hi,
can I get a sanity check? here's my iptables script, for a firewall on my home network, and the result of iptables -L
is this working?
(also, the LOG line makes my hard disk thrash terribly so I commented it out). This is from an article I found on the web. Thanks!

/sbin/modprobe iptable_nat
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -i lo -j ACCEPT
# /sbin/iptables -A INPUT -j LOG --log-level 4 --log-prefix "ATTACK"
/sbin/iptables -A INPUT -j DROP
/sbin/iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE

when i run iptables -L here'swhat I get

Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

a couple of things....

1st best to make the defaut policy of all chains DENY and then selectively let though what you want so

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

then accept anything from the actual firewall machine and any other local machines

iptables -A INPUT -i lo -j ACCEPT // this line is fine but add

iptables -A INPUT -i eth1 -j ACCEPT //assuming that eth1 is the card connected to your local network

i would change
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

to

iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

that way any local traffic will travel unimpeeded to the firewall

you will also want to create a rule for forwarding
iptables -A FORWARD -i eth0 -d 192.168.0.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT
or something like that. Also

iptables -A FORWARD -i eth1 -j ACCEPT

and then through in your MASQUERADE line at the end.

** NOTE ** this is far from a perfect firewall, it is a start, more secure than the one you posted but really needs some more work before you should rely on it. My advice is to shut down everything and then selectively open it up until you have a working system. I aslo recommend checking out this link on Connection Tracking

Rich

thanks!
(the Connection Tracking article will take some study
now I want to be able to ping this machine from inside my lan but it is blocked.

Thanks for our answers to this and my related thread here. Some one suggested an excellent article at http://www.linuxsecurity.com/resourc...-tutorial.html which covers it for me.