Linux - Networking
This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
howdy all,
my external connection is ppp0, my internal connection is eth0.
i am "borrowing" an iptables script that suits my home network pretty well.
but a couple of questions:
from INPUT chain: (all ips changed to protect the innocent)
# (3) INPUT chain rules
# Rules for incoming packets from LAN
iptables -A INPUT -p ALL -i eth0 -s 192.168.0.0/16 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 192.168.0.1 -j ACCEPT
iptables -A INPUT -p ALL -i ppp0 -s -j ACCEPT
iptables -A INPUT -p ALL -i eth0 -d 192.168.0.255 -j ACCEPT
# Rules for incoming packets from the internet
# Packets for established connections
iptables -A INPUT -p ALL -d ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
I'm not real comfy with line 1. I don't have 254 PCs on my network, I only have 4. Can I state this as 192.168.0.1,192.168.0.2,192.168.0.3,192 etc. in one line? Or I guess I could add each PC in a separate line?
The sample script has line 3 as -i lo xxx.xxx.x.x, so I followed along, but it doesn't look right. Why would lo be related to xxx.xxx.x.x?
My ISP uses dynamic IP addressing, so I think I'm supposed to put -i ppp0 in line 4, but, confusion, why would I have incoming LAN traffic from the internet?
I am certainly no expert on firewalls, iptables, etc., but somehow the above example seems to be kind of duplicating effort? I have not tried this yet. Any input from knowledgeable folks will be greatly appreciated, and yes I am RTFM, HOWTOs, books, etc., but it's not reaching my inner processor!
OK,
Line 1 'iptables -A INPUT -p ALL -i eth0 -s 192.168.0.0/16 -j ACCEPT'
-- allows traffic from your known network into the box on the LAN interface. The network can be /24 if you want, but it must include the broadcast address. This is a standard rule.
Line 2 'iptables -A INPUT -p ALL -i lo -s 127.0.0.1 -j ACCEPT'
-- allows the box to talk to itself internally. Standard stuff again if you have a default DROP policy.
Line 3 'iptables -A INPUT -p ALL -i lo -s 192.168.0.1 -j ACCEPT'
-- allows the box to talk to itself from its eth0 IP number. Standard stuff for a DROP policy.
Line 4 'iptables -A INPUT -p ALL -i ppp0 -s -j ACCEPT'
-- is a mistake. It allows ALL traffic coming into ppp0 from anywhere... In later versions of iptables it will throw up an error coz -s has no values stated and wouldn't load the rule, leading to 'unexpected behaviour'. Something will need to be added to allow traffic on ppp0. (I suspect the default policy is DROP)
Line 5 'iptables -A INPUT -p ALL -i eth0 -d 192.168.0.255 -j ACCEPT'
-- is also a mistake. There shouldn't be any traffic on that address if the netmask is /16. That broadcast address would be 192.168.255.255.
Line 6 'iptables -A INPUT -p ALL -d ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT'
-- I would guess that it should state -i ppp0, even though iptables will resolve -d ppp0 to an address if ppp0 is up. It could be an attempt at rp_filter but isn't applied to any interface, so I'd say it was a mistake also.
There are a lot of rules not there...
I'd suggest having a read of this tutorial and getting to know the iptables mechanism a bit better.
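As an added example (not the original poster's script and not code from the reply above), here is what the INPUT chain looks like once the points made in this reply are applied: a /24 in place of the /16, loopback matched on the interface alone, an explicit -i ppp0 on the ESTABLISHED,RELATED rule, a DROP policy stated up front, and the four LAN hosts listed on a single -s line, which iptables expands into one rule per address. The interface names ppp0 and eth0 come from the thread; the host addresses, the anti-spoofing rules and the LOG rule at the end are assumptions added here. FORWARD and NAT rules for the LAN are not shown.

```shell
#!/bin/sh
# Added example, not the original poster's script. Assumptions (not from the
# thread): the LAN is 192.168.0.0/24, the four LAN hosts are 192.168.0.10-13,
# and the default policy is DROP.
#
# Dry run by default: each rule is printed instead of loaded. To apply it:
#   IPT=iptables sh firewall.sh
IPT="${IPT:-echo}"
EXT_IF=ppp0
INT_IF=eth0
LAN_NET=192.168.0.0/24
LAN_BCAST=192.168.0.255
# Only these hosts. A comma-separated -s is expanded by iptables into one
# rule per address, so this is the "one line" form of listing each PC.
LAN_HOSTS=192.168.0.10,192.168.0.11,192.168.0.12,192.168.0.13

firewall_rules() {
    # Start from an empty filter table, then DROP everything not accepted below.
    $IPT -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback: match on the interface only. Nothing arrives on lo from another
    # machine, so there is no need to list 127.0.0.1 or the eth0 address.
    $IPT -A INPUT -i lo -j ACCEPT

    # Anti-spoofing: packets arriving on the dial-up link must not claim a LAN
    # or loopback source address. This is the real reason "LAN traffic from the
    # internet" matters: it should be dropped, never accepted.
    $IPT -A INPUT -i "$EXT_IF" -s "$LAN_NET" -j DROP
    $IPT -A INPUT -i "$EXT_IF" -s 127.0.0.0/8 -j DROP

    # LAN: only the hosts we know, plus the /24 broadcast they use (DHCP,
    # Samba browsing). A /16 would admit 65k addresses that do not exist here.
    $IPT -A INPUT -i "$INT_IF" -s "$LAN_HOSTS" -j ACCEPT
    $IPT -A INPUT -i "$INT_IF" -d "$LAN_BCAST" -j ACCEPT

    # Internet: only replies to connections this box opened. Note -i, not -d;
    # the rule is about the interface the packet arrived on, which also works
    # unchanged when the ISP hands out a different address every dial-up.
    $IPT -A INPUT -i "$EXT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Everything else from the internet is logged (rate limited so a scan
    # cannot fill the disk) and then falls through to the DROP policy.
    $IPT -A INPUT -i "$EXT_IF" -m limit --limit 5/min -j LOG --log-prefix "IPT-INPUT-DROP: "
}

firewall_rules
```

Run it as-is to see the rules it would load; iptables -nvL afterwards shows the expanded per-host rules and their packet counters. Very old iptables releases do not accept a comma-separated -s and need one rule per host (or an ipset) instead.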
hi
Thanks for your reply. I guess I should have posted the whole script, but yes you are correct, this is part of a drop policy firewall.
line 1 - your explanation and tutorial link cleared this up
line 2 - I was clear on lo
line 3 - good explanation
line 4 - thanks for confirming my instinct
line 5 - understand now thanks to your comments on line 1
line 6 - you are right, typo on my part, should be -i ppp0 (script originally for static IP)
I did not post the whole script because, since I haven't actually run it, it would have all the commented stuff, and I've seen posts from folks who don't want to see all the verbosity.
Anyway, thank you again for your time and help. You are right, further study needed.
But in the end, iptables -nvL & iptables -t nat -nvL give the best information coz you see the after effects of the script, what happened and what didn't happen.
Also, doing ' iptables-save > /etc/iptables.saved ' will give you a file with the whole ruleset.
Posting that is much better after you have removed your external identification.
For testing, add a lot of -j LOG rules, watch them by doing ' tail -f /var/log/messages ' in a separate terminal and then adding rules by hand with the iptables command.
Once the rules look ok, write them into a script with comments...
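As an added example built on the testing advice in this reply (not code from the thread), here is a small summary of what the -j LOG rules are catching. Kernel LOG output lands in /var/log/messages (or journalctl -k) as one line per packet; this collapses those lines into counts per log prefix, inbound interface, protocol and destination port, which is easier to read than a raw tail -f once a scan is under way. The log prefix IPT-INPUT-DROP: is an assumed name and the log lines are constructed samples, not captured traffic.

```shell
#!/bin/sh
# Added example, not from the thread: summarise kernel LOG lines from -j LOG
# rules so "what got dropped" is visible at a glance instead of one line per
# packet. Source addresses are deliberately left out of the key, so a port
# scan from many hosts shows up as one busy line rather than hundreds.
# Assumptions: LOG rules use the prefix "IPT-INPUT-DROP: " and write to a
# syslog file such as /var/log/messages. The lines below are constructed
# samples (hostname gw, documentation addresses), not real traffic.
SAMPLE_LOG='Mar  3 10:01:02 gw kernel: IPT-INPUT-DROP: IN=ppp0 OUT= MAC= SRC=203.0.113.9 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=1 DF PROTO=TCP SPT=4123 DPT=135 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:01:05 gw kernel: IPT-INPUT-DROP: IN=ppp0 OUT= MAC= SRC=203.0.113.9 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=2 DF PROTO=TCP SPT=4124 DPT=135 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:01:09 gw kernel: IPT-INPUT-DROP: IN=ppp0 OUT= MAC= SRC=198.51.100.200 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=3 DF PROTO=UDP SPT=53 DPT=1027 LEN=40
Mar  3 10:01:12 gw kernel: IPT-INPUT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.0.77 DST=192.168.0.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=4 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
Mar  3 10:01:15 gw sshd[123]: Accepted publickey for alice from 192.168.0.10 port 40000'

# log_summary [file]: reads a syslog file (stdin by default) and prints
# "<count> <prefix> <IN> <PROTO> <DPT>" lines, busiest first.
log_summary() {
    awk '
        /kernel: / && /IN=/ && /SRC=/ {
            # Whatever sits between "kernel: " and "IN=" is the --log-prefix.
            p = $0; sub(/.*kernel: /, "", p); sub(/ *IN=.*/, "", p)
            iface = proto = dpt = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^IN=/)    iface = substr($i, 4)
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            }
            # OUTPUT-chain logs have an empty IN=; keep the key well formed.
            if (iface == "") iface = "-"
            n[p " " iface " " proto " " dpt]++
        }
        END { for (k in n) print n[k], k }
    ' "${1:--}" | sort -rn
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | log_summary
```

Against a real box: log_summary /var/log/messages, or journalctl -k | log_summary. Because it sorts, it needs the whole input; keep tail -f for watching rules as you add them and use this afterwards to see which ports and interfaces dominate the drops.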
hi,
Excellent tips! Thanks guys! I'm also going to use Linux Firewalls, 2nd ed., by R. Ziegler.
If I get the firewall up and reasonably secure, the cost of the book is still less expensive than Windows and a commercial firewall.