opening up an ipchain
Alex Feldman
alex at alexandrite.boisestate.edu
Tue Nov 14 21:55:02 CET 2006
Hi,
I will start out by admitting I know very little about iptables. I have
read several tutorials and tried to find the answer to this on the web
in the list archive and elsewhere, but I could not. So this question
may be frighteningly easy or ill-posed, and I would appreciate help
regarding where to look for an answer as well as the answer itself. And
I know nothing about ipchains.
I have a computer running FC5 that I mostly want closed off to the
world. The two things I want to come in are email and http requests, as
I run a web server there. I left iptables on in sysconfig, but it
appears to do very little if anything, so I added my own chains that I
run out of rc.local. Here is the guts of what I do:
*****************************************************************
iptables --policy INPUT DROP
iptables --policy OUTPUT ACCEPT
iptables --policy FORWARD DROP
iptables -t nat --policy POSTROUTING ACCEPT
iptables -t nat --policy PREROUTING ACCEPT
#---------------------------------------------------------------
# The loopback interface should accept all traffic
# Necessary for X-Windows and other socket based services
#---------------------------------------------------------------
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
#---------------------------------------------------------------
iptables -A INPUT -p tcp -i eth0 --dport 25 --sport 1024:65535 -m state --state NEW -j ACCEPT
iptables -A INPUT -p udp -i eth0 --sport 53 --dport 1024:65535 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --sport 53 --dport 1024:65535 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 80 --sport 1024:65535 -m state --state NEW -j ACCEPT
#---------------------------------------------------------------
# Allow previously established connections
#---------------------------------------------------------------
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED -i eth0 -p tcp
*********************************************************************
Some of this I copied off the web, and I do not understand why I need
all of it, e.g., all the 1024:65535 port identifiers. But it works, or
seems to, and I am happy with it.
However, I would like to open up the computer further, maybe not all the
way but for the moment that would be OK, to my own laptop via its mac
address - I figure that would be pretty safe, but if not, I'd like to
hear why not. So I added the line:
iptables -A INPUT -m mac --mac-source XX:XX:XX:XX:XX:XX -j ACCEPT
and some variations on it, like with "-p all" in there, at various
places in the file, but none of them worked (and they all had my real
mac address in there, I just took it out before I displayed this to the
world).
Is the problem that I have it in the wrong place in the chain, or
something else? I really don't understand the difference between -A and
-I, especially since the basic file seems to work even though the first
thing I do is drop all input, and then allow some back later.
I'd appreciate any help I can get here. Thanks very much.
--
--alex alex at math.boisestate.edu
Alex Feldman <http://math.boisestate.edu/~alex/>
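Added example (not from the original post or from the netfilter project): a small Python model of how an iptables chain is walked, showing that -A (append) and -I (insert at the head) only give different results when an earlier rule already matches the packet, and that the chain policy is a fallback rather than a rule. The laptop and stranger MAC addresses, the port-22 packet, and the reduced copy of the poster's chain are constructed assumptions.

```python
# Toy model of iptables chain evaluation (added example, not iptables itself).
# First matching rule wins; the policy applies only when no rule matched.
from dataclasses import dataclass, field

@dataclass
class Rule:
    target: str                                   # ACCEPT or DROP
    match: dict = field(default_factory=dict)     # packet fields that must be equal
    def matches(self, pkt):
        return all(pkt.get(k) == v for k, v in self.match.items())

@dataclass
class Chain:
    policy: str
    rules: list = field(default_factory=list)
    def append(self, rule):             # iptables -A: rule goes to the end
        self.rules.append(rule)
    def insert(self, rule, pos=1):      # iptables -I: 1-based position, head by default
        self.rules.insert(pos - 1, rule)
    def verdict(self, pkt):
        for r in self.rules:            # walk top to bottom, first match wins
            if r.matches(pkt):
                return r.target
        return self.policy              # policy is the fallback, not a rule in the list

def build_input_chain(explicit_drop_at_end=False):
    """The poster's INPUT chain, reduced to the rules relevant to the question (assumed)."""
    c = Chain(policy="DROP")
    c.append(Rule("ACCEPT", {"iface": "lo"}))
    c.append(Rule("ACCEPT", {"iface": "eth0", "proto": "tcp", "dport": 25, "state": "NEW"}))
    c.append(Rule("ACCEPT", {"iface": "eth0", "proto": "tcp", "dport": 80, "state": "NEW"}))
    c.append(Rule("ACCEPT", {"iface": "eth0", "proto": "tcp", "state": "ESTABLISHED"}))
    if explicit_drop_at_end:
        c.append(Rule("DROP"))          # empty match is a catch-all; shadows anything -A'd after it
    return c

# Constructed packets: a new SSH connection from the laptop and from an unknown host.
# Note: -m mac sees the MAC of the last hop, so across a router it is the router's MAC.
LAPTOP = {"iface": "eth0", "proto": "tcp", "dport": 22, "state": "NEW", "mac": "AA:BB:CC:DD:EE:FF"}
STRANGER = dict(LAPTOP, mac="11:22:33:44:55:66")

def mac_rule_appended(explicit_drop_at_end=False):    # like: iptables -A INPUT -m mac --mac-source ...
    c = build_input_chain(explicit_drop_at_end)
    c.append(Rule("ACCEPT", {"mac": LAPTOP["mac"]}))
    return c.verdict(LAPTOP), c.verdict(STRANGER)

def mac_rule_inserted(explicit_drop_at_end=False):    # like: iptables -I INPUT -m mac --mac-source ...
    c = build_input_chain(explicit_drop_at_end)
    c.insert(Rule("ACCEPT", {"mac": LAPTOP["mac"]}))
    return c.verdict(LAPTOP), c.verdict(STRANGER)
```

With the poster's chain as written, the appended MAC rule is still reached because nothing before it matches and DROP is only the policy; it is shadowed only if an explicit catch-all DROP rule sits above it, which is the case where -I matters.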