I'll better explain why you need these options by going through exactly what your script currently does:
Code:
# this line here turns on ip_forwarding, in other words, makes this box a router
echo 1 > /proc/sys/net/ipv4/ip_forward
# this line flushes any rules that may exist. So far so good.
iptables --flush
# this flushes any nat tables that might have been built. Still good.
iptables --table nat --flush
# Now here is a problem: this line deletes user-defined chains that you have not and do not define
iptables --delete-chain
# same as above
iptables --flush --delete-chain
# this turns on natting
iptables --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE
# this adds a rule to forward traffic, but it seems incomplete since it accommodates traffic bound only at eth0. AFAIK, you must accommodate inbound and outbound traffic. In other words, traffic from the LAN to the WAN and vice versa. I think this line only works on your box because your computer is accepting all connections by default.
iptables --append FORWARD --in-interface eth0 -j ACCEPT
Now, so far, you don't have a firewall. Because you have not defined a default DROP policy, this box will accept all packets destined to it, and to be forwarded through it, by default. The only thing that somewhat protects your LAN is that this box is NATting its connection. But this is not really a good defense. So far, all you have here is a router.
The need for the options comes from the fact that the goal is a firewall. Without INPUT, OUTPUT or FORWARD rules you do not have a firewall. Right now this script is making zero decisions on what to do with a packet based upon any sort of criteria. Hence, this is not a firewall. Have I mentioned that already?
I'll admit, what I typed up may not be 100% correct as I did it in about five minutes before I left for work. But the syntax is correct enough to show you how to write a basic firewall rule.
I'm going to put a line in code, then in plain English so you can see how iptables syntax works:
Code:
iptables -A INPUT -i $external_interface -p tcp --destination-port 80 -j ACCEPT
This translates, roughly, to:
Add a rule to any existing rules (append) I may have already created that will accept tcp input destined for port 80 on my computer's external network card, from anywhere on the internet.
-A = append
-i = the interface traffic is flowing into
-p = protocol
-j = what to do with the packet: ACCEPT, DROP, or LOG
$external_interface = a variable to be set for whatever your interface is: eth0, eth1, etc.
You would want such a rule because your computer should be dropping everything not explicitly allowed by default. To do this, you need to set up a default policy as such:
Code:
iptables -P INPUT DROP
I don't want to be rude and shout RTFM, but in this case I think you really need to. Between this and other posts it seems that you want to build a firewall without actually understanding how to build a firewall. This is putting the cart before the horse. I would browse the netfilter website. Read the man pages. Buy a book. Read a HOWTO.
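Below is an added example (not from this thread or either poster) of what the script above looks like once it is turned into an actual firewall along the lines the reply describes: default DROP policies on INPUT and FORWARD, a rule for the return half of every allowed connection, LAN-to-WAN forwarding, masquerading, and the port-80 rule used as the syntax example. It assumes eth0 is the LAN side and eth1 the WAN side (matching the interfaces in the original script), a LAN of 192.168.1.0/24, and that you want SSH reachable from the LAN only; those values and the `fw_rules`/`apply_firewall` function names are the example's own. It uses the `conntrack` match, which is the current spelling of the older `-m state --state`.

```shell
#!/bin/sh
# Added example: a minimal stateful NAT firewall built around default DROP
# policies. Not taken from the thread. Interface names, LAN prefix and the
# allowed ports are assumptions; override them in the environment.
LAN_IF=${LAN_IF:-eth0}
WAN_IF=${WAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}
IPT=${IPT:-iptables}

# fw_rules prints every iptables invocation, one per line, in the order it
# must be applied. Printing instead of running lets you review the rule set
# (or diff it against a previous version) before touching a live box.
fw_rules() {
    cat <<EOF
$IPT -F
$IPT -X
$IPT -t nat -F
$IPT -t nat -X
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
$IPT -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT
$IPT -A INPUT -i $WAN_IF -p tcp --dport 80 -j ACCEPT
$IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
$IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "fw-forward-drop: "
$IPT -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
EOF
}

# apply_firewall loads the rules and only then enables routing, so the box
# never forwards packets while the FORWARD chain is still wide open.
apply_firewall() {
    fw_rules | sh -e
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Dry run by default; FW_APPLY=1 applies the rules (run as root, from the
# console rather than over a remote session in case a rule is wrong).
if [ "${FW_APPLY:-0}" = 1 ]; then
    apply_firewall
else
    fw_rules
fi
```

The one FORWARD rule from the original script only matches packets arriving on eth0; here the ESTABLISHED,RELATED rule is what lets the replies from the WAN back through, which is the "inbound and outbound" half the reply says was missing. Anything not matched falls through to the DROP policy and, for the FORWARD chain, is rate-limited into the kernel log so you can see what you forgot to allow.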