Diff: PerrysFirewallingScript

Differences between version 18 and predecessor to the previous major change of PerrysFirewallingScript.


Newer page: version 18, last edited on Friday, February 25, 2005 4:00:41 pm by AlastairPorter
Older page: version 13, last edited on Tuesday, June 10, 2003 12:29:10 am by PerryLorier
@@ -1,5 +1,5 @@
- cvs -d :pserver:anonymous@cvs.wand .sf.net:/cvsroot/wand checkout iptables 
+ cvs -d :pserver:anonymous@cvs.sf.net:/cvsroot/wand checkout iptables 
  
 Or get the Debian packages from CraigBox (when Hoiho's repository is up, you'll know) 
  
 The firewall logs, and by default, syslog will put this on the screen. You can turn that off using dmesg(8). Specifically, you want to type dmesg -n 1. Or edit /etc/syslog.conf to put all the logging on another console. Firewalls shouldn't have monitors anyway. :) 
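Review bot: the corrected checkout line `+ cvs -d :pserver:anonymous@cvs.sf.net:/cvsroot/wand checkout iptables` still fetches a script that will run as root over anonymous pserver, which is neither authenticated nor integrity-protected, so the page should say how to check what was pulled down (for example by comparing it with the Debian package from CraigBox mentioned two lines later) before it is installed. Separately, the unchanged context line recommending `dmesg -n 1` silences every kernel console message below emergency level, not just the firewall's log lines; the /etc/syslog.conf route mentioned in the same sentence is the better of the two options because other kernel warnings stay visible, and the text should say so rather than presenting them as equivalent.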
@@ -15,12 +15,17 @@
 !!The interfaces.d directory 
 This has one file per interface, the file is named after the interface with ".if" appended to it, for instance "eth0.if". Each file specifies the rules for that interface. ${if} is an environmental variable which holds the current interface name. Several chains exist for each interface: 
 ;${if}-in: Used by all packets entering by this interface for this host only. 
 ;${if}-out: Used by all packets leaving by this interface for this host only. 
-;${if}-forward-in: Used by packets that are forwarded from this interface to another host on another interface .  
-;${if}-forward-out: Used by packets that are forwarded to this interface to another host on another interface.  
+;${if}-forward-in: Used by packets coming IN this interface that aren't destined for this host itself .  
+;${if}-forward-out: Used by packets going OUT an interface that aren't originated by this host itself  
 ;${if}-postrouting-out: Used by packets that are leaving this interface after routing has taken place. 
 ;${if}-prerouting-in: Used by packets that have entered this interface before routing has taken place. 
+  
+eg  
+* Dropping port 80 on forward-in on ppp0 will disallow people on the internet to connect to port 80 internally  
+* Dropping port 80 on forward-out on ppp0 will disallow people internally from connecting out to the internet on port 80  
+  
 You could use "${IPTABLES} --append ${if}-in ..." to add the rules for this interface, but because this is so common there is a function to do it for you called apply_policy. you use it like: 
  apply_policy in .... 
 or 
  apply_policy out .... 
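Review bot: the two new examples under `eg` do not say whether "port 80" is the source or the destination port, and on ppp0 the difference matters: by the new definition, `${if}-forward-in` sees both inbound connection attempts to an internal web server (destination port 80) and the replies to internal clients' outbound web connections (source port 80), so a blanket drop of port 80 on forward-in would also break internal browsing unless established traffic is accepted earlier in the chain. Suggest "Dropping destination port 80 on forward-in on ppp0 ..." and "Dropping destination port 80 on forward-out on ppp0 ..." so the example matches the ${if}-forward-in / ${if}-forward-out descriptions above it. Minor: the new `${if}-forward-in` line keeps a stray space before its full stop, and the new `${if}-forward-out` line has no full stop at all.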
@@ -96,8 +101,9 @@
 ;__A__:You don't have a catch all rule for something in one of your class files. Look at the syslog messages carefully and see what interface they are dealing with and which rule you are missing. 
  
 !!Wishlist features 
 These are all wishlist features which may or may not get implemented :) 
-;renaming interfaces based on their category: eg : "External0" "External1" "Internal1" "Internal2", thusly when an interface comes up it is named by it's purpose. Useful for those machines that have 10+ interfaces and you can never remember which is which, also important when you have multiple ppp0, or VPN interfaces that may come up in any order (do you set the permissive rule on ppp0 or ppp1?) -- Superseeded by a program whose name I forget which has a file of MAC->interfacenames and when run renames interfaces as required. Rather nifty.  
-;some saner defaults:A simple default so if you run the script straight out of CVS it probably does what you want. Go get the deb if you need this.  
-;use iptables-save and restore to speed shutdown/startup of script?:  
-;transparent support of ipv6:Needs investigating 
+; Renaming interfaces based on their category : "External0" "External1" "Internal1" "Internal2" etc - thusly when an interface comes up it is named by it's purpose. Useful for those machines that have 10+ interfaces and you can never remember which is which, also important when you have multiple ppp0, or VPN interfaces that may come up in any order (do you set the permissive rule on ppp0 or ppp1?) %%% 1. Superceded by a program whose name I forget which has a file of MAC->interfacenames and when run renames interfaces as required. Rather nifty. %%% 2. With ppp interfaces, bring them up with 'unit N' in the command line, and they will take on that number. Solves the problem nicely. You might need pppd 2.4.2 .  
+;Some saner defaults : A simple default so if you run the script straight out of CVS it probably does what you want. Go get the deb if you need this.  
+;Use iptables-save and restore to speed shutdown/startup of script? : Not really worth the effort...  
+;Transparent support of ipv6 : Needs investigating  
+;Automatically load ip_nat_* modules :
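Review bot: the `;Transparent support of ipv6 : Needs investigating` entry should spell out the consequence of the gap rather than leave it as a wishlist nicety: every chain on this page is built with `${IPTABLES}`, so IPv6 traffic arriving on or forwarded through the same interfaces is not filtered by this script at all, and a host with IPv6 enabled needs either ip6tables rules or IPv6 disabled until this is done. The new last entry `;Automatically load ip_nat_* modules :` has an empty description and reads as an unfinished edit; either describe it or drop it. Minor: "Superceded" should be "Superseded" and "it's purpose" should be "its purpose".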