RE: Iptables config
Simple and easy does the trick when working with such scripts.
It's the result of an iptables-save:
# Generated by iptables-save v1.2.5 on Mon Apr 8 18:10:23 2002
*filter
#
# DEFAULT POLICIES
#
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
#
# INPUT and OUTPUT chains are only used when packets are going to be treated by your machine (i.e. they do not apply to forwarded packets)
#
#
# The following line makes the conntrack module get loaded.
#
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Only SSH connections from management machines are allowed in; you may want to replace ssh by any service running on your machine,
# and $internal_mgt by the machines you allow to speak to those services
#
-A INPUT -s $internal_mgt -p tcp -m tcp --dport 22 -j ACCEPT
#
# Note: there is nothing against spoofing or so in here... not such a good idea.
#
# Some silent drops (there is plenty of broadcast/multicast traffic which would fill the logs if left to itself...)
#
-A INPUT -d 255.255.255.255 -j DROP
-A INPUT -d $lanbcst -j DROP
-A INPUT -d 224.0.0.0/3 -j DROP
# and let's log the rest
-A INPUT -s 0.0.0.0/0 -d 0.0.0.0/0 -j LOG
# nothing going out except established connections
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
-----Original Message-----
From: Marcin Bednarz [SMTP:mbednarz@student.uci.agh.edu.pl]
Sent: dimanche 14 avril 2002 09:15
To: Lars Roland Kristiansen
Cc:
Subject: Re: Iptables config
Hello.
I wrote:
>
> # change the default policies to DROP
> iptables -t nat -P PREROUTING DROP
> iptables -t nat -P POSTROUTING DROP
>
> # add ssh server (allow incoming)
> iptables -t nat -A PREROUTING -d $yourPublicIP -p tcp --destination-port 22 -j ACCEPT
>
> # add pop3 and imap
> iptables -t nat -A PREROUTING -d $yourPublicIP -p tcp --destination-port 110 -j ACCEPT
> iptables -t nat -A PREROUTING -d $yourPublicIP -p tcp --destination-port 143 -j ACCEPT
>
> iptables -t nat -A PREROUTING -d $yourPublicIP -p udp --destination-port 110 -j ACCEPT
> iptables -t nat -A PREROUTING -d $yourPublicIP -p udp --destination-port 143 -j ACCEPT
>
> iptables -t nat -A POSTROUTING -s $yourPublicIP -j ACCEPT
>
> # do you want to allow pinging your machine? (I don't know if postfix requires it)
> iptables -t nat -A PREROUTING -d $yourPublicIP -p icmp -j ACCEPT
> iptables -t nat -A POSTROUTING -s $yourPublicIP -p icmp -j ACCEPT
and ...
# SMTP
iptables -t nat -A PREROUTING -d $yourPublicIP -p tcp --destination-port 25 -j ACCEPT
Why is it not correct?
Why do you use the filter table, not nat?
I am a beginner, so please help me if I don't understand anything.
Jakub S.
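As an added example (not code from either poster), the script below does two things the thread leaves to the reader: it renders the reply's filter-table rules as an iptables-restore file with concrete values in place of $internal_mgt and $lanbcst (iptables-restore does not expand shell variables, so a restore file containing them literally will fail), and it counts DROP decisions placed in the nat table, which is what the quoted script does and why the reply moves everything to filter. The addresses 192.0.2.10/32, 192.0.2.255 and 203.0.113.5 are constructed placeholders; nothing here invokes iptables.

```shell
#!/bin/sh
# Added example, not from either poster. Two helpers:
#  - render_ruleset: prints the reply's filter-table rules as an
#    iptables-restore file with $internal_mgt / $lanbcst substituted
#    (iptables-restore itself does not expand shell variables);
#  - nat_filter_rule_count: counts DROP/REJECT decisions placed in the
#    nat table, the mistake the quoted script makes.
# No iptables command is run; the output is meant for
# `iptables-restore < file` on the firewall host.

# Constructed sample values (RFC 5737 documentation addresses).
INTERNAL_MGT="${INTERNAL_MGT:-192.0.2.10/32}"   # management host allowed to ssh in
LANBCST="${LANBCST:-192.0.2.255}"               # LAN directed-broadcast address

# Usage: render_ruleset MGT_SRC LAN_BCAST > /etc/iptables.rules
render_ruleset() {
    mgt="$1"
    bcast="$2"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# replies to connections this host already has
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# new SSH connections only from the management machine(s)
-A INPUT -s $mgt -p tcp -m tcp --dport 22 -j ACCEPT
# silent drops for broadcast/multicast noise, then log everything else
-A INPUT -d 255.255.255.255 -j DROP
-A INPUT -d $bcast -j DROP
-A INPUT -d 224.0.0.0/3 -j DROP
-A INPUT -j LOG
# nothing leaves unless it belongs to an established connection
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Usage: nat_filter_rule_count SCRIPT_FILE
# The nat table is consulted only for the first packet of a connection and
# exists to rewrite addresses; DROP/REJECT targets and DROP policies there
# are filtering in the wrong place, so they are counted.
nat_filter_rule_count() {
    grep -E -- '-t[[:space:]]+nat' "$1" |
        grep -E -c -- '-j[[:space:]]+(DROP|REJECT)|-P[[:space:]]+[A-Z]+[[:space:]]+DROP' || true
}

# Constructed sample: the quoted nat-table approach with a placeholder public IP.
SAMPLE_NAT_SCRIPT="$(mktemp)"
trap 'rm -f "$SAMPLE_NAT_SCRIPT"' EXIT
cat > "$SAMPLE_NAT_SCRIPT" <<'EOF'
iptables -t nat -P PREROUTING DROP
iptables -t nat -P POSTROUTING DROP
iptables -t nat -A PREROUTING -d 203.0.113.5 -p tcp --destination-port 22 -j ACCEPT
iptables -t nat -A PREROUTING -d 203.0.113.5 -p tcp --destination-port 25 -j ACCEPT
iptables -t nat -A POSTROUTING -s 203.0.113.5 -j ACCEPT
EOF

render_ruleset "$INTERNAL_MGT" "$LANBCST"
echo "# nat-table filtering decisions in sample script: $(nat_filter_rule_count "$SAMPLE_NAT_SCRIPT")"
```

Two caveats when using the rendered file as-is: the reply's rules accept nothing on the loopback interface, so with both INPUT and OUTPUT policies at DROP a local client cannot open a new connection to a daemon on the same host (the usual additions are `-A INPUT -i lo -j ACCEPT` and `-A OUTPUT -o lo -j ACCEPT`), and an ACCEPT target in the nat table only means "stop address rewriting for this packet", not "let it through", which is why the quoted script's ACCEPT lines grant nothing and its DROP policies belong in filter.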
--
To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org