At first I was a bit wary, but after I modified a sample iptables ruleset to
my liking, I found I got what I wanted.

#First we flush our current rules
iptables -F
iptables -t nat -F

#Then we lock our services so they only work from the LAN (eth1 = LAN, eth0 = WAN)
iptables -I INPUT 1 -i eth1 -j ACCEPT
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -A INPUT -p UDP --dport bootps ! -i eth0 -j REJECT
iptables -A INPUT -p UDP --dport domain ! -i eth0 -j REJECT

#(Optional) Allow access to our ssh server from the WAN
# Additional: port 81 (alt http) and port 443 (https), port 21 (ftp)
#iptables -A INPUT -p TCP --dport ssh -i eth0 -j ACCEPT
iptables -A INPUT -p TCP --dport 2222 -i eth0 -j ACCEPT
iptables -A INPUT -p TCP --dport 81 -i eth0 -j ACCEPT
iptables -A INPUT -p TCP --dport 443 -i eth0 -j ACCEPT
iptables -A INPUT -p TCP --dport 21 -i eth0 -j ACCEPT
#iptables -A INPUT -p TCP --dport 25 -i eth0 -j ACCEPT
#iptables -A INPUT -p TCP --dport 143 -i eth0 -j ACCEPT
#iptables -A INPUT -p TCP --dport 993 -i eth0 -j ACCEPT
#iptables -A INPUT -p TCP --dport 995 -i eth0 -j ACCEPT
#iptables -A INPUT -p TCP --dport 110 -i eth0 -j ACCEPT

#Drop TCP / UDP packets to privileged ports arriving on anything but the LAN
iptables -A INPUT -p TCP ! -i eth1 -d 0/0 --dport 0:1023 -j DROP
iptables -A INPUT -p UDP ! -i eth1 -d 0/0 --dport 0:1023 -j DROP

#Finally we add the rules for NAT
iptables -I FORWARD -i eth1 -d 192.168.0.0/255.255.0.0 -j DROP
iptables -A FORWARD -i eth1 -s 192.168.0.0/255.255.0.0 -j ACCEPT
iptables -A FORWARD -i eth0 -d 192.168.0.0/255.255.0.0 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

#Actual port forwarding
iptables -t nat -A PREROUTING -p tcp --dport 3389 -i eth0 -j DNAT --to 192.168.0.250
iptables -t nat -A PREROUTING -p tcp --dport 6881 -i eth0 -j DNAT --to 192.168.0.250
iptables -t nat -A PREROUTING -p udp --dport 6881 -i eth0 -j DNAT --to 192.168.0.250

#This is so when we boot we don't have to run the rules by hand
/etc/init.d/iptables save

I've found it to work very well.

On 6/2/05, A. Khattri <[EMAIL PROTECTED]> wrote:
> On Tue, 31 May 2005, Ow Mun Heng wrote:
> 
> > > I prefer just plain iptables myself ;-)
> >
> > One man's meat is another's poison.
> >
> > That's the beauty of Open Source. You're free to decide.
> 
> Well, it's one less package to manage - and you don't need any startup
> scripts ("/etc/init.d/iptables save" saves the current rule set and
> automatically restores it on startup).


-- 
- Mark Shields
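A small review helper for a ruleset like the one above, added here as an example and not part of the mail: it reads iptables-save output (the format "/etc/init.d/iptables save" writes) and lists what packets arriving on the WAN interface can reach, both ACCEPTed INPUT ports and DNAT forwards. The dump below is constructed to mirror the mail's rules; the interface roles (eth0 = WAN, eth1 = LAN) are taken from the mail, and because the script never sets a DROP policy and only drops ports 0:1023, the helper also flags the ACCEPT default policy on INPUT.

```python
import shlex
# Constructed iptables-save text mirroring the mail's rules (eth0 = WAN, eth1 = LAN).
SAMPLE_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -i eth0 -p tcp -m tcp --dport 2222 -j ACCEPT
-A INPUT ! -i eth1 -p tcp -m tcp --dport 0:1023 -j DROP
COMMIT
*nat
-A PREROUTING -i eth0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.0.250
-A PREROUTING -i eth0 -p udp -m udp --dport 6881 -j DNAT --to-destination 192.168.0.250
COMMIT
"""

def parse_dump(dump):
    # Yield (table, chain policies, rules); a rule is the token list after "-A".
    table, policies, rules = None, {}, []
    for line in dump.splitlines():
        if line.startswith("*"):
            table, policies, rules = line[1:], {}, []
        elif line.startswith(":"):
            policies.update([line[1:].split()[:2]])
        elif line.startswith("-A "):
            rules.append(shlex.split(line)[1:])
        elif line == "COMMIT":
            yield table, policies, rules

def opt(tokens, flag):
    # Value following a flag, and whether the match was negated with a leading "!".
    if flag not in tokens:
        return None, False
    i = tokens.index(flag)
    return tokens[i + 1], i > 0 and tokens[i - 1] == "!"

def wan_exposure(dump, wan="eth0"):
    # Collect what traffic arriving on the WAN can reach: accepted INPUT ports and DNAT forwards.
    opened, forwarded, findings = set(), set(), []
    for table, policies, rules in parse_dump(dump):
        for r in rules:
            iface, negated = opt(r, "-i")
            if negated or iface != wan:
                continue  # rule is not about packets arriving on the WAN interface
            proto, port, target = opt(r, "-p")[0], opt(r, "--dport")[0], opt(r, "-j")[0]
            if table == "filter" and r[0] == "INPUT" and target == "ACCEPT":
                opened.add((proto, port))
            elif table == "nat" and r[0] == "PREROUTING" and target == "DNAT":
                forwarded.add((proto, port, opt(r, "--to-destination")[0]))
        if table == "filter" and policies.get("INPUT") == "ACCEPT":
            findings.append("INPUT policy ACCEPT: WAN ports not matched by a DROP rule stay reachable")
    return {"open": opened, "forwarded": forwarded, "findings": findings}
```

Run it against the real dump with `wan_exposure(open("/var/lib/iptables/rules-save").read())` or whatever path your init script writes to, and compare the result with the ports you meant to expose.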

-- 
gentoo-user@gentoo.org mailing list
