Re: MSN Messenger Behind a NATting IPtables Firewall
From: NeoSadist (neosad1st_at_charter.net)
Date: 01/17/04
- Next message: brettg: "NIS user account woes"
- Previous message: Urs Thuermann: "Problems with VLAN and Adaptec DuraLink NIC"
- In reply to: Meron Lavie: "Re: MSN Messenger Behind a NATting IPtables Firewall"
- Next in thread: Walter Mautner: "Re: MSN Messenger Behind a NATting IPtables Firewall"
- Reply: Walter Mautner: "Re: MSN Messenger Behind a NATting IPtables Firewall"
- Reply: Dr. Chandra: "Re: MSN Messenger Behind a NATting IPtables Firewall"
- Reply: alvin: "Re: MSN Messenger Behind a NATting IPtables Firewall"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Sat, 17 Jan 2004 15:28:31 -0700
Meron Lavie wrote:
> OK - I apologize for the MSFT quip.
>
> My iptables knowledge is not great. By stateful, do you mean if I have the
> following in my firewall?:
Usually stateful works like this (for non-icmp stuff):
iptables -A INPUT -i eth0 -p ! icmp -m state \
--state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o eth0 -p ! icmp -m state \
--state NEW,ESTABLISHED,RELATED -j ACCEPT
(the \ means that the next line continues the command)
I.e. the generally accepted stateful setup is to allow only new connections
outbound, but established (i.e. we started the connection) and related
(i.e. related to something we started) are ok both incoming and outgoing.
What I meant was that if you're only doing that, and not filtering the ports
themselves, you should be fine. Port-filtering firewalls are different
than stateful firewalls. Port-filtering assumes that only good traffic
comes in and goes out on certain ports, so it filters based on the port #.
Stateful filters based on the (abstract) state of the connection, which can
be better, or at least simpler, for home users. I prefer a combination of
the two, but what I was asking is if you're filtering based on the port or
on the state.
A port filtering firewall would look more like this:
# HTTP:
iptables -A INPUT -i eth0 -p tcp --sport 80 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 80 -j ACCEPT
# DNS:
iptables -A INPUT -i eth0 -p udp --sport 53 -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp --dport 53 -j ACCEPT
>
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
Why are you using forward? Does this box act as a router/firewall?
>
> because I do.
>
> From reading some sites on the web, it would seem that I also need to
> supply IGP/UPnP support for iptables, but the solutions I found for this
> seem so complicated to install that Linus himself couldn't get it up and
> running.
IGMP? I don't allow that protocol at all, and I usually block it for
security reasons.
UPnP? I also don't use that for security reasons, and the fact that I
absolutely hate WinXP.
>
> Any ideas?
Uh, yeah, tell me what you're wanting to do with the firewall, where and how
this machine is being used, and your progress so far.
-- Tomorrow, you can be anywhere.
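The distinction drawn in the message above (a stateful `-m state` ruleset versus a plain source/destination port ruleset) is easiest to see by feeding the same packets through both. The following is an added example written for this page, not code from the poster or from the iptables project: a toy packet filter that models the three rulesets described in the post (state-only, port-only, and the combination the poster says they prefer). The addresses, ports and packets are constructed for illustration; `RELATED` state needs a protocol helper and is deliberately not modelled.

```python
"""Toy model of the iptables rule styles discussed in the thread.

Added example for this page; not the poster's code. Hosts, ports and
packets below are constructed. Default policy is DROP throughout.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" (arrives on eth0) or "out" (leaves on eth0)
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFilter:
    """Models the post's '-m state' rules with a conntrack-like table.

    OUTPUT accepts NEW,ESTABLISHED; INPUT accepts only ESTABLISHED.
    Only flows first seen outbound ever enter the table, which is what
    makes "we started the connection" the gate for inbound traffic.
    """

    def __init__(self):
        self.table = set()

    @staticmethod
    def _key(p):
        # Canonical key: (proto, local addr, local port, remote addr, remote port)
        if p.direction == "out":
            return (p.proto, p.src, p.sport, p.dst, p.dport)
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def state(self, p):
        return "ESTABLISHED" if self._key(p) in self.table else "NEW"

    def filter(self, p):
        st = self.state(p)
        if p.direction == "out":
            if st == "NEW":
                self.table.add(self._key(p))  # remember what we started
            return "ACCEPT"
        return "ACCEPT" if st == "ESTABLISHED" else "DROP"


class PortFilter:
    """Models the '--sport 80' / '--dport 53' rules: no memory at all."""

    RULES = {("tcp", 80), ("udp", 53)}  # (proto, service port) allowed

    def filter(self, p):
        if p.direction == "in" and (p.proto, p.sport) in self.RULES:
            return "ACCEPT"
        if p.direction == "out" and (p.proto, p.dport) in self.RULES:
            return "ACCEPT"
        return "DROP"


class CombinedFilter:
    """State first, then ports: a NEW outbound flow must also target an
    allowed service port, and inbound is still gated on ESTABLISHED."""

    def __init__(self):
        self.stateful = StatefulFilter()

    def filter(self, p):
        if (p.direction == "out" and self.stateful.state(p) == "NEW"
                and (p.proto, p.dport) not in PortFilter.RULES):
            return "DROP"
        return self.stateful.filter(p)


def run_scenario():
    """Return {packet name: (stateful, port-only, combined)} verdicts."""
    client, server, attacker = "192.168.1.10", "203.0.113.5", "198.51.100.7"
    packets = [
        # our own web request and the server's reply to it
        ("request", Packet("out", "tcp", client, 40000, server, 80)),
        ("reply", Packet("in", "tcp", server, 80, client, 40000)),
        # unsolicited inbound packets that merely *use* source port 80 / 53
        ("spoofed_sport80", Packet("in", "tcp", attacker, 80, client, 22)),
        ("unsolicited_dns", Packet("in", "udp", attacker, 53, client, 1234)),
        # an outbound connection to a port the port filter does not list
        ("outbound_irc", Packet("out", "tcp", client, 40001, server, 6667)),
    ]
    filters = (StatefulFilter(), PortFilter(), CombinedFilter())
    return {name: tuple(f.filter(p) for f in filters) for name, p in packets}


if __name__ == "__main__":
    for name, verdicts in run_scenario().items():
        print(f"{name:16s} stateful={verdicts[0]:6s} "
              f"ports={verdicts[1]:6s} combined={verdicts[2]}")
```

Running it shows why the poster asks which style is in use: the port-only rules wave through any inbound packet whose source port happens to be 80 or 53, the state-only rules drop those but let the client open a connection to any outbound port, and the combination drops both.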