Re: iptables+dialup
On Sat, Jan 11, 2003 at 02:46:17PM -0500, Fraser Campbell wrote:
> On January 11, 2003 12:29 pm, the fabulous Debian User wrote:
>
> > Can someone point me to some docs for where to put the iptables firewall
> > scripts for a dialup accnt. I am running testing/unstable w/2.4.18-686.
> > This has to be activated(iptables) with each new dialup? Or does
> > iptables refresh the ip? Sorry for all the ?'s but am new to iptables.
>
> I believe that the simplest way is to just put a script in the
> /etc/ppp/ip-up.d/ directory. Here's a script that I've used in a few places:
>
> #!/bin/sh
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT ACCEPT
> iptables -A INPUT -i ppp0 -p tcp -m tcp --dport 22 -j ACCEPT
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
> iptables -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
> iptables -A INPUT -p icmp -m icmp --icmp-type 4 -j ACCEPT
> iptables -A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
> iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
> iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A INPUT -j LOG
>
> This is designed for a client that is directly connected to the Internet but
> is not doing any masquerading for other clients, simply a standalone machine.
> It allows incoming ssh so that I can do remote admin. I'd appreciate
> comments on the above ruleset since I'm deploying it on all my family members
> as I convert them to Linux ;-)
>
> Fraser
>
I thought that it might go in there but I wanted to make sure that was
the correct way. Plus I am doing ipmasq for internal network. I have a
script that I am using. It works for me so far. Thanks for yours
though. I plan on putting the firewall on a p133 that is going to be
gateway+firewall+dialout. Just haven't had the time yet.
Would I need something like diald on the p133 to accept dialout or is
there another way?
Thanks again
--
****From the Desktop of a Debianized Mutt.
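
Added example (not part of the original messages): the quoted script uses `iptables -A` with no flush, so every redial that runs it from /etc/ppp/ip-up.d/ appends another copy of each rule. The variant below loads the same standalone-host ruleset through `iptables-restore`, which replaces the filter table in one step. It assumes Debian's ip-up hook exports `PPP_IFACE`, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: idempotent variant of the quoted ruleset for /etc/ppp/ip-up.d/.
# Assumption: /etc/ppp/ip-up exports PPP_IFACE before running the ip-up.d scripts.
# build_ruleset, valid_iface and apply_ruleset are hypothetical names.

# Print the filter table in iptables-restore format for interface $1.
build_ruleset() {
    iface=$1
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i $iface -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
EOF
    # Same ICMP types, in the same order, as the quoted script.
    for t in 12 11 4 3 8; do
        echo "-A INPUT -p icmp -m icmp --icmp-type $t -j ACCEPT"
    done
    cat <<EOF
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j LOG
COMMIT
EOF
}

# Accept only plain pppN names so the environment cannot inject rule text.
valid_iface() {
    case $1 in
        ppp[0-9]|ppp[0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Load the ruleset; without --noflush, iptables-restore replaces the filter
# table's existing rules, so running this on every dialup leaves one copy.
apply_ruleset() {
    valid_iface "$1" || { echo "unexpected interface: $1" >&2; return 1; }
    build_ruleset "$1" | iptables-restore
}

# Apply only when called from pppd's ip-up hook, which provides the interface.
if [ -n "${PPP_IFACE:-}" ]; then
    apply_ruleset "$PPP_IFACE"
fi
```

No rule matches on the dialup IP address, only on the interface name and connection state, so a new address on each connection needs no rule change.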