Simple and easy does the trick when working with such scripts. It's the result of an iptables-save:
# Generated by iptables-save v1.2.5 on Mon Apr 8 18:10:23 2002
*filter
#
# DEFAULT POLICIES
#
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
#
# INPUT and OUTPUT chains are only used when packets are going to be treated by your machine
# (i.e. does not apply to forwarded packets)
#
# The following line makes the conntrack module load.
#
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Only SSH connections from management machines are allowed in; you may want to replace ssh
# by any service running on your machine, and $internal_mgt by the machines you allow to
# speak to those services (substitute real addresses for $internal_mgt and $lanbcst:
# iptables-restore does not expand shell variables)
#
-A INPUT -s $internal_mgt -p tcp -m tcp --dport 22 -j ACCEPT
#
# Note: there is nothing against spoofing or so in here... not such a good idea.
#
# Some silent drops (there are plenty of broadcast/multicast packets which would fill the
# logs if left to themselves...)
#
-A INPUT -d 255.255.255.255 -j DROP
-A INPUT -d $lanbcst -j DROP
-A INPUT -d 224.0.0.0/3 -j DROP
# and let's log the rest
-A INPUT -s 0.0.0.0/0 -d 0.0.0.0/0 -j LOG
# nothing going out except established connections
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT

-----Original Message-----
From: Marcin Bednarz [SMTP:[EMAIL PROTECTED]]
Sent: Sunday 14 April 2002 09:15
To: Lars Roland Kristiansen
Cc:
Subject: Re: Iptables config

Hello.
I wrote:
>
> # change of policy to drop
> iptables -t nat -P PREROUTING DROP
> iptables -t nat -P POSTROUTING DROP
>
> # add ssh server (allow incoming)
> iptables -t nat -A PREROUTING -d $yourPublicIP -p tcp --destination-port 22 -j ACCEPT
>
> # add pop3 and imap
> iptables -t nat -A PREROUTING -d $yourPublicIP -p tcp --destination-port 110 -j ACCEPT
> iptables -t nat -A PREROUTING -d $yourPublicIP -p tcp --destination-port 143 -j ACCEPT
>
> iptables -t nat -A PREROUTING -d $yourPublicIP -p udp --destination-port 110 -j ACCEPT
> iptables -t nat -A PREROUTING -d $yourPublicIP -p udp --destination-port 143 -j ACCEPT
>
> iptables -t nat -A POSTROUTING -s $yourPublicIP -j ACCEPT
>
> # do you want to allow pinging your machine? (I don't know if postfix requires it)
> iptables -t nat -A PREROUTING -d $yourPublicIP -p icmp -j ACCEPT
> iptables -t nat -A POSTROUTING -s $yourPublicIP -p icmp -j ACCEPT

and ...

# SMTP
iptables -t nat -A PREROUTING -d $yourPublicIP -p tcp --destination-port 25 -j ACCEPT

Why is it not correct? Why do you use the filter table, not nat? I am a beginner, so please help me if I don't understand anything.

Jakub S.

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
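The question running through the thread is why ACCEPT and DROP rules placed in the nat table do not filter anything, and the reply's iptables-save dump shows what a filter-table ruleset looks like (with the reply's own caveat that it does nothing against spoofing). As an added example that is not code from any message in this thread, the script below parses iptables-save format and audits a dump for exactly those points: policies or ACCEPT/DROP rules in the nat table (which only sees the first packet of each connection), filter-chain default policies that are not DROP, a missing ESTABLISHED,RELATED rule, and INPUT rules that trust a source address without binding it to an interface. The two sample rulesets, the addresses 203.0.113.10 and 192.168.10.0/24 and the interface names eth0/eth1 are constructed for the example.

```python
"""Audit an iptables-save dump for the mistakes discussed in this thread.
Example code written for this page, not from the original messages."""
import shlex
from dataclasses import dataclass, field

FILTER_TARGETS = {"ACCEPT", "DROP", "REJECT"}
CONNTRACK_MATCHES = {"state", "conntrack"}


@dataclass
class Table:
    name: str
    policies: dict = field(default_factory=dict)  # chain -> default policy
    rules: list = field(default_factory=list)     # (chain, argv after the chain name)


def parse_save(text):
    """Parse iptables-save output: '*table', ':CHAIN POLICY [pkts:bytes]',
    '-A CHAIN ...' and 'COMMIT'. Comments and blank lines are skipped."""
    tables, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            cur = tables.setdefault(line[1:], Table(line[1:]))
            continue
        if cur is None:
            raise ValueError(f"line outside a *table block: {raw!r}")
        if line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            cur.policies[chain] = policy
        elif line.startswith("-A "):
            _, chain, *argv = shlex.split(line)  # keeps a quoted --log-prefix intact
            cur.rules.append((chain, argv))
        elif line == "COMMIT":
            cur = None
        else:
            raise ValueError(f"unrecognised iptables-save line: {raw!r}")
    return tables


def opts(argv, flag):
    """All values following `flag` in argv (a rule may repeat -m)."""
    return [argv[i + 1] for i, a in enumerate(argv) if a == flag and i + 1 < len(argv)]


def audit(tables):
    """Return human-readable findings; an empty list means clean."""
    findings = []
    # The nat table is consulted only for the first packet of a connection,
    # so neither its policies nor ACCEPT/DROP rules in it filter traffic.
    nat = tables.get("nat")
    if nat:
        for chain, policy in nat.policies.items():
            if policy not in ("ACCEPT", "-"):
                findings.append(f"nat/{chain}: default policy {policy}; filtering belongs in the filter table")
        for chain, argv in nat.rules:
            if (opts(argv, "-j") or [None])[0] in FILTER_TARGETS:
                findings.append(f"nat/{chain}: '{' '.join(argv)}' filters in nat; move it to filter/INPUT or filter/OUTPUT")
    flt = tables.get("filter")
    if flt is None:
        return findings + ["filter table absent: nothing is filtered"]
    for chain in ("INPUT", "FORWARD", "OUTPUT"):
        if flt.policies.get(chain) != "DROP":
            findings.append(f"filter/{chain}: default policy {flt.policies.get(chain, 'unset')}, expected DROP")
    # With DROP policies, replies to permitted connections need a conntrack rule.
    for chain in ("INPUT", "OUTPUT"):
        stateful = any(c == chain and CONNTRACK_MATCHES & set(opts(argv, "-m"))
                       and "ESTABLISHED" in ",".join(opts(argv, "--state") + opts(argv, "--ctstate"))
                       for c, argv in flt.rules)
        if not stateful:
            findings.append(f"filter/{chain}: no ESTABLISHED,RELATED rule; replies will be dropped")
    # Trusting a source address alone is defeated by spoofing: bind the rule to
    # the interface that network really arrives on (-i) and drop it elsewhere.
    for chain, argv in flt.rules:
        if chain == "INPUT" and "-s" in argv and "-i" not in argv and opts(argv, "-j") == ["ACCEPT"]:
            findings.append(f"filter/INPUT: '{' '.join(argv)}' accepts by source without -i; spoofable")
    return findings


# Constructed sample: the nat-table approach from the question, as iptables-save
# would dump it (203.0.113.10 is a documentation address, assumed here).
NAT_FILTERING = """\
*nat
:PREROUTING DROP [0:0]
:POSTROUTING DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d 203.0.113.10/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A PREROUTING -d 203.0.113.10/32 -p tcp -m tcp --dport 25 -j ACCEPT
-A PREROUTING -d 203.0.113.10/32 -p icmp -j ACCEPT
-A POSTROUTING -s 203.0.113.10/32 -j ACCEPT
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""

# Constructed sample: the same services in the filter table, stateful and
# default-deny, with the management network (assumed 192.168.10.0/24 on eth1)
# bound to its interface and dropped if it shows up on the public side (eth0).
FILTER_CORRECT = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -s 192.168.0.0/16 -j DROP
-A INPUT -i eth1 -s 192.168.10.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 25 -m state --state NEW -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type echo-request -j ACCEPT
-A INPUT -j LOG --log-prefix "INPUT-DROP: "
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -m state --state NEW -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    for label, text in (("nat-table filtering", NAT_FILTERING), ("filter-table ruleset", FILTER_CORRECT)):
        findings = audit(parse_save(text))
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Running it with a live dump (`iptables-save | python3 audit.py` after changing the `__main__` block to read stdin) gives the same findings for a real host; the anti-spoofing check is deliberately simple and only reports ACCEPT rules that carry `-s` without `-i`, which is the one gap the reply itself points out.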