Jason Opperisano opie at 817west.com
Tue Sep 28 16:04:00 CEST 2004

On Tue, 2004-09-28 at 04:19, Contact wrote:
> This helps a bit, but still way out of my league - there is a lot of stuff
> to remember. In the many sites, including the one you list below, they talk
> of various configurations before ever getting to the rules - is this
> necessary?
> i.e.
> INET_IP=""
> INET_IFACE="eth0"
> LAN_IP=""
> LAN_IFACE="eth1"

necessary, no.  but it is a standard scripting practice that makes your
life easier.  would you rather specify "eth0" 50 times in your script,
and then have to change it 50 times when something hardware-wise
changes?  or just change one thing that says "INET_IF=eth0"

> Then a bunch of modules are loaded....

almost all modules are loaded automatically as needed by the kernel.
you should explicitly load "helper" modules that you expect to need:

        modprobe ip_conntrack_ftp
        modprobe ip_nat_ftp

> Are <if_lan>, <net_lan> and <if_inet> reserved commands or do I need to put
> something in here. I am assuming these are variables and tie in with the
> above - not sure though.

there are no such reserved words/commands with respect to iptables.  it
simply does what you tell it to.

> Note: All the other LAN clients have access to the internet via the Linksys
> router as does the Linux box. The router is my gateway....
> One last thing. Is there a way to block an entire domain i.e. domain.com or
> an entire IP block i.e

domain--no, not really.

IP block--yes:


> Thanks

no prob.  i know it's already been recommended once, but you really
should hit this up and down:



Jason Opperisano <opie at 817west.com>
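Added example, not code from the post above or from the netfilter project: a small script in the style the reply describes, with the interface names in variables at the top, the two FTP helper modules loaded explicitly, and a function that drops an entire IP block. The 203.0.113.0/24 block is a constructed value, and IPTABLES/MODPROBE default to "echo ..." so the script is a dry run until you set them to the real binaries.

```shell
#!/bin/sh
# Added example, not from the original post. The three ideas from the reply:
# interface names kept in variables, the FTP conntrack helpers loaded by hand,
# and a function that drops a whole IP block. IPTABLES/MODPROBE default to
# "echo ..." (dry run); set IPTABLES=iptables MODPROBE=modprobe as root to apply.

INET_IFACE="eth0"   # interface toward the Linksys router / internet
LAN_IFACE="eth1"    # interface toward the LAN (kept for the pattern, unused here)
IPTABLES="${IPTABLES:-echo iptables}"
MODPROBE="${MODPROBE:-echo modprobe}"

# Return 0 if $1 is a well-formed IPv4 CIDR block (a.b.c.d/n), else 1.
valid_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    prefix=${1#*/}
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- ${1%/*}; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Load the FTP helpers the reply says to load explicitly; the rest autoloads.
load_helpers() {
    $MODPROBE ip_conntrack_ftp
    $MODPROBE ip_nat_ftp
}

# Drop everything from a CIDR block arriving on the internet interface,
# logging a rate-limited sample first so the drops are visible in syslog.
block_ip_block() {
    valid_cidr "$1" || { echo "not a CIDR block: $1" >&2; return 1; }
    $IPTABLES -A INPUT -i "$INET_IFACE" -s "$1" \
        -m limit --limit 5/min -j LOG --log-prefix "BLOCKED: "
    $IPTABLES -A INPUT -i "$INET_IFACE" -s "$1" -j DROP
}

load_helpers
block_ip_block 203.0.113.0/24   # constructed example block (RFC 5737 TEST-NET-3)
```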
