LinuxQuestions.org
Old 02-25-2003, 10:03 PM   #1
luap
Member
 
Registered: Feb 2003
Location: atlanta ga usa
Distribution: suse 8.2
Posts: 78

Rep: Reputation: 15
iptables again


Howdy all,
My external connection is ppp0, my internal connection is eth0.
I am "borrowing" an iptables script that suits my home network pretty well,
but I have a couple of questions.
From the INPUT chain (all IPs changed to protect the innocent):

# (3) INPUT chain rules

# Rules for incoming packets from LAN
iptables -A INPUT -p ALL -i eth0 -s 192.168.0.0/16 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 192.168.0.1 -j ACCEPT
iptables -A INPUT -p ALL -i ppp0 -s -j ACCEPT
iptables -A INPUT -p ALL -i eth0 -d 192.168.0.255 -j ACCEPT

# Rules for incoming packets from the internet

# Packets for established connections
iptables -A INPUT -p ALL -d ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT

I'm not really comfortable with line 1. I don't have 254 PCs on my network, I only have 4. Can I state this as
192.168.0.1,192.168.0.2,192.168.0.3, etc. in one line? Or I guess I could add each PC on a separate line?

The sample script has line 3 as -i lo xxx.xxx.x.x, so I followed along, but it doesn't look right. Why would lo
be related to xxx.xxx.x.x?

My ISP uses dynamic IP addressing, so I think I'm supposed to put -i ppp0 in line 4, but, confusion:
why would I have incoming LAN traffic from the internet?
I am certainly no expert on firewalls, iptables, etc., but somehow the above example seems to be
kind of duplicating effort? I have not tried this yet; any input from knowledgeable folks will be greatly
appreciated, and yes, I am reading the manuals, HOWTOs, books, etc., but it's not reaching my inner processor!
 
Old 02-26-2003, 03:49 AM   #2
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
OK,
Line 1 'iptables -A INPUT -p ALL -i eth0 -s 192.168.0.0/16 -j ACCEPT'
-- allows traffic from your known network into the box on the LAN interface. The network can be /24 if you want, but it must include the broadcast address. This is a standard rule.

Line 2 'iptables -A INPUT -p ALL -i lo -s 127.0.0.1 -j ACCEPT'
-- allows the box to talk to itself internally. Standard stuff again if you have a default DROP policy.

Line 3 'iptables -A INPUT -p ALL -i lo -s 192.168.0.1 -j ACCEPT'
-- allows the box to talk to itself from its eth0 IP number. Standard stuff for a DROP policy.

Line 4 'iptables -A INPUT -p ALL -i ppp0 -s -j ACCEPT'
-- is a mistake. It allows ALL traffic coming into ppp0 from anywhere... In later versions of iptables it will throw up an error because -s has no value stated and wouldn't load the rule, leading to 'unexpected behaviour'. Something will need to be added to allow traffic on ppp0. (I suspect the default policy is DROP.)

Line 5 'iptables -A INPUT -p ALL -i eth0 -d 192.168.0.255 -j ACCEPT'
-- is also a mistake. There shouldn't be any traffic on that address if the netmask is /16. That broadcast address would be 192.168.255.255.

Line 6 'iptables -A INPUT -p ALL -d ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT'
-- I would guess that it should state -i ppp0, even though iptables will resolve -d ppp0 to an address if ppp0 is up. It could be an attempt at rp_filter but isn't applied to any interface, so I'd say it was a mistake also.

There are a lot of rules not there...

I'd suggest having a read of this tutorial and getting to know the iptables mechanism a bit better.
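A corrected INPUT chain of the shape the reply above describes, as an added example that is not from the thread or from the script the poster borrowed: default DROP policy, loopback matched on the interface alone (no source address needed), one ACCEPT per known LAN host instead of the whole 192.168.0.0/16, the ESTABLISHED,RELATED rule keyed on -i rather than -d, private source addresses dropped on the WAN side, and no blanket ACCEPT on ppp0. The interface names, the /24 LAN, its broadcast address and the four host addresses are assumptions standing in for the poster's redacted values. The script prints the ruleset in iptables-restore format so it can be reviewed without root, and only loads it when run with --apply. On the "all hosts in one line" question: newer iptables releases (1.4.11 and later) expand a comma-separated list such as -s 192.168.0.2,192.168.0.3 into one rule per address; the loop below is the portable equivalent and produces the same rules.

```shell
#!/bin/sh
# Added example (not from the thread): generate a default-DROP INPUT chain for a
# ppp0/eth0 home router. Interface names, LAN prefix, broadcast and host
# addresses below are assumptions; override them in the environment.
WAN_IF=${WAN_IF:-ppp0}
LAN_IF=${LAN_IF:-eth0}
LAN_BCAST=${LAN_BCAST:-192.168.0.255}
# The four LAN machines allowed to talk to the router itself.
LAN_HOSTS=${LAN_HOSTS:-"192.168.0.2 192.168.0.3 192.168.0.4 192.168.0.5"}

# Emit the ruleset in iptables-restore format ('#' lines are comments there).
gen_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback: match the interface only; a -s on lo adds nothing.
-A INPUT -i lo -j ACCEPT
# Replies to connections this box opened, on any interface (-i, never -d).
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# Anti-spoofing: private and loopback sources never legitimately arrive on $WAN_IF.
-A INPUT -i $WAN_IF -s 10.0.0.0/8 -j DROP
-A INPUT -i $WAN_IF -s 172.16.0.0/12 -j DROP
-A INPUT -i $WAN_IF -s 192.168.0.0/16 -j DROP
-A INPUT -i $WAN_IF -s 127.0.0.0/8 -j DROP
EOF
  # One ACCEPT per known LAN host instead of the whole 192.168.0.0/16.
  for h in $LAN_HOSTS; do
    echo "-A INPUT -i $LAN_IF -s $h -j ACCEPT"
  done
  cat <<EOF
# LAN broadcasts: match on -d, since e.g. DHCP discovers carry SRC=0.0.0.0.
-A INPUT -i $LAN_IF -d $LAN_BCAST -j ACCEPT
-A INPUT -i $LAN_IF -d 255.255.255.255 -j ACCEPT
# Nothing else is accepted on $WAN_IF. Log the rest (rate-limited) for tuning.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "
COMMIT
EOF
}

# Number of ACCEPT rules bound to the WAN interface. For this ruleset it must
# be 0; the poster's "-i ppp0 -s -j ACCEPT" line is exactly what this catches.
wan_accepts() {
  gen_rules | grep -c -- "-i $WAN_IF .*-j ACCEPT" || true
}

if [ "$1" = "--apply" ]; then
  gen_rules | iptables-restore      # needs root; replaces the filter table
else
  gen_rules
fi
```

Review the output with `sh fw.sh`, load it as root with `sh fw.sh --apply`, then confirm with `iptables -nvL` that the counters move on the rules you expect. Two caveats: the FORWARD policy is DROP, so LAN hosts will not reach the internet through this box until FORWARD and NAT rules (not covered in this thread) are added; and any service the LAN hosts need from the router is already covered by their per-host ACCEPT, but nothing inbound on ppp0 is open, which is the intended state for a home gateway.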
 
Old 02-26-2003, 10:15 PM   #3
luap
Member
 
Registered: Feb 2003
Location: atlanta ga usa
Distribution: suse 8.2
Posts: 78

Original Poster
Rep: Reputation: 15
Hi,
Thanks for your reply. I guess I should have posted the whole script, but yes, you are correct, this is part
of a DROP policy firewall.
Line 1 - your explanation and tutorial link cleared this up.
Line 2 - I was clear on lo.
Line 3 - good explanation.
Line 4 - thanks for confirming my instinct.
Line 5 - understood now, thanks to your comments on line 1.
Line 6 - you are right, typo on my part, should be -i ppp0 (script originally for static IP).

I did not post the whole script because, since I haven't actually run it, it would have all the commented
stuff; I've seen posts from folks who don't want to see all the verbosity.
Anyway, thank you again for your time and help. You are right, further study needed.
 
Old 02-27-2003, 06:15 AM   #4
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
You're right, scripts can be very hard to read...

But in the end, iptables -nvL and iptables -t nat -nvL give the best information because you see the after-effects of the script, what happened and what didn't happen.

Also, doing ' iptables-save > /etc/iptables.saved ' will give you a file with the whole ruleset.
Posting that is much better after you have removed your external identification.

For testing, add a lot of -j LOG rules, watch them by doing ' tail -f /var/log/messages ' in a separate terminal and then adding rules by hand with the iptables command.
Once the rules look ok, write them into a script with comments...
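An added example, not from the thread, for the testing step just described: once -j LOG rules are in place the kernel writes one syslog line per hit, and a tail -f stops being readable within minutes. This script parses those lines and counts hits by inbound interface, source address, protocol and destination port, busiest first. The six sample syslog lines, the hostname, the addresses and the INPUT-DROP: log prefix are constructed for the example; point it at a real file with `summarize_log < /var/log/messages`.

```shell
#!/bin/sh
# Added example (not from the thread): summarise netfilter LOG lines from
# syslog so dropped traffic can be read as a table. Sample input below is
# constructed; the "INPUT-DROP: " prefix is an assumed --log-prefix value.

# Reads syslog text on stdin, prints "count IN SRC PROTO DPT", busiest first.
# Non-kernel lines (e.g. sshd) and kernel lines without IN= are ignored.
summarize_log() {
  awk '
    /kernel: / && /IN=/ {
      in_if = "?"; src = "?"; proto = "?"; dpt = "-"
      for (i = 1; i <= NF; i++) {
        n = split($i, kv, "=")
        if (n < 2) continue              # tokens like DF, SYN, "kernel:"
        if (kv[1] == "IN" && kv[2] != "") in_if = kv[2]
        else if (kv[1] == "SRC")   src   = kv[2]
        else if (kv[1] == "PROTO") proto = kv[2]
        else if (kv[1] == "DPT")   dpt   = kv[2]   # absent for ICMP
      }
      count[in_if " " src " " proto " " dpt]++
    }
    END { for (k in count) print count[k], k }
  ' | sort -rn
}

# Constructed sample: three SYNs to port 22 from one host, one SMB probe,
# one ping, and an unrelated sshd line that must be skipped.
SAMPLE_LOG='Feb 27 10:15:03 fw kernel: INPUT-DROP: IN=ppp0 OUT= MAC= SRC=203.0.113.45 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4432 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 27 10:15:04 fw kernel: INPUT-DROP: IN=ppp0 OUT= MAC= SRC=203.0.113.45 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4433 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 27 10:15:06 fw kernel: INPUT-DROP: IN=ppp0 OUT= MAC= SRC=203.0.113.45 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4434 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 27 10:16:11 fw kernel: INPUT-DROP: IN=ppp0 OUT= MAC= SRC=198.51.100.9 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=2 DF PROTO=TCP SPT=1037 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Feb 27 10:17:42 fw kernel: INPUT-DROP: IN=ppp0 OUT= MAC= SRC=192.0.2.77 DST=198.51.100.7 LEN=84 TOS=0x00 PREC=0x00 TTL=49 ID=9 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=3
Feb 27 10:18:00 fw sshd[412]: Accepted publickey for paul from 192.168.0.2 port 51234 ssh2'

# Stand-alone run: summarise the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | summarize_log
```

The first output line for the sample is `3 ppp0 203.0.113.45 TCP 22`. In practice, pair this with a `-m limit` on the LOG rule itself, otherwise a port scan can fill /var/log/messages faster than the summary helps.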
 
Old 02-27-2003, 02:05 PM   #5
PTBmilo
Member
 
Registered: Jan 2003
Posts: 167

Rep: Reputation: 30
I thought the same thing when I first got my tables going. I did this:
HOST1=192.168.2.1 # just examples
HOST2=192.168.2.2
HOSTN=192.168.1.N

iptables -A INPUT -p ALL -i eth0 -s $HOST1 -j ACCEPT
iptables -A INPUT -p ALL -i eth0 -s $HOST2 -j ACCEPT
iptables -A INPUT -p ALL -i eth0 -s $HOSTN -j ACCEPT

I ended up locking it down much more than that by filtering ports, only allowing 3 ICMP packets in a minute, and so on.

Have fun with it!
 
Old 02-28-2003, 10:37 PM   #6
luap
Member
 
Registered: Feb 2003
Location: atlanta ga usa
Distribution: suse 8.2
Posts: 78

Original Poster
Rep: Reputation: 15
Hi,
Excellent tips! Thanks, guys! I'm also going to use Linux Firewalls, 2nd ed., by R. Ziegler.
If I get the firewall up and reasonably secure, the cost of the book is still less expensive than Windows
and a commercial firewall.
 
  

