[gentoo-user] Help with script for iptables
From: Mick @ 2006-11-15 20:29 UTC
To: gentoo-user

Hi All,

I have been using Daniel Robbins' basic script for years, but now on a laptop I have more than one way of connecting to the Internet. The script uses the variable UPLINK to define the incoming interface like so:

==============================================
#change this to the name of the interface that provides your "uplink"
#(connection to the Internet)
UPLINK="eth0"

if [ "$1" = "start" ]
then
    echo "Starting firewall..."
    iptables -P INPUT DROP
    iptables -A INPUT -i ! ${UPLINK} -j ACCEPT
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    [snip...]
==============================================

I would like to define more than one iface in UPLINK, e.g. eth0, wlan0, ppp0. How am I supposed to do this? I've tried space, comma and colon as delimiters, but all fail. I've also tried entering UPLINK="iface_name" one on each line, but the last line seems to be the one that is always used.

I'd very much appreciate your script-savvy guidance here, because I couldn't fight my way out of a paper bag when it comes to scripting . . . :)
--
Regards,
Mick
Re: [gentoo-user] Help with script for iptables
From: Flophouse Joe @ 2006-11-15 21:25 UTC
To: gentoo-user

On Wed, 15 Nov 2006, Mick wrote:
> iptables -P INPUT DROP
> iptables -A INPUT -i ! ${UPLINK} -j ACCEPT
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> I would like to define more than one iface in UPLINK, e.g. eth0, wlan0, ppp0.

It sounds like you want to write a rule that says, "If the packet arrives on any of the interfaces eth0, wlan0, or ppp0, then do ${something} with it."

I have never found a good way to do this, but I have found several bad ways of doing this. :) Here is one of the easiest of the bad ways:

Make separate rules which effectively test for each of the interfaces you're interested in. If the rules match, then make the packets jump to a new chain for further testing.

Let's use eth0, wlan0, and ppp0 as an example. Assume that you've got these interfaces bound on a Gentoo system acting as a firewall and NAT device. You trust eth0 and wlan0, as these are the interfaces from which you connect to the system. You don't trust ppp0, as its IP address is publicly routable. You wish to be able to SSH into the Gentoo system from hosts on the eth0 and wlan0 interfaces, but not from packets arriving on the ppp0 interface.

You can't write a rule like the following:

    iptables -A INPUT -i eth0,wlan0 -p tcp --dport ssh -j ACCEPT

So instead you write rules like this:

    iptables -N in-from-trusted
    iptables -A INPUT -i eth0 -j in-from-trusted
    iptables -A INPUT -i wlan0 -j in-from-trusted
    iptables -A in-from-trusted -p tcp --dport ssh -j ACCEPT

Consider how this works. Assume that one of your trusted hosts on the eth0 segment sends a new SSH packet to the Gentoo system. The SSH packet hits the "INPUT" chain, where it matches the first rule because it arrives on the eth0 interface. The packet then jumps (-j) to the chain in-from-trusted. The packet matches the first rule in this chain because its destination tcp port is 22, and so the packet is accepted.

The same rules apply for an incoming ssh packet arriving on the wlan0 interface.

If an ssh packet comes in on the ppp0 interface, it won't match any of the rules from the INPUT chain listed above, and -- assuming that there are no further rules in the INPUT chain -- its fate will be that of the policy of the INPUT chain: DROP.

Finally, consider a packet arriving on the wlan0 interface whose destination tcp port is, say, http. This packet will match the rule "-A INPUT -i wlan0" and it will jump to the in-from-trusted chain. It won't match the rule in in-from-trusted "-p tcp --dport ssh", and so it won't be accepted here.

This method works well enough in this example, but gets unwieldy quickly if taken to its logical extreme. I once maintained a set of iptables rules that was written entirely in this method. It was nothing but a series of "tests" chained together with jumps and returns. Even though I wrote it, it was nearly impossible for me to follow and debug it: tracing a packet required consulting five or six chains, and inserting new rules was a chore because it was always necessary to avoid inserting a rule in such a way as to short-circuit an existing "test". I warned you this was a bad way. :)

It's entirely possible that I'm misunderstanding the design of netfilter, but it seems to me that the solution to complicated rulesets is to permit boolean logic in rules like so:

    iptables -A INPUT \
        \(-i eth0 -or -i wlan0) -and \(-p tcp --dport ssh\) \
        -j ACCEPT

Joe
--
gentoo-user@gentoo.org mailing list
Re: [gentoo-user] Help with script for iptables
From: Mick @ 2006-11-15 23:15 UTC
To: gentoo-user

Thanks Joe,

On Wednesday 15 November 2006 21:25, Flophouse Joe wrote:
> On Wed, 15 Nov 2006, Mick wrote:
> > iptables -P INPUT DROP
> > iptables -A INPUT -i ! ${UPLINK} -j ACCEPT
> > I would like to define more than one iface in UPLINK, e.g. eth0, wlan0,
> > ppp0.
>
> It sounds like you want to write a rule that says,
>
> "If the packet arrives on any of the interfaces eth0, wlan0, or ppp0,
> then do ${something} with it."

