need help with iptables rules
I've just created a server for my family use: it serves as an HTTP, SMTP, SSH and FTP server, and it's routing my home LAN.
As Ubuntu Dapper comes with no firewall (policy ACCEPT) as default, I need to configure a firewall asap. My needs are: the services I've mentioned, and of course, the ability to browse from any of the LAN clients. 1. I've created a script with all my iptables rules, that is launched from /etc/rc.local. Has the interface been configured before the execution of rc.local? If so, how can I make the firewall available before the connection to the internet is made? 2. My iptables script is as follows; can you please have a look at it and see if it's OK? Thanks. Code:
#!/bin/sh
You're going to need to add a few rules to explain to IPTables exactly how it should route traffic from your home LAN. I assume that you have one public IP and you're running a DHCP server to assign private IPs to all of your home computers on the LAN. If that's the case, then you should check out some documentation on performing NAT (Network Address Translation) with IPTables (A NAT Tutorial). Once you have that working (or if you already do), you should change the policy on FORWARD to be DROP and add rules allowing only traffic from your LAN to be forwarded out. You don't want to be forwarding arbitrary traffic from the internet. In general, it's best to allow only traffic you know you want through your firewall, not to disallow traffic you don't want.
On a slightly different note, it's very unwise to run FTP, as it sends passwords in cleartext. I recommend disabling the FTP service and using SFTP and/or SCP in its place. Both of those protocols will encrypt all of your traffic.
Your best bet is to forget rc.local and instead use the iptables-save command after executing the script manually... then you know it will be working the way it's meant to... rc.local gets executed way too late in the startup process for it to be used for a firewall script... here's a cleaned-up version of your script... execute this and then do an iptables-save once you've confirmed it works well... make sure you don't have any firewall stuff in your rc.local...
Code:
#!/bin/sh
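Added example, written for this thread and not the original poster's script (which is cut off above) nor either reply's code: a POSIX sh script that generates the kind of ruleset the first reply describes (NAT for the LAN, FORWARD defaulting to DROP, only LAN-originated traffic forwarded out, only the named services reachable from the Internet, FTP left out) and, following the second reply, loads it with iptables-restore and dumps it with iptables-save. The interface names eth0/eth1, the LAN subnet 192.168.1.0/24 and the save path /etc/iptables.rules are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example (not from the thread). Builds an iptables-restore ruleset for a
# home gateway with one public interface and one LAN interface. Interface names
# and the LAN subnet are assumptions passed in as arguments; only the SSH, SMTP
# and HTTP services the thread names are opened from the Internet. FTP is
# deliberately omitted, as the first reply recommends.

# gen_rules WAN_IF LAN_IF LAN_CIDR -> prints an iptables-restore ruleset on stdout
gen_rules() {
    wan=$1; lan=$2; net=$3
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Rewrite the source of LAN traffic leaving on the public interface (NAT)
-A POSTROUTING -s $net -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# The LAN may reach any service on the gateway itself
-A INPUT -i $lan -s $net -j ACCEPT
# From the Internet only SSH, SMTP and HTTP are reachable
-A INPUT -i $wan -p tcp --dport 22 -j ACCEPT
-A INPUT -i $wan -p tcp --dport 25 -j ACCEPT
-A INPUT -i $wan -p tcp --dport 80 -j ACCEPT
# Forward only flows the LAN started (plus their replies); nothing unsolicited from outside
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan -o $wan -s $net -j ACCEPT
COMMIT
EOF
}

# rules_have RULESET PATTERN -> exit 0 if a line matching PATTERN is present
rules_have() {
    printf '%s\n' "$1" | grep -q -e "$2"
}

# forward_policy_is_drop WAN_IF LAN_IF LAN_CIDR -> exit 0 if FORWARD defaults to DROP
forward_policy_is_drop() {
    rules_have "$(gen_rules "$@")" '^:FORWARD DROP'
}

# wan_open_ports WAN_IF LAN_IF LAN_CIDR -> space-separated TCP ports accepted from the WAN
wan_open_ports() {
    gen_rules "$@" | sed -n "s/.*-i $1 -p tcp --dport \([0-9]*\).*/\1/p" | xargs
}

case "${1:-}" in
    show)
        gen_rules "$2" "$3" "$4"
        ;;
    apply)
        # Needs root: enable routing, load the ruleset atomically, then dump the
        # live rules to a file that can be restored before the interface comes up.
        echo 1 > /proc/sys/net/ipv4/ip_forward
        gen_rules "$2" "$3" "$4" | iptables-restore
        iptables-save > /etc/iptables.rules
        ;;
esac
```

Print the ruleset with `sh fw.sh show eth0 eth1 192.168.1.0/24` and load it as root with `apply`. iptables-save only writes the live ruleset to a file; nothing reloads it by itself at boot. On Dapper-era ifupdown a `pre-up iptables-restore < /etc/iptables.rules` line in the public interface's stanza in /etc/network/interfaces feeds it back to the kernel before that interface is brought up, which is earlier than rc.local and answers the first question in the thread.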