On Sat, Jan 11, 2003 at 02:46:17PM -0500, Fraser Campbell wrote:
> On January 11, 2003 12:29 pm, the fabulous Debian User wrote:
>
> > Can someone point me to some docs for where to put the iptables firewall
> > scripts for a dialup account. I am running testing/unstable w/2.4.18-686.
> > This has to be activated (iptables) with each new dialup? Or does
> > iptables refresh the ip? Sorry for all the ?'s but am new to iptables.
>
> I believe that the simplest way is to just put a script in the
> /etc/ppp/ip-up.d/ directory. Here's a script that I've used in a few places:
>
> #!/bin/sh
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT ACCEPT
> iptables -A INPUT -i ppp0 -p tcp -m tcp --dport 22 -j ACCEPT
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
> iptables -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
> iptables -A INPUT -p icmp -m icmp --icmp-type 4 -j ACCEPT
> iptables -A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
> iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
> iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A INPUT -j LOG
>
> This is designed for a client that is directly connected to the Internet but
> is not doing any masquerading for other clients, simply a standalone machine.
> It allows incoming ssh so that I can do remote admin. I'd appreciate
> comments on the above ruleset since I'm deploying it on all my family members
> as I convert them to Linux ;-)
>
> Fraser
>

I thought that it might go in there but I wanted to make sure that was the
correct way. Plus I am doing ipmasq for internal network. I have a script
that I am using. It works for me so far. Thanks for yours though. I plan on
putting the firewall on a p133 that is going to be gateway+firewall+dialout.
Just haven't had the time yet.
Would I need something like diald on the p133 to accept dialout or is there
another way? Thanks again

-- 
****From the Desktop of a Debianized Mutt.
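
An added example, not part of either poster's message: the quoted rules written as an /etc/ppp/ip-up.d/ hook that takes the interface from pppd and loads the ruleset through iptables-restore, so each redial replaces the rules instead of appending another copy. `LAN_IF`, the function name `gen_rules`, the interface-name check and the LAN/masquerading rules are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example, for a file in /etc/ppp/ip-up.d/ (any name run-parts accepts).
LAN_IF=""   # assumption: set to the inside interface (e.g. eth0) to masquerade

# Print an iptables-restore ruleset for WAN interface $1 and optional LAN $2.
gen_rules() {
    wan=$1 lan=${2:-}
    # Refuse anything that is not a plain interface name before emitting rules.
    for ifname in "$wan" ${lan:+"$lan"}; do
        case $ifname in ''|*[!a-z0-9]*) return 1 ;; esac
    done
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        "-A INPUT -i $wan -p tcp -m tcp --dport 22 -j ACCEPT" \
        '-A INPUT -i lo -j ACCEPT'
    for t in 12 11 4 3 8; do
        printf '%s\n' "-A INPUT -p icmp -m icmp --icmp-type $t -j ACCEPT"
    done
    printf '%s\n' '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    if [ -n "$lan" ]; then
        # Assumes the LAN side is trusted; replies to forwarded traffic are
        # let back in statefully, nothing else crosses from the WAN.
        printf '%s\n' "-A INPUT -i $lan -j ACCEPT" \
            "-A FORWARD -i $lan -o $wan -j ACCEPT" \
            "-A FORWARD -i $wan -o $lan -m state --state RELATED,ESTABLISHED -j ACCEPT"
    fi
    printf '%s\n' '-A INPUT -j LOG' 'COMMIT'
    if [ -n "$lan" ]; then
        printf '%s\n' '*nat' ':POSTROUTING ACCEPT [0:0]' \
            "-A POSTROUTING -o $wan -j MASQUERADE" 'COMMIT'
    fi
}

# Debian's ip-up exports PPP_IFACE; load the rules only when run as that hook.
# iptables-restore replaces each listed table in one step, so a redial does
# not stack a second copy of the rules the way repeated "iptables -A" would.
if [ -n "${PPP_IFACE:-}" ]; then
    rules=$(gen_rules "$PPP_IFACE" "$LAN_IF") && printf '%s\n' "$rules" | iptables-restore
fi
```

Running `gen_rules ppp0 eth0` by hand prints the ruleset for review before anything is loaded. Masquerading also needs IP forwarding enabled (`net.ipv4.ip_forward`), which this hook does not change.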