Yes. I was thinking, is it possible to define the interfaces like:

    UPLINK="eth0 wlan0 ppp0"

and then add something like:

=====================================================
# loop over the space-separated list in UPLINK, one interface at a time
for x in ${UPLINK}
do
    iptables -A INPUT -i ! ${x} -j ACCEPT
    . . . more rules . . .
    iptables -A INPUT -p tcp -i ${x} -j DROP
done
=====================================================

type of thing. Not sure if the syntax is correct, but the idea is that we define multiple interfaces, but only write the rules once with the variable 'x' where the interface is meant to go.

> Here is one of the easiest of the bad ways:
>
> Make separate rules which effectively test for each of the interfaces
> you're interested in. If the rules match, then make the packets jump to
> a new chain for further testing.

That's a simple enough way, although as you say it can quickly get complicated, especially so if you want to modify rules, change chains and so on.

> It's entirely possible that I'm misunderstanding the design of
> netfilter, but it seems to me that the solution to complicated rulesets
> is to permit boolean logic in rules like so:
>
> iptables -A INPUT \
> \(-i eth0 -or -i wlan0) -and \(-p tcp --dport ssh\) \
> -j ACCEPT

Is there a legit way of specifying such rules?
--
Regards,
Mick
Re: [gentoo-user] Help with script for iptables
From: Flophouse Joe @ 2006-11-16 1:15 UTC
To: gentoo-user

On Wed, 15 Nov 2006, Mick wrote:
> On Wednesday 15 November 2006 21:25, Flophouse Joe wrote:
>> On Wed, 15 Nov 2006, Mick wrote:
> UPLINK="eth0 wlan0 ppp0"
> for x in ${INTERFACES}
> do
> iptables -A INPUT -i ! ${x} -j ACCEPT
> . . . more rules . . .
> iptables -A INPUT -p tcp -i ${x} -j DROP
> fi
> =====================================================
> type of thing. Not sure if the syntax is correct, but the idea is that we
> define multiple interfaces, but only write the rules once with the
> variable 'x' where the interface is meant to go.

I'm not 100% certain that I understand the goal, so please let me know if I've gotten it wrong. It sounds like you want to apply identical firewall rules to each of three interfaces. It's possible that there are other interfaces, and if traffic arrives on those interfaces, then it should not be matched by the rules in the for loop.

If this is the case, then yes, the for loop you've suggested should be perfectly fine. The rules you specify in that loop will only be applied to traffic which arrives on the interfaces that you loop through.

If you're anything like me, you'll find the rules created in this manner slightly difficult to read from the output of "iptables -vnL", but you'd have the same problem using the test-then-jump method I mentioned in my previous post. As near as I can tell, this is a limitation of iptables (or netfilter) itself, in that (to the best of my knowledge) it isn't possible to specify a rule that matches multiple interfaces whose names don't begin the same way.

>> It's entirely possible that I'm misunderstanding the design of
>> netfilter, but it seems to me that the solution to complicated rulesets
>> is to permit boolean logic in rules like so:
>>
>> iptables -A INPUT \
>> \(-i eth0 -or -i wlan0) -and \(-p tcp --dport ssh\) \
>> -j ACCEPT
>
> Is there a legit way of specifying such rules?

Not that I'm aware of, but I'd very much like to be proven wrong. Does anyone else on the list know of a way to specify boolean conditions in iptables rules as illustrated above?

For what it's worth, I have found a way to get something that approximates the ability to use ORs in iptables rules, but it borders on the criminally insane. I describe it below:

I have a Gentoo system in my house which acts as a firewall and NAT gateway. It has three network interfaces: eth0 connects to the public internet, eth1 connects to a non-routable network segment, eth2 connects to a non-routable wireless access point left wide open.

I wish for some hosts -- and only some hosts -- to be able to connect to the wireless access point and have their traffic masqueraded out to the public internet. Since I'm dealing with a very small number of hosts, and since these hosts are directly connected to the Gentoo system's ethernet segment, I've decided to filter traffic from the wireless access point based on the source MAC address of the ethernet frames coming from the wireless access point.

