Iptables

Jason Opperisano opie at 817west.com
Tue Sep 28 16:04:00 CEST 2004


On Tue, 2004-09-28 at 04:19, Contact wrote:
> This helps a bit, but still way out of my league - there is a lot of stuff
> to remember. In the many sites, including the one you list below, they talk
> of various configurations before ever getting to the rules - is this
> necessary?
> 
> i.e.
> 
> INET_IP="194.236.50.155"
> INET_IFACE="eth0"
> INET_BROADCAST="194.236.50.255"
> 
> LAN_IP="192.168.0.2"
> LAN_IP_RANGE="192.168.0.0/16"
> LAN_IFACE="eth1"

necessary, no.  but it is a standard scripting practice that makes your
life easier.  would you rather specify "eth0" 50 times in your script,
and then have to change it 50 times when something hardware-wise
changes?  or just change one thing that says "INET_IF=eth0"

> Then a bunch of modules are loaded....

almost all modules are loaded automatically as needed by the kernel. 
you should explicitly load "helper" modules that you expect to need;
i.e., 

        modprobe ip_conntrack_ftp
        modprobe ip_nat_ftp

> Are <if_lan>, <net_lan> and <if_inet> reserved commands or do I need to put
> something in here. I am assuming these are variables and tie in with the
> above - not sure though.

there are no such reserved words/commands with respect to iptables.  it
simply does what you tell it to.

> Note: All the other LAN clients have access to the internet via the Linksys
> router as does the Linux box. The router is my gateway....
> 
> One last thing. Is there a way to block an entire domain i.e. domain.com or
> an entire IP block i.e 24.168.1.0/24.

domain--no, not really.

IP block--yes:

        -s 24.168.1.0/24
        -d 24.168.1.0/24

> Thanks

no prob.  i know it's already been recommended once, but you really
should hit this up and down:

  http://iptables-tutorial.frozentux.net/iptables-tutorial.html

-j

-- 
Jason Opperisano <opie at 817west.com>
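As an added example (not code from the thread or its author), here is a small iptables script in the style the reply recommends: interfaces and addresses live in variables, the FTP helper modules are loaded explicitly, and the /24 from the question is dropped with -s/-d in both directions. Interface names, the LAN range and the blocked block are placeholders taken from the quoted message; DRY_RUN=1 is an assumption of this script, not an iptables feature.

```shell
#!/bin/sh
# Added example: minimal iptables script with variables, explicit helper
# modules, and a dropped address block. All addresses are placeholders.
INET_IFACE="eth0"             # interface toward the router / internet
LAN_IFACE="eth1"
LAN_IP_RANGE="192.168.0.0/16"
BLOCKED_NET="24.168.1.0/24"   # the example block from the question

# DRY_RUN=1 (assumed convention) prints each command instead of running it,
# so the ruleset can be reviewed on a box without root or netfilter.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

load_helpers() {
    # Most modules autoload; conntrack/NAT helpers must be loaded by hand.
    run modprobe ip_conntrack_ftp
    run modprobe ip_nat_ftp
}

block_net() {
    # Drop traffic to and from one address block, inbound, outbound, forwarded.
    net="$1"
    run iptables -A INPUT   -i "$INET_IFACE" -s "$net" -j DROP
    run iptables -A OUTPUT  -o "$INET_IFACE" -d "$net" -j DROP
    run iptables -A FORWARD -s "$net" -j DROP
    run iptables -A FORWARD -d "$net" -j DROP
}

allow_rules() {
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -i "$LAN_IFACE" -s "$LAN_IP_RANGE" -j ACCEPT
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$LAN_IFACE" -o "$INET_IFACE" \
        -s "$LAN_IP_RANGE" -j ACCEPT
}

main() {
    load_helpers
    run iptables -F
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT
    block_net "$BLOCKED_NET"   # block rules first: rules match in order
    allow_rules
}

case "${1:-}" in
    apply) main ;;
    show)  DRY_RUN=1; main ;;
    *)     echo "usage: $0 apply|show" >&2 ;;
esac
```

Run `sh firewall.sh show` to review the generated commands, and `sh firewall.sh apply` as root to load them.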
