public inbox for gentoo-user@lists.gentoo.org
From: Iain Buchanan <iaindb@netspace.net.au>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Help with script for iptables
Date: Thu, 16 Nov 2006 09:56:41 +0930	[thread overview]
Message-ID: <1163636801.16385.109.camel@orpheus> (raw)
In-Reply-To: <200611152029.35737.michaelkintzios@gmail.com>

On Wed, 2006-11-15 at 20:29 +0000, Mick wrote:
> Hi All,
> 
> I have been using Daniel Robbins' basic script for years but now on a laptop I 
> have more than one way of connecting to the Internet.  The script uses the 
> variable UPLINK to define the incoming interface like so:
> ==============================================
> #change this to the name of the interface that provides your "uplink"
> #(connection to the Internet)

you could try modifying the script slightly:

> UPLINK="eth0"

make that
UPLINK="eth0 ppp0" # space separated

then I was going to say use a
for i in x; do ...; done
loop, but I realised that won't work exactly, because of the line
>        iptables -A INPUT -i ! ${UPLINK} -j ACCEPT
then something strange would happen.

What you're really saying is "for every interface not specified, accept
incoming packets".  This gets a bit tricky, cause you either have to
parse the output of ifconfig (ugly) or specify the interfaces that are
NOT "uplinks" (prone to user error).

You could say:

UPLINK="eth0 wlan0 ppp0"

if [ "$1" = "start" ]
then
        echo "Starting firewall..."
        iptables -P INPUT DROP
        # IFACE rather than IFS: assigning to IFS changes the shell's word splitting
        for IFACE in `ifconfig | grep "Link encap:" | awk '{print $1}'`; do
                for UPIFS in ${UPLINK}; do
                        # if IFACE isn't in UPIFS, then accept all traffic on IFACE
                        if ...

forget that! too ugly.  What are you really trying to do?  Make all your
interfaces the "uplink", i.e. firewalled?

In that case, just say this:

> UPLINK="who cares?"
> 
> if [ "$1" = "start" ]
> then
>         echo "Starting firewall..."
>         iptables -P INPUT DROP
>         iptables -A INPUT -i lo -j ACCEPT
>         iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

done! Now everything is firewalled, and only lo is trusted.

However, I haven't seen the rest of this script, so I don't know if that
will break things.  Maybe you want to post back with some more info if
that doesn't suit your needs...

cya!
-- 
Iain Buchanan <iaindb at netspace dot net dot au>

	"How many people work here?"
	"Oh, about half."

-- 
gentoo-user@gentoo.org mailing list
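The default-deny rule set the reply settles on, written as an added example that is not from the thread: it replaces the single-interface `-i ! ${UPLINK}` rule (which cannot take a space-separated list) with an optional list of explicitly trusted interfaces, and it assumes a dry-run via `IPT=echo` so the generated rules can be reviewed before being applied.

```shell
#!/bin/sh
# Added example (not from the thread). Builds the INPUT policy the reply
# describes: every interface is treated as an uplink unless it is named as
# trusted, so no UPLINK list is needed at all.
# IPT defaults to "echo" so the rules are printed for review; run with
# IPT=iptables as root to apply them for real.
IPT="${IPT:-echo}"

# Usage: fw_rules [trusted-interface ...]
# Anything not listed (eth0, ppp0, wlan0, ...) only gets replies to our own
# outbound connections back in; everything else hits the DROP policy.
fw_rules() {
    $IPT -P INPUT DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # One positive ACCEPT per trusted interface instead of a negated uplink.
    for trusted in "$@"; do
        case "$trusted" in
            lo) ;;   # already accepted above
            *[!A-Za-z0-9_.:-]*)
                echo "fw_rules: bad interface name: $trusted" >&2
                return 1 ;;
            *) $IPT -A INPUT -i "$trusted" -j ACCEPT ;;
        esac
    done
}

# Number of rules generated, handy for checking a dry run.
fw_rule_count() { fw_rules "$@" | wc -l | tr -d ' '; }
```

With no trusted interfaces the script emits exactly the three lines from the reply; `fw_rules eth1` adds one ACCEPT for the LAN side of a laptop.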



Thread overview:
2006-11-15 20:29 [gentoo-user] Help with script for iptables Mick
2006-11-15 21:25 ` Flophouse Joe
2006-11-15 23:15   ` Mick
2006-11-16  1:15     ` Flophouse Joe
2006-11-16  9:20       ` Mick
2006-11-16 15:19         ` Nangus Garba
2006-11-16 18:05           ` Mick
2006-11-16  0:26 ` Iain Buchanan [this message]
