Firewalling (sorry, I didn't see this show up so I'm posting again)

Ian Molton imolton at clara.net
Sun Oct 7 16:54:37 PDT 2001


On stardate Sun, 7 Oct 2001 23:43:28 +0200
 Daniel began the full scale invasion of earth with the following words:

 > 
 > Ian Molton <imolton at clara.net> wrote:
 > 
 > >>    --->PRE------>[ROUTE]--->FWD---[ROUTE]----->POST------>
 > >>        mangle       |      filter    ^         nat
 > >>        nat          |                |
 > >>                     |                |
 > >>                     v                |
 > >>                     IN filter       OUT mangle
 > >>                     |                ^  nat
 > >>                     |                |  filter
 > >>                     v                |
 > >> 
 > >> 

 Ok, so if I have this right (which I obviously haven't), then this should
 work:

 IPTABLES=/sbin/iptables    # path to the iptables binary (assumed; not defined in the original)

 # default policies: drop anything not explicitly accepted on INPUT and FORWARD
 $IPTABLES -t filter -P INPUT DROP
 $IPTABLES -t filter -P FORWARD DROP
 $IPTABLES -t filter -P OUTPUT ACCEPT

 # connection-tracking helper so FTP data connections are classified RELATED
 /sbin/modprobe ip_conntrack_ftp

 # INPUT: accept replies to the box's own connections, drop invalid packets
 $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 $IPTABLES -A INPUT -m state --state INVALID -j DROP

 # FORWARD: accept only packets that belong to an already-tracked connection
 $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT


 but it doesn't: the firewalled box cannot do anything.

 If I change the forward chain's policy to ACCEPT, I can do passive FTP from
 the firewalled box, but not active mode.

 any ideas?
-- 
Unsubscribe: send email to listar at linuxfromscratch.org
and put 'unsubscribe blfs-support' in the subject header of the message
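As an added example (not from Ian's post or from any reply on the list), here is a complete ruleset in the style of the script above. It assumes things the post does not state: the firewall is a router with an external interface eth0, an internal interface eth1, a LAN of 192.168.1.0/24, and masquerading of that LAN. All of those names and addresses are assumptions. Setting IPTABLES=echo in the environment prints the rules instead of loading them, which is how the ruleset can be reviewed on a machine without root. What the example shows is the traversal from the quoted diagram: the first packet of a LAN host's connection arrives in FORWARD in state NEW, so a FORWARD chain that accepts only ESTABLISHED,RELATED lets it fall through to the DROP policy; and when the LAN is masqueraded, ip_nat_ftp is needed alongside ip_conntrack_ftp so that the address inside the FTP PORT command is rewritten and the server's active-mode data connection is recognised as RELATED.

```shell
#!/bin/sh
# Added example, not the original poster's script. Assumed (not from the post):
# external interface eth0, internal interface eth1, LAN 192.168.1.0/24, LAN is
# masqueraded. Run as "firewall.sh apply" to load; set IPTABLES=echo to dry-run.

IPTABLES="${IPTABLES:-/sbin/iptables}"
EXT_IF="${EXT_IF:-eth0}"
INT_IF="${INT_IF:-eth1}"
LAN="${LAN:-192.168.1.0/24}"

load_helpers() {
    # ip_conntrack_ftp follows the FTP control channel so the data connection
    # (including an active-mode connection opened by the server) is RELATED.
    # ip_nat_ftp additionally rewrites the address inside PORT/PASV commands
    # when the LAN is masqueraded; without it active mode breaks behind NAT.
    /sbin/modprobe ip_conntrack_ftp
    /sbin/modprobe ip_nat_ftp
}

build_rules() {
    # Default-deny on INPUT and FORWARD, as in the posted script.
    $IPTABLES -t filter -P INPUT DROP
    $IPTABLES -t filter -P FORWARD DROP
    $IPTABLES -t filter -P OUTPUT ACCEPT

    # Flush old rules so re-running the script does not duplicate them.
    $IPTABLES -t filter -F
    $IPTABLES -t nat -F

    # INPUT: loopback, replies to the router's own connections, and new
    # connections only from the LAN side. INVALID packets are dropped early.
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT -m state --state INVALID -j DROP
    $IPTABLES -A INPUT -i "$INT_IF" -s "$LAN" -m state --state NEW -j ACCEPT

    # FORWARD: the posted script accepted only ESTABLISHED,RELATED here, so a
    # LAN host's first packet (state NEW) reached the DROP policy. Accept NEW
    # connections leaving the LAN towards the outside; the replies then match
    # ESTABLISHED and an active-FTP data connection from the server matches
    # RELATED. Nothing NEW is accepted from the external side.
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -m state --state INVALID -j DROP
    $IPTABLES -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LAN" -m state --state NEW -j ACCEPT

    # nat/POSTROUTING: masquerade LAN traffic leaving on the external interface.
    $IPTABLES -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN" -j MASQUERADE
}

# Only load helpers and rules when explicitly asked, so the functions can be
# sourced or dry-run without touching the running kernel.
if [ "${1:-}" = "apply" ]; then
    load_helpers
    build_rules
fi
```

A dry run is `IPTABLES=echo sh firewall.sh apply` (modprobe will still be attempted, so run that part as root or comment it out); the printed rules can be diffed against `iptables-save` output after a real load.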
