Re: Firewall
On Sunday 19 June 2005 20:52, Hans du Plooy wrote:
...
>
> Isn't there a standard way, via a rc script or something, where Debian
> would load an iptables script from, without the need for an iptables
> frontend like shorewall?
This is what I do.
In my /etc/network/interfaces file I have a stanza for my external internet
connection side like so:
iface eth0 inet dhcp
    pre-up /etc/firewall $IFACE
/etc/firewall is a script I have written myself using iptables. Here is a
snippet of the beginning of it (note that I ignore the $1 parameter, but I could
have used it for the first assignment).
#!/bin/sh
#
# /etc/firewall - run from /etc/network/interfaces as a pre-up hook
#
INETIF=eth0
# Named hosts on the LAN
KANGER="192.168.0.21"
POOH="192.168.0.22"
RABBIT="192.168.0.25"
# Nothing to do if iptables is not installed
test -x /sbin/iptables || exit 0
#set -e
#
# Start up ensuring that the tables are all empty
# (ignoring any errors because there is nothing there yet)
#
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -t nat -F PREROUTING
iptables -t nat -F POSTROUTING
iptables -t mangle -F OUTPUT
# Flush and then delete our own chains; on first boot they do not exist
# yet, so the resulting errors are silenced
iptables -F inet-in 2>/dev/null
iptables -X inet-in 2>/dev/null
iptables -F inet-fwd 2>/dev/null
iptables -X inet-fwd 2>/dev/null
iptables -F from-inet 2>/dev/null
iptables -X from-inet 2>/dev/null
iptables -F to-inet 2>/dev/null
iptables -X to-inet 2>/dev/null
#
# Route packets going out from here onto a new table so that we can do
# things with them (logging etc)
#
iptables -N to-inet
#
# Just want to count a few things
# (service names are looked up in /etc/services)
#
iptables -A to-inet -p tcp --dport www -j ACCEPT      # http
iptables -A to-inet -p tcp --dport pop3 -j ACCEPT     # mail pickup
iptables -A to-inet -p udp --dport domain -j ACCEPT   # dns
iptables -A to-inet -p tcp --dport nntp -j ACCEPT     # news
iptables -A to-inet -p udp --dport 67:68 -j ACCEPT    # dhcp
...
--
Alan Chandler
http://www.chandlerfamily.org.uk
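As an added example (my own, not Alan's /etc/firewall or anything else posted in this thread): a complete script along the same lines that actually uses the $IFACE argument ifupdown hands to the pre-up hook, sets the default policies to DROP before flushing so a reload never leaves the chains open for a moment, and keeps the inet-in / to-inet chain layout. The topology is assumed, not taken from the thread: one external interface, a 192.168.0.0/24 LAN NATed out behind it, and SSH to the box allowed from the LAN side only. Setting IPT=echo prints the rules instead of loading them, which is how you check it without root.

```shell
#!/bin/sh
# Added example (not from the original post): an iptables script meant to be
# called as "pre-up /etc/firewall $IFACE", taking the external interface from
# its first argument instead of hard-coding it.
# Assumed topology (not stated in the thread): one external interface, a LAN
# on 192.168.0.0/24 behind it that is NATed out, SSH from the LAN only.
# Set IPT=echo to print the rules instead of loading them.
IPT="${IPT:-iptables}"
LAN="${LAN:-192.168.0.0/24}"

# Build the complete ruleset for external interface $1.
firewall_rules() {
    inet="$1"
    [ -n "$inet" ] || { echo "usage: firewall_rules IFACE" >&2; return 1; }

    # Default-deny first, so the box is never open between the flush
    # below and the rules that follow it.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Flush all chains and delete user chains in every table; errors from
    # chains that do not exist yet (first boot) are silenced.
    for t in filter nat mangle; do
        $IPT -t "$t" -F
        $IPT -t "$t" -X
    done 2>/dev/null

    # Loopback, and anything belonging to a connection already allowed
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # New connections arriving on the external interface are judged by inet-in
    $IPT -N inet-in
    # anti-spoofing: LAN source addresses never legitimately come from the internet
    $IPT -A inet-in -s "$LAN" -j DROP
    # DHCP replies for the external address (harmless if the client uses raw sockets)
    $IPT -A inet-in -p udp --sport 67 --dport 68 -j ACCEPT
    $IPT -A inet-in -m limit --limit 5/min -j LOG --log-prefix "inet-in drop: "
    $IPT -A inet-in -j DROP
    $IPT -A INPUT -i "$inet" -j inet-in
    # SSH to this box from the LAN side only
    $IPT -A INPUT ! -i "$inet" -s "$LAN" -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # Outbound traffic from the LAN is judged (and counted) by to-inet
    $IPT -N to-inet
    $IPT -A to-inet -p tcp --dport 80 -j ACCEPT
    $IPT -A to-inet -p tcp --dport 443 -j ACCEPT
    $IPT -A to-inet -p udp --dport 53 -j ACCEPT
    $IPT -A to-inet -m limit --limit 5/min -j LOG --log-prefix "to-inet drop: "
    $IPT -A to-inet -j DROP
    $IPT -A FORWARD -s "$LAN" ! -i "$inet" -o "$inet" -m state --state NEW -j to-inet
    $IPT -t nat -A POSTROUTING -s "$LAN" -o "$inet" -j MASQUERADE
}

# Turn on routing between the interfaces (only when rules are really applied).
enable_forwarding() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

# When run with an interface argument (as the pre-up hook does), apply it.
if [ $# -gt 0 ]; then
    command -v "$IPT" >/dev/null 2>&1 || exit 0
    firewall_rules "$1" && enable_forwarding
fi
```

Two things worth knowing when wiring this up. pre-up runs before the interface has an address, so every rule matches on the interface name (-i / -o "$inet") rather than on its IP, which with dhcp is not known yet anyway. And -m state is the module of the iptables of this period; on a current system -m conntrack --ctstate NEW/ESTABLISHED,RELATED is the equivalent, with the same rule shape.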