Linux firewall configuration
From: Daniel Camps (danicamps81_at_yahoo.com)
Date: 11/30/04
- Next message: buck: "Re: some dnsmasq problems"
- Previous message: tomek: "how get state of socket in c"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: 30 Nov 2004 09:36:43 -0800
Hello,
I have just installed Fedora Core 3 with its firewall protection by
default. I list here the rules that are specified:
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT ipv6-crypt-- anywhere anywhere
ACCEPT ipv6-auth-- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:5353
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
So the packets generated on this machine are not affected at all
(nothing in the OUTPUT chain); only the packets that arrive at
processes on this machine (INPUT) or are forwarded by this machine
(FORWARD) are. Now I want to use this machine as a gateway to the Internet
using NAT, so the rules defined in the RH-Firewall-1-INPUT chain are
affecting the packets coming from the LAN. I would like someone to
shed some light on these rules. For instance, I don't understand
why the first rule is this "ACCEPT everything"; then all the packets
should match this first rule and stop the checking, shouldn't they?
I don't understand the rule with "state RELATED,ESTABLISHED" either;
what does it mean?
Well, I have checked that if I want to provide web connectivity for the
clients in my LAN I have to add these rules at the beginning:
iptables -I RH-Firewall-1-INPUT -m tcp -p tcp -s 192.168.0.0/24 -d 0/0 --dport 80 -j ACCEPT
iptables -I RH-Firewall-1-INPUT -m tcp -p tcp -s 192.168.0.0/24 -d 0/0 --dport 53 -j ACCEPT
iptables -I RH-Firewall-1-INPUT -m udp -p udp -s 192.168.0.0/24 -d 0/0 --dport 53 -j ACCEPT
to allow the web and DNS services. Well, I think I will create another
chain with only the services I want to let through. These services,
in addition to the web and DNS mentioned before, would be MSN
Messenger and eMule. Does anybody know which ports and
protocols I have to permit to make these services work?
Thanks a lot !
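As an added illustration (not code from the post), the following Python models first-match traversal through the RH-Firewall-1-INPUT chain listed above and the effect of the `iptables -I` rule for LAN web traffic. It relies on the stock Fedora rule set's first ACCEPT carrying an `-i lo` interface match, which plain `iptables -L` does not display but `iptables -L -v` does; the packets are constructed sample input.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional
@dataclass
class Packet:                  # constructed sample packet, not a real capture
    proto: str                 # "tcp", "udp", "icmp", "esp" or "ah"
    src: str
    dst: str
    dport: Optional[int] = None
    iface: str = "eth0"        # interface the packet arrived on
    state: str = "NEW"         # conntrack state: NEW, ESTABLISHED or RELATED
@dataclass
class Rule:                    # an unset field is a wildcard, like an unqualified match
    target: str
    proto: Optional[str] = None
    src: Optional[str] = None  # CIDR source, e.g. "192.168.0.0/24"
    dst: Optional[str] = None
    dport: Optional[int] = None
    iface: Optional[str] = None
    states: Optional[frozenset] = None

    def matches(self, p: Packet) -> bool:
        if self.src and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if self.states and p.state not in self.states:
            return False
        return all(getattr(self, f) in (None, getattr(p, f))  # unset field == wildcard
                   for f in ("proto", "dst", "dport", "iface"))

def fc3_default_chain() -> list:
    """RH-Firewall-1-INPUT exactly as listed in the post, top to bottom."""
    return [
        Rule("ACCEPT", iface="lo"),              # -i lo: hidden by plain -L, shown by -L -v
        Rule("ACCEPT", proto="icmp"),
        Rule("ACCEPT", proto="esp"),             # listed as ipv6-crypt
        Rule("ACCEPT", proto="ah"),              # listed as ipv6-auth
        Rule("ACCEPT", proto="udp", dst="224.0.0.251", dport=5353),
        Rule("ACCEPT", proto="udp", dport=631),  # ipp
        Rule("ACCEPT", states=frozenset({"RELATED", "ESTABLISHED"})),
        Rule("REJECT"),                          # reject-with icmp-host-prohibited
    ]

def traverse(chain: list, p: Packet) -> str:
    """The first matching rule decides (ACCEPT and REJECT both terminate)."""
    for rule in chain:
        if rule.matches(p):
            return rule.target
    return "POLICY"                              # no match: the chain's policy applies
def insert_lan_web_rule(chain: list) -> list:
    """The post's `iptables -I ... --dport 80 -j ACCEPT`: -I puts the rule at the head."""
    return [Rule("ACCEPT", proto="tcp", src="192.168.0.0/24", dport=80)] + chain
```

A new LAN connection to port 80 falls through to the final REJECT until the inserted rule is present, while the reply half of any connection already passes on the RELATED,ESTABLISHED rule, which is why only the first packet of each flow needs an explicit ACCEPT.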