Let's say that I trusted the hosts with MAC address 00:11:22:33:44:55 and with MAC address 00:22:44:66:88:AA, and I wished for these hosts to have their traffic forwarded out to the internet without any restrictions whatsoever. This would be simple enough:

    iptables -A FORWARD -i eth2 -o eth0 \
        -m mac --mac-source 00:11:22:33:44:55 -j ACCEPT
    iptables -A FORWARD -i eth2 -o eth0 \
        -m mac --mac-source 00:22:44:66:88:AA -j ACCEPT

But in reality, the rules are a bit more complicated. I disallow outgoing access to SMTP and BitTorrent, for example. I also disallow outgoing traffic to certain UDP ports. These rules add up quickly. It's possible to collapse some of these rules using -m multiport, but I still end up with a few rules for each of the hosts that are being forwarded from the wireless interface to the public. And since I can't test for multiple MAC addresses in one rule, I need separate rules for each host.

I've got about six hosts connecting to the wireless access point, and I've got three rules for each host. Because I can't "OR" rules together, I've got 6 x 3 = 18 rules to juggle. This isn't too big of a deal if I wrap it up in a for loop, but it's still unsightly to look at in the output of "iptables -vnL".

I've used the connmark match and the CONNMARK target to get the same effect. In table mangle chain PREROUTING, I have rules that look like this:

    # tag every connection from a trusted MAC with bit 0x1 of the connection mark
    iptables -t mangle -A PREROUTING \
        -m mac --mac-source 00:11:22:33:44:55 \
        -j CONNMARK --set-mark 0x1/0x1
    iptables -t mangle -A PREROUTING \
        -m mac --mac-source 00:22:44:66:88:AA \
        -j CONNMARK --set-mark 0x1/0x1
    iptables -t mangle -A PREROUTING \
        -m mac --mac-source 33:66:99:CC:FF:00 \
        -j CONNMARK --set-mark 0x1/0x1

And now I can collapse the rules in table filter, chain FORWARD like so:

    # match the bit set above instead of listing each MAC again
    iptables -A FORWARD -p tcp -m multiport ! --dports 25,6881 \
        -i eth2 -o eth0 -m connmark --mark 0x1/0x1 -j ACCEPT
    iptables -A FORWARD -p udp -m multiport ! --dports 123,456 \
        -i eth2 -o eth0 -m connmark --mark 0x1/0x1 -j ACCEPT

The "connmark 0x1/0x1" business sets a bit associated with the connection; think of it as setting a variable and then checking for it later. The above two rules are effectively saying the following (this "--mac-source mac-1,mac-2,mac-3" syntax does not exist; it is only to show the intent):

    iptables -A FORWARD -p tcp -m multiport ! --dports 25,6881 \
        -i eth2 -o eth0 \
        -m mac --mac-source mac-1,mac-2,mac-3 \
        -j ACCEPT
    iptables -A FORWARD -p udp -m multiport ! --dports 123,456 \
        -i eth2 -o eth0 \
        -m mac --mac-source mac-1,mac-2,mac-3 \
        -j ACCEPT

As you can see, this method is pretty complicated, too. It's not really any substitute for "real" boolean logic (as described near the top of this post). If anyone knows of a way to do this, I'd like to know about it.

Joe
Re: [gentoo-user] Help with script for iptables
From: Mick @ 2006-11-16 9:20 UTC
To: gentoo-user

On Thursday 16 November 2006 01:15, Flophouse Joe wrote:
> On Wed, 15 Nov 2006, Mick wrote:
> > On Wednesday 15 November 2006 21:25, Flophouse Joe wrote:
> >> On Wed, 15 Nov 2006, Mick wrote:
> >
> > UPLINK="eth0 wlan0 ppp0"
> > for x in ${INTERFACES}
> > do
> > iptables -A INPUT -i ! ${x} -j ACCEPT
> > . . . more rules . . .
> > iptables -A INPUT -p tcp -i ${x} -j DROP
> > fi
> > =====================================================
> > type of thing. Not sure if the syntax is correct, but the idea is that
> > we define multiple interfaces, but only write the rules once with the
> > variable 'x' where the interface is meant to go.
>
> I'm not 100% certain that I understand the goal, so please let me know
> if I've gotten it wrong. It sounds like you want to apply identical
> firewall rules to each of three interfaces. It's possible that there
> are other interfaces, and if traffic arrives on those interfaces, then
> it should not be matched by the rules in the for loop.

Yes, it's a laptop so there is no internal/external interface(s) split in terms of trust; well, other than "lo".

> If this is the case, then yes, the for loop you've suggested should be
> perfectly fine. The rules you specify in that loop will only be applied
> to traffic which arrives on the interfaces that you loop through.

