firewalling...

Ian Molton imolton at clara.net
Sun Oct 7 16:15:26 PDT 2001


On stardate Sun, 7 Oct 2001 23:43:28 +0200
Daniel began the full scale invasion of earth with the following words:

> 
> Ian Molton <imolton at clara.net> wrote:
> 
> >>    --->PRE------>[ROUTE]--->FWD---[ROUTE]----->POST------>
> >>        mangle       |      filter    ^         nat
> >>        nat          |                |
> >>                     |                |
> >>                     v                |
> >>                     IN filter       OUT mangle
> >>                     |                ^  nat
> >>                     |                |  filter
> >>                     v                |
> >> 
> >> 

Ok, so if I have this right (which I obviously haven't), then this should
work:

# Assumed: the post does not show where $IPTABLES is set; path to the binary
IPTABLES=${IPTABLES:-/sbin/iptables}

$IPTABLES -t filter -P INPUT DROP
$IPTABLES -t filter -P FORWARD DROP
$IPTABLES -t filter -P OUTPUT ACCEPT

# FTP connection-tracking helper, so data connections count as RELATED
/sbin/modprobe ip_conntrack_ftp

$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -m state --state INVALID -j DROP

$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT


but it doesn't - the firewalled box cannot do anything.

If I change the forward chain's policy to accept, I can do passive FTP from
the firewalled box, but not active mode.

Any ideas?
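Added example, not code from the thread: the same stateful ruleset with the rules it is missing, as a defender would write it. Interface names, the LAN subnet and the MASQUERADE rule are assumptions; the script prints the rules by default and only applies them when IPTABLES is pointed at the real binary.

```shell
#!/bin/sh
# Added example (not from the original post). Interfaces, subnet and NAT are assumed.
LAN_IF=${LAN_IF:-eth1}              # assumed: interface facing the firewalled box
WAN_IF=${WAN_IF:-eth0}              # assumed: interface facing the Internet
LAN_NET=${LAN_NET:-192.168.1.0/24}  # assumed: the LAN behind the firewall
# Dry run by default (prints the rules); run as root with IPTABLES=/sbin/iptables to apply.
IPTABLES=${IPTABLES:-echo /sbin/iptables}
MODPROBE=${MODPROBE:-echo /sbin/modprobe}

load_ftp_helpers() {
    # ip_conntrack_ftp makes the FTP data connection RELATED; when the LAN is
    # NATed in POSTROUTING, the 2.4 kernel also needs ip_nat_ftp to rewrite the
    # address in the PORT command, otherwise active mode fails while passive works.
    $MODPROBE ip_conntrack_ftp
    $MODPROBE ip_nat_ftp
}

firewall_rules() {
    $IPTABLES -t filter -P INPUT DROP
    $IPTABLES -t filter -P FORWARD DROP
    $IPTABLES -t filter -P OUTPUT ACCEPT

    # Local processes (resolver, X, etc.) talk over loopback; a DROP policy blocks that.
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT -m state --state INVALID -j DROP

    $IPTABLES -A FORWARD -m state --state INVALID -j DROP
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The rule the posted set lacks: a connection never becomes ESTABLISHED or
    # RELATED unless its first (NEW) packet is allowed through FORWARD. Scoping
    # the rule to the LAN side keeps the WAN side closed, unlike a blanket
    # ACCEPT policy on the whole chain.
    $IPTABLES -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
        -m state --state NEW -j ACCEPT

    # NAT for the LAN in the diagram's POSTROUTING nat step (assumed).
    $IPTABLES -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

load_ftp_helpers
firewall_rules
```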