Policy Misunderstanding: RTFM Guidance Requested.

Mike 1100100 at gmail.com
Wed Sep 1 20:12:56 CEST 2004


> Better to let things through the mangle and nat tables, and do filtering in
> the filter table.  There have been folks who like to drop things in the
> mangle and nat tables, but setting actual DROP policies makes life very
> difficult.

This seems like sound advice after what I've been through.  Maybe the
folks in The Matrix can bend the laws of physics with relative ease,
but for myself, I can barely achieve 'dude' status.  I think I'll
ACCEPT mangle and nat, and get some sleep tonight.  :-)

>         There is no definition of the SOURCE that you want to drop ICMP echorequests
> from.  Thus this rule drops all ping echorequests.
>         iptables -t filter -A INPUT -p icmp -i [internet pipe device] -icmp-type \
> echo-request -j DROP
>         will allow your LAN users to ping the box, but prevent pings from the
> internet from getting in.

Oh I see.  By stating specifically the internet-facing device, you
make it possible for LAN clients to ping the box through the gateway
NIC - eth1, while the rule blocks all the other echo requests.

>         Really and truely -- Oskar's tutorials are great and easy to read... and even
> the sample firewalls there are decent enough to start with for a newbie.
> 
I definitely feel more secure about working on my firewall knowing
that this reference material is around.  It's packed.

Thanks again, Alistair.
It's great to have your assistance.

Mike



More information about the netfilter mailing list