
Re: Firewall

On Sunday 19 June 2005 20:52, Hans du Plooy wrote:
> Isn't there a standard way, via a rc script or something, where Debian
> would load an iptables script from, without the need for an iptables
> frontend like shorewall?

This is what I do:

In my /etc/network/interfaces file I have a stanza on my external internet
connection side, like so:

iface eth0 inet dhcp
        pre-up /etc/firewall $IFACE

/etc/firewall is a script I have written myself using iptables.  Here is a
snippet of the beginning of it (note I ignore the $1 parameter, but I could
have used that as the first assignment).

#!/bin/sh

test -x /sbin/iptables || exit 0

#set -e

#   Start up ensuring that the tables are all empty
#   (ignoring any errors because there is nothing there yet)
    iptables -F INPUT
    iptables -F OUTPUT
    iptables -F FORWARD
    iptables -t nat -F PREROUTING
    iptables -t nat -F POSTROUTING
    iptables -t mangle -F OUTPUT
    iptables -F inet-in
    iptables -X inet-in
    iptables -F inet-fwd
    iptables -X inet-fwd
    iptables -F from-inet
    iptables -X from-inet
    iptables -F to-inet
    iptables -X to-inet

#   Route packets going out from here onto a new table so that we can do
#   things with them (logging etc)
    iptables -N to-inet
#   Just want to count a few things
    iptables -A to-inet -p tcp --dport www -j ACCEPT
    iptables -A to-inet -p tcp --dport pop3 -j ACCEPT
    iptables -A to-inet -p udp --dport domain -j ACCEPT
    iptables -A to-inet -p tcp --dport nntp -j ACCEPT
    iptables -A to-inet -p udp --dport 67:68 -j ACCEPT


Alan Chandler
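As an added example (not the original poster's /etc/firewall), here is how such a pre-up script can use the $IFACE argument that ifupdown passes as $1, create its chains without depending on them already existing, and fail closed with DROP policies before any ACCEPT rule is added; the names IPT, mkchain, fw_rules and the LAN_NET sample network are assumptions, and setting IPT=echo prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not the list poster's script. Assumes iptables is installed.
# IPT, mkchain, fw_rules and LAN_NET are hypothetical names; IPT=echo gives a dry run.
IPT="${IPT:-/sbin/iptables}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # constructed sample inner network

# Create a user chain if it is missing, then empty it (no error on re-run).
mkchain() {
    $IPT -N "$1" 2>/dev/null || true
    $IPT -F "$1"
}

fw_rules() {
    ext="$1"                      # external interface, e.g. eth0 from $IFACE
    [ -n "$ext" ] || { echo "usage: $0 <external-iface>" >&2; return 2; }

    # Fail closed: default policies are DROP, everything allowed is explicit.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -F INPUT
    $IPT -F FORWARD
    mkchain inet-in
    mkchain to-inet

    # Loopback and replies to connections we started are always fine.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Everything arriving on the external interface goes through inet-in.
    $IPT -A INPUT -i "$ext" -j inet-in
    $IPT -A inet-in -p tcp --dport ssh -m state --state NEW -j ACCEPT
    $IPT -A inet-in -p udp --sport 67 --dport 68 -j ACCEPT   # DHCP lease replies
    $IPT -A inet-in -j LOG --log-prefix "inet-in drop: "
    $IPT -A inet-in -j DROP

    # Outbound traffic from the LAN is counted per service in to-inet, as in
    # the original, but anything not listed is logged and dropped.
    $IPT -A FORWARD -i "$ext" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -o "$ext" -s "$LAN_NET" -j to-inet
    $IPT -A to-inet -p tcp --dport www -j ACCEPT
    $IPT -A to-inet -p udp --dport domain -j ACCEPT
    $IPT -A to-inet -j LOG --log-prefix "to-inet drop: "
    $IPT -A to-inet -j DROP
    $IPT -t nat -A POSTROUTING -o "$ext" -s "$LAN_NET" -j MASQUERADE
}

# ifupdown runs "pre-up /etc/firewall $IFACE", so $1 is the interface name.
[ -n "$1" ] && fw_rules "$1"
```

Run it once by hand with IPT=echo to review the rule set before wiring it into a pre-up line.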
