focus on what each part was
trying to accomplish.
> (I've been (happily) immersed in the iptables world and haven't used
> ipchains in a while (and don't have a machine to test it on, either),
> so if it has a couple of syntactical glitches in it, please bear with
> me.)
No problem, just a great big "thank you" for taking the time to
explain this to me and others.
<<< firewall script snipped >>>
Thanks again, I've already added your message to my Saved folder!
--
Mark Wagnon <mwagnon1@home.com>
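The script Vineet posted was snipped from this reply, so here is a stand-in: an added example of the kind of input/output-chain-only ruleset he describes for a host that does no forwarding. It is not the script from the original message. It assumes a single external interface (eth0), that the host should accept new TCP connections only on ports 22 and 80, and a resolver at 192.0.2.53 for DNS replies; all three are placeholders and can be overridden through the environment. Rules are generated as plain argument lists so they can be printed and inspected before anything touches the kernel.

```shell
#!/bin/sh
# Minimal ipchains ruleset for a standalone host: input and output chains only,
# no forwarding, no masquerading. Added example, not the script from the thread.
# Assumed defaults (override via environment): external interface eth0,
# open TCP ports 22 and 80, DNS resolver 192.0.2.53.

IPCHAINS=${IPCHAINS:-/sbin/ipchains}
EXT_IF=${EXT_IF:-eth0}
OPEN_TCP_PORTS=${OPEN_TCP_PORTS:-"22 80"}
DNS_SERVER=${DNS_SERVER:-192.0.2.53}

# One line per ipchains invocation. Order matters: ipchains takes the first
# matching rule, so specific ACCEPTs must come before the catch-all DENYs.
emit_rules() {
    # Start clean: flush both chains, deny inbound by default, allow outbound.
    echo "-F input"
    echo "-F output"
    echo "-P input DENY"
    echo "-P output ACCEPT"

    # Loopback traffic between local processes is always fine.
    echo "-A input -i lo -j ACCEPT"

    # Anti-spoofing: a loopback source address must never arrive on the wire.
    echo "-A input -i $EXT_IF -s 127.0.0.0/8 -j DENY -l"

    # New inbound TCP connections (SYN set, ACK clear: ipchains flag -y) are
    # accepted only on the listed ports; any other connection attempt is
    # dropped and logged (-l). 0/0 is ipchains shorthand for any address.
    for port in $OPEN_TCP_PORTS; do
        echo "-A input -i $EXT_IF -p tcp -y -d 0/0 $port -j ACCEPT"
    done
    echo "-A input -i $EXT_IF -p tcp -y -j DENY -l"

    # ipchains is stateless: non-SYN TCP segments are assumed to belong to
    # connections this host opened itself (or accepted above).
    echo "-A input -i $EXT_IF -p tcp ! -y -j ACCEPT"

    # UDP: only DNS replies from the configured resolver. Add more UDP
    # services (NTP, etc.) here if the host needs them.
    echo "-A input -i $EXT_IF -p udp -s $DNS_SERVER 53 -j ACCEPT"

    # ICMP needed for working networking: echo-reply (0), destination
    # unreachable (3, carries path-MTU), time exceeded (11, traceroute).
    # For -p icmp the ICMP type is given where a source port would go.
    echo "-A input -i $EXT_IF -p icmp -s 0/0 0 -j ACCEPT"
    echo "-A input -i $EXT_IF -p icmp -s 0/0 3 -j ACCEPT"
    echo "-A input -i $EXT_IF -p icmp -s 0/0 11 -j ACCEPT"

    # Same effect as the DENY policy, but logged so you can see what is hit.
    echo "-A input -i $EXT_IF -j DENY -l"
}

# Number of ipchains invocations the ruleset produces.
rule_count() {
    emit_rules | wc -l | tr -d ' '
}

# Print the commands without running them (dry run).
show_rules() {
    emit_rules | sed 's/^/ipchains /'
}

# Load the rules into the kernel. Word splitting of $args is intentional:
# each line is an argument list, and "! -y" must become two arguments.
load_rules() {
    emit_rules | while read -r args; do
        # shellcheck disable=SC2086
        "$IPCHAINS" $args
    done
}

case "${1:-show}" in
    load) load_rules ;;
    show) show_rules ;;
    *)    echo "usage: $0 {show|load}" >&2; exit 2 ;;
esac
```

Run it with no arguments first and read the output, then `./rules.sh load` as root, and check the result with `ipchains -L input -n -v`, whose packet counters show which rule each incoming packet hit. Two caveats worth keeping in mind: because ipchains has no connection tracking, the `! -y` rule accepts any TCP segment that is not a bare SYN, so it relies on the TCP stack to discard stray ACKs and does not stop an ACK scan from reaching the stack; and on any kernel newer than the 2.2 series this is historical syntax, and the same ruleset would be written with iptables (or nftables) stateful matches instead.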