On Wed, 2013-06-19 at 20:07 +0200, Pol Hallen wrote:
> Hey all :-)
>
> Back to iptables again: I need to configure another server.
>
> On my server I have:
>
> eth0 Link encap:Ethernet HWaddr 00:55:d0:c4:f8:1b
> inet addr:192.168.1.100 Bcast:192.168.1.255 Mask:255.255.255.0
>
> route -n
>
> 192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 office
> 0.0.0.0 192.168.0.1 0.0.0.0 UG 0 0 0 dsl
>
> [...]
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
>
> iptables -A FORWARD -s 192.168.1.0/24 -d 0/0 -j ACCEPT
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -d 192.168.1.0/24 -j ACCEPT
> [...]
>
> On the new server:
>
> eth0 Link encap:Ethernet HWaddr 00:21:5e:46:7b:10
> inet addr:95.110.207.165 Bcast:95.110.207.255 Mask:255.255.248.0
>
> route -n
>
> 0.0.0.0 95.110.200.1 0.0.0.0 UG 0 0 0 eth0
> 95.110.200.0 0.0.0.0 255.255.248.0 U 0 0 0 eth0
>
> is it correct to do:
>
> [...]
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
>
> iptables -A FORWARD -s 95.110.207.0/21 -d 0/0 -j ACCEPT
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -d 95.110.207.0/21 -j ACCEPT
> [...]
For the FORWARD chain, see below.

If you only have these 2 rules, your server will be able to connect to other machines and the internet, but it will not accept new connections. If your server needs to be accessed by others (webserver, running SSH, printing server, etc.) you need to define additional rules to allow that incoming traffic.

In the above I am assuming a default policy of 'drop' on at least the INPUT chain; the command (as root, no quotes) "iptables -L -vn" will print all currently active rules and the default policy (what should happen if no rule is matched). If the default policy is 'ACCEPT' those 2 rules by themselves have no effect.

Also, be careful not to lock yourself out of the machine if configuring iptables using SSH.

> Second question: the FORWARD chain is useful only with another pc on
> the same lan. If this server is only a file server (i.e.) I can comment
> out the FORWARD chain. Or not?

Correct, the FORWARD chain is only used for traffic that is being forwarded by that machine (if it is acting as a router, for example). A machine with only 1 network interface (not counting the loopback interface(s), but counting real interfaces, VPN and similar) does not need rules in the FORWARD chain.

> thanks for help!
>
> Pol

Regards,
Steven
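The points Steven makes above (a default DROP policy, ESTABLISHED,RELATED alone never admitting a new connection, explicit accepts for exposed services, not locking yourself out over SSH, and no FORWARD rules on a one-NIC box) put together as one ruleset. This is an added example, not code from either poster; it assumes sshd on port 22, uses the `-m state` match the thread uses, and by default only prints the iptables commands (DRY_RUN=1) so they can be reviewed before being applied as root.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal stateful ruleset for a
# single-interface server with a default DROP policy on INPUT and OUTPUT.
# DRY_RUN=1 (the default) prints the commands instead of running them.
DRY_RUN="${DRY_RUN:-1}"
SSH_PORT="${SSH_PORT:-22}"          # assumed: sshd listens on its default port
SERVICE_PORTS="${SERVICE_PORTS:-}"  # extra TCP services to expose, e.g. "80 443"
# Forwarding state of the kernel; a one-NIC server normally has ip_forward=0.
IP_FORWARD="${IP_FORWARD:-$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null || echo 0)}"

ipt() {
    if [ "$DRY_RUN" = "1" ]; then echo "iptables $*"; else iptables "$@"; fi
}

build_rules() {
    # Open INPUT while rebuilding so an SSH session used to configure the box
    # survives the flush; the policy is switched to DROP only once the
    # ESTABLISHED,RELATED and SSH accept rules are back in place.
    ipt -P INPUT ACCEPT
    ipt -F INPUT
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state INVALID -j DROP
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Incoming services must be allowed explicitly; ESTABLISHED,RELATED alone
    # never admits a NEW connection.
    ipt -A INPUT -p tcp --dport "$SSH_PORT" -m state --state NEW -j ACCEPT
    for port in $SERVICE_PORTS; do
        ipt -A INPUT -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    ipt -P INPUT DROP
    # With a DROP policy on OUTPUT this rule is what lets the host dial out;
    # under an ACCEPT policy it would have no effect.
    ipt -F OUTPUT
    ipt -A OUTPUT -o lo -j ACCEPT
    ipt -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    ipt -P OUTPUT DROP
    # FORWARD only sees routed traffic: with forwarding off it gets no rules.
    ipt -F FORWARD
    if [ "$IP_FORWARD" = "1" ]; then
        ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    fi
    ipt -P FORWARD DROP
}

# Number of rules that admit NEW inbound connections (SSH plus SERVICE_PORTS).
count_new_accepts() {
    build_rules | grep -c -- '-A INPUT .*--state NEW -j ACCEPT'
}

build_rules
```

Run with `DRY_RUN=0` as root to apply; compare the printed list against `iptables -L -vn` afterwards to confirm the policies and rule order came out as intended.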