On 26 Aug 2003, Bret Comstock Waldow wrote:

> I can find all the sites and advice I want about how to form iptables
> rules, but I can't find any decent discussion of how to enable the damn
> things.
>
> I get the idea that an iptables firewall is set up by actually running a
> bunch of "iptables -options" lines, presumably from a script.

Correct.

> But where do I put the script(s)?

Depends. For network cards use the pre-up and post-down directives in /etc/network/interfaces. I seem to recall that for ppp you would do this through the /etc/ppp/ip-up and /etc/ppp/ip-down scripts. I think man pppd will help you out in that case. Sorry, I haven't used ppp ever before...

> For crissake! Can anyone point me at some sensible discussion of how
> the hell to go about putting firewall rules in place? I've got a
> laptop, usually on a cable modem, but sometimes using dial-up.

Well, this is only for "plain" NICs (e.g. ethx) and does not explain NAT, but maybe this is of some help to you:

http://huizen.dto.tudelft.nl/devries/security/iptables_example.html

> I know generally about the /etc/init.d/rcX.d runlevel mechanism. Now I
> need a sensible discussion of when and HOW to run what sorts of
> iptables-rules-containing scripts so I can figure out how to protect my
> system. Please don't just tell me about "runlevels" - I know they exist
> already.

Hmm, I am a proponent of not burdening the system unnecessarily. So, most of the time I advise against initializing the firewall from run-level x. I would suggest doing this where/when it is most appropriate (to me that is }:-), which to me is just before the interface is activated.

> Someone somewhere speaks to issue of the actual plumbing to implement
> iptables. Can anyone point me?

<plug class="shameless-but-well-meant">read the page on the above URL</plug>

I wrote it in the hope it would be clear enough for people in just the situation you're finding yourself in right now. If you think it is missing something I'll try to improve it.

HTH

P.S. I just checked it and found that

zless /usr/share/doc/iptables/README.Debian.gz

will give you some useful examples.

Grx HdV

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
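The "pre-up / post-down" plumbing the reply describes, as an added example that is not part of the original thread and not the script from the linked page: a hypothetical /etc/firewall.sh for a single-homed laptop, hooked into /etc/network/interfaces so the rules are loaded just before the NIC comes up and cleared after it goes down. It assumes the interface name eth0, the constructed log prefix "fw-drop: ", and an IPT variable that defaults to iptables but can be set to echo to print the rules instead of applying them (ifupdown itself exports IFACE to these hooks).

```shell
#!/bin/sh
# Hypothetical /etc/firewall.sh (example, not from the original thread).
# Hooked into /etc/network/interfaces like this:
#
#   auto eth0
#   iface eth0 inet dhcp
#       pre-up    /etc/firewall.sh up
#       post-down /etc/firewall.sh down
#
# ifupdown exports IFACE to pre-up/post-down hooks; default to eth0 when run by hand.

IPT="${IPT:-iptables}"   # assumption: set IPT=echo for a dry run that prints the rules
IFACE="${IFACE:-eth0}"   # assumption: external interface is eth0 unless ifupdown says otherwise

# Reset the filter table to an empty, accept-everything state.
fw_reset() {
    "$IPT" -F
    "$IPT" -X
    "$IPT" -P INPUT ACCEPT
    "$IPT" -P FORWARD ACCEPT
    "$IPT" -P OUTPUT ACCEPT
}

# Default-deny inbound policy for a laptop: nothing is forwarded, outbound
# traffic is allowed, and only replies to connections we started come back in.
fw_up() {
    fw_reset
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -P OUTPUT ACCEPT
    # Loopback is trusted; local services talk over it.
    "$IPT" -A INPUT -i lo -j ACCEPT
    # Replies to connections this host initiated.
    "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Packets that belong to no tracked connection are dropped silently.
    "$IPT" -A INPUT -m state --state INVALID -j DROP
    # Everything else arriving on the external interface is logged (rate limited)
    # and then dropped by the INPUT policy.
    "$IPT" -A INPUT -i "$IFACE" -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
}

# post-down: open everything again so the next pre-up starts from a clean slate.
fw_down() {
    fw_reset
}

case "${1:-}" in
    up)   fw_up ;;
    down) fw_down ;;
esac
```

Running `IPT=echo sh /etc/firewall.sh up` before installing the hook shows exactly which rules ifupdown will apply, which is a cheap way to catch a typo that would otherwise leave the laptop without a policy at boot.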