Re: IPTables rule
From: jack (not_at_all.org)
Date: 08/30/03
- Previous message: Au Naturel Productions: "Re: Security, Hacking, Encryption, Programming and Various other links [LONG]"
- In reply to: res0nlrn: "Re: IPTables rule"
Date: Sat, 30 Aug 2003 22:52:21 +0200
res0nlrn wrote:
> Currently I am using shorewall http://www.shorewall.net as my firewall and
> of course I am using IP Masq.
>
> Werner Jansen wrote:
>>> ->DSL->GATEWAY(DebianWoody)->Switch
>>>
>>> I have IPTables rules to filter inbound and outbound traffic. How do I
>>> filter traffic to computers connected to the switch? I want these computers
>>> to have only http access.
>>
>> Assuming, you have the connection tracking module loaded:
>>
>> -A FORWARD -i $ETHINT -o $ETHEXT -p tcp --syn -m state --state NEW
>> --dport 80 -j ACCEPT
>>
>> Then you need a line like this:
>> -A FORWARD -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
>> This allows all packets to established connections allowed earlier
>> with -m state --state NEW and is more secure than allowing incoming
>> packets with source port 80.
>>
>> PS: Did you think about masquerading your internal ip addresses?
Ok, I don't know exactly what shorewall does, but in principle, using
masquerading in combination with what Werner wrote is what You need:
new outgoing packets with a destination port of 80, or other http
ports (some servers use :8080 and the like, and for encrypted sites
there are other ports), should be allowed out. But, and that is why You
should use masquerading, if You simply forward them into the wild those
packets will have their internal IP in the sender field, which I may
assume is a private one. Packets with a private IP in the destination
field, though, will not be routed through the internet. So You need to
give the http server a valid return address where it can send its reply
to. Hence, You need to masquerade those packets. Consequently, You need
to allow those packets to be forwarded back to the local net.
Even if You say that You want to only allow http traffic through Your
gateway/firewall, bear in mind that Your clients will probably need DNS,
too (outbound udp and tcp with dport 53), unless You run Your own
nameserver somewhere inside.
If You use shorewall already, the best way to go would be to withdraw
all its rules one by one, and check whether or not that rule was an
essential one for Your setup to work [let's replace "best way"
by "safest strategy", because it may be a bit time-consuming in the
end...].
Cheers, Jack.
-- 
----------------------------------------------------------------------
My personal reading of the string "MicroSoft" expands to "NanoWeak"...
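The advice in the thread (Werner's NEW-only forward rule, the RELATED,ESTABLISHED return rule, masquerading, and Jack's reminder about DNS) put together as one loadable iptables-restore ruleset. This is an added example, not a script posted by Jack, Werner or the shorewall project; the interface names eth1/ppp0, the LAN prefix 192.168.1.0/24, the choice of 443 for "encrypted sites" and the logging of dropped forwards are assumptions made here. The ruleset is generated by a function rather than applied directly, so it can be inspected or counted before it touches a live gateway.

```shell
#!/bin/sh
# Added example (not from the thread): build an iptables-restore ruleset for the
# DSL -> gateway -> switch layout, following Werner's and Jack's advice:
#   * new outbound HTTP/HTTPS and DNS from the LAN may be forwarded,
#   * replies come back only via the connection tracker (RELATED,ESTABLISHED),
#     never by trusting a source port of 80,
#   * LAN sources are masqueraded so the web server has a routable return address.
# Assumed names (change to taste): internal NIC eth1, external NIC ppp0, LAN 192.168.1.0/24.
set -eu

# http_only_ruleset INT_IF EXT_IF LAN_PREFIX  -> prints iptables-restore text on stdout
http_only_ruleset() {
    int="$1"; ext="$2"; lan="$3"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Werner's rule: only *new* connections, only from the LAN, only to port 80
-A FORWARD -i $int -o $ext -s $lan -p tcp --syn --dport 80 -m state --state NEW -j ACCEPT
# assumption: "encrypted sites" means HTTPS on 443
-A FORWARD -i $int -o $ext -s $lan -p tcp --syn --dport 443 -m state --state NEW -j ACCEPT
# Jack's point: clients also need DNS (udp and tcp 53) unless there is an internal resolver
-A FORWARD -i $int -o $ext -s $lan -p udp --dport 53 -m state --state NEW -j ACCEPT
-A FORWARD -i $int -o $ext -s $lan -p tcp --syn --dport 53 -m state --state NEW -j ACCEPT
# replies to the connections accepted above, in either direction; no source-port trust
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# everything else falls through to the DROP policy; log it (rate limited) so a
# rule that turns out to be essential (Jack's strip-and-test strategy) shows up
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# masquerade LAN sources leaving the external interface (dynamic DSL address)
-A POSTROUTING -s $lan -o $ext -j MASQUERADE
COMMIT
EOF
}

# count_rules RULESET CHAIN -> number of "-A CHAIN" rules (sanity check before loading)
count_rules() {
    printf '%s\n' "$1" | grep -c "^-A $2 " || true
}

# has_rule RULESET FIXED_STRING -> success if some line of the ruleset contains it
has_rule() {
    printf '%s\n' "$1" | grep -qF -- "$2"
}

# Usage: sh gateway-rules.sh print eth1 ppp0 192.168.1.0/24 | iptables-restore
#        then: echo 1 > /proc/sys/net/ipv4/ip_forward ; iptables-save  (to confirm)
if [ "${1:-}" = "print" ]; then
    http_only_ruleset "${2:-eth1}" "${3:-ppp0}" "${4:-192.168.1.0/24}"
fi
```

Order matters inside FORWARD: the RELATED,ESTABLISHED rule must come after the NEW rules but before the LOG line, otherwise every reply packet is logged and dropped. Because the chain policy is DROP, removing a rule (Jack's one-by-one test) fails closed and the "FWD-DROP:" log line tells you which client and port just lost connectivity.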