iptables newbie.

bscott at ntisys.com bscott at ntisys.com
Sun Jun 8 18:26:34 EDT 2003


On Sun, 8 Jun 2003, at 12:24pm, ken at flyingtoasters.net wrote:
> I've got a couple of NICs, both physical and virtual.

  What is a "virtual" interface?  Do you mean an 802.1Q VLAN interface?
Do you mean an interface "alias" (a broadcast interface with multiple IP
addresses)?  Or do you mean your "ppp0" interface?

> Basically, I'd like to restrict eth0 (my cable modem) to only allow 80,
> 25, and 22 in-bound, and everything else (lo, eth1, ppp0), I'd like wide
> open.

  Firewalling and network security is a complex topic.  The commands below
do exactly what you ask for (plus NAT, which you implied you wanted).  
Whether or not they are a good idea is not so easily answered.

	# allow by default, per your requirements
	iptables -P INPUT   ACCEPT
	iptables -P OUTPUT  ACCEPT
	iptables -P FORWARD ACCEPT
	
	# clear all rules and user defined chains
	iptables -F
	iptables -X
	iptables -t nat -F
	iptables -t nat -X
	
	# always allow 80, 25, and 22 inbound
	iptables -A INPUT -p TCP --dport 80 -j ACCEPT
	iptables -A INPUT -p TCP --dport 25 -j ACCEPT
	iptables -A INPUT -p TCP --dport 22 -j ACCEPT
	
	# reject "new" incoming connections on eth0
	# anything "established" or "related" will be allowed in
	# anything will be allowed out
	iptables -A INPUT -i eth0 -m state --state NEW -j REJECT
	
	# NAT packets going out eth0
	iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

> Should NAT (which I have implemented) cause me any grief?

  It can.  Whether it will or not depends on what you're trying to do.

-- 
Ben Scott <bscott at ntisys.com>
| The opinions expressed in this message are those of the author and do  |
| not represent the views or policy of any other person or organization. |
| All information is provided without warranty of any kind.              |
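An added illustration, not part of Ben's message: a small Python model of iptables' first-match evaluation for the INPUT chain above. It shows which packets the posted rules accept or reject (the three ports from any interface, anything on eth1/ppp0/lo, established traffic on eth0) and why the order of the ACCEPT and REJECT lines matters. `Rule`, `verdict` and `pkt` are names chosen here; the packets are constructed samples.

```python
"""Minimal first-match evaluator for the INPUT chain posted above."""
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    target: str                     # ACCEPT / REJECT
    in_iface: Optional[str] = None  # -i
    proto: Optional[str] = None     # -p
    dport: Optional[int] = None     # --dport
    state: Optional[str] = None     # -m state --state

    def matches(self, pkt: dict) -> bool:
        # A criterion that is not given on the rule matches everything.
        return ((self.in_iface is None or pkt["iface"] == self.in_iface)
                and (self.proto is None or pkt["proto"] == self.proto)
                and (self.dport is None or pkt.get("dport") == self.dport)
                and (self.state is None or pkt["state"] == self.state))

# The INPUT chain exactly as the posted commands append it (policy ACCEPT).
INPUT_POLICY = "ACCEPT"
INPUT_CHAIN = [
    Rule("ACCEPT", proto="tcp", dport=80),
    Rule("ACCEPT", proto="tcp", dport=25),
    Rule("ACCEPT", proto="tcp", dport=22),
    Rule("REJECT", in_iface="eth0", state="NEW"),
]

# Same rules with the REJECT appended first: the ports would never open on eth0.
REORDERED_CHAIN = [INPUT_CHAIN[3]] + INPUT_CHAIN[:3]

def verdict(pkt: dict, chain=INPUT_CHAIN, policy=INPUT_POLICY) -> str:
    """Walk the chain top to bottom; first match wins, else the chain policy."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy

def pkt(iface: str, proto: str, dport: Optional[int] = None,
        state: str = "NEW") -> dict:
    """Constructed sample packet as conntrack would classify it."""
    return {"iface": iface, "proto": proto, "dport": dport, "state": state}

if __name__ == "__main__":
    for p in (pkt("eth0", "tcp", 80), pkt("eth0", "tcp", 443),
              pkt("eth1", "tcp", 443), pkt("eth0", "tcp", 5555, "ESTABLISHED"),
              pkt("eth0", "udp", 53), pkt("ppp0", "udp", 53)):
        print(p, "->", verdict(p))
```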