I think that by partly showing my rule set I have confused the point. I should have made it clearer; this is my main set of rules right now:

======================================
UPLINK="eth0"

if [ "$1" = "start" ]
then
    echo "Starting firewall..."
    iptables -P INPUT DROP
    iptables -A INPUT -i ! ${UPLINK} -j ACCEPT
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    #Allow rsync connections from study1 to update portage
    iptables -A INPUT -i ${UPLINK} -p tcp -s 192.168.0.2 -m tcp --dport 873 -d 192.168.0.5 -j ACCEPT
    #Allow tcp connections from study1 to download distfiles
    iptables -A INPUT -i ${UPLINK} -p tcp -s 192.168.0.2 -m tcp --dport 1024 -d 192.168.0.5 -j ACCEPT
    iptables -A INPUT -p tcp -i ${UPLINK} -j DROP
    iptables -A INPUT -p udp -i ${UPLINK} -j DROP
    [snip...]
elif [ "$1" = "stop" ]
then
    echo "Stopping firewall..."
    iptables -F INPUT
    iptables -P INPUT ACCEPT
    #turn off NAT/masquerading, if any
    iptables -t nat -F POSTROUTING
fi
======================================

(The ! ${UPLINK} rule is there to catch any external ifaces who might try to spoof their address as localhost.)

> >> It's entirely possible that I'm misunderstanding the design of
> >> netfilter, but it seems to me that the solution to complicated rulesets
> >> is to permit boolean logic in rules like so:
> >>
> >> iptables -A INPUT \
> >> \(-i eth0 -or -i wlan0) -and \(-p tcp --dport ssh\) \
> >> -j ACCEPT
> >
> > Is there a legit way of specifying such rules?
>
> Not that I'm aware of, but I'd very much like to be proven wrong. Does
> anyone else on the list know of a way to specify boolean conditions in
> iptables rules as illustrated above?
>
> For what it's worth, I have found a way to get something that
> approximates the ability to use ORs in iptables rules, but it borders on
> the criminally insane. I describe it below:

[snip...]

> As you can see, this method is pretty complicated, too. It's not really
> any substitute for "real" boolean logic (as described near the top of
> this post). If anyone knows of a way to do this, I'd like to know
> about it.

me too!

Meanwhile, I've changed it to this:

==============================================
UPLINK="eth0 wlan0 ppp0"

if [ "$1" = "start" ]
then
    echo "Starting firewall..."
    for x in ${UPLINK}
    do
        iptables -P INPUT DROP
        iptables -A INPUT -i ! ${x} -j ACCEPT
        iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
        #Allow rsync connections from study1 to update portage
        iptables -A INPUT -i ${x} -p tcp -s 192.168.0.2 -m tcp --dport 873 -d 192.168.0.5 -j ACCEPT
        #Allow tcp connections from study1 to download distfiles
        iptables -A INPUT -i ${x} -p tcp -s 192.168.0.2 -m tcp --dport 1024 -d 192.168.0.5 -j ACCEPT
        iptables -A INPUT -p tcp -i ${x} -j DROP
        iptables -A INPUT -p udp -i ${x} -j DROP
    done
==============================================

which seems to do the trick for my simple firewalling needs:

==============================================
# iptables -L -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  !eth0  any     anywhere             anywhere
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  eth0   any     study1               192.168.0.5         tcp dpt:rsync
    0     0 ACCEPT     tcp  --  eth0   any     study1               192.168.0.5         tcp dpt:1024
    0     0 DROP       tcp  --  eth0   any     anywhere             anywhere
    0     0 DROP       udp  --  eth0   any     anywhere             anywhere
    0     0 ACCEPT     all  --  !wlan0 any     anywhere             anywhere
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  wlan0  any     study1               192.168.0.5         tcp dpt:rsync
    0     0 ACCEPT     tcp  --  wlan0  any     study1               192.168.0.5         tcp dpt:1024
    0     0 DROP       tcp  --  wlan0  any     anywhere             anywhere
    0     0 DROP       udp  --  wlan0  any     anywhere             anywhere
    0     0 ACCEPT     all  --  !ppp0  any     anywhere             anywhere
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  ppp0   any     study1               192.168.0.5         tcp dpt:rsync
    0     0 ACCEPT     tcp  --  ppp0   any     study1               192.168.0.5         tcp dpt:1024
    0     0 DROP       tcp  --  ppp0   any     anywhere             anywhere
    0     0 DROP       udp  --  ppp0   any     anywhere             anywhere

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 17M packets, 7060M bytes)
 pkts bytes target     prot opt in     out     source               destination
==============================================

Thank you all for your help! :)
--
Regards,
Mick
Re: [gentoo-user] Help with script for iptables
From: Nangus Garba @ 2006-11-16 15:19 UTC
To: gentoo-user

# I think that a set of rules that looks something like this would be easier to maintain
# there are 500 little tricks that I could add if I was home and had my notes

iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT

#this will take care of all interfaces by default
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# maybe you should just use one interface for portage to connect through such as eth0
# might also be a good plan to use the mac address instead of the ip it is a little harder to spoof

#Allow rsync connections from study1 to update portage
iptables -A INPUT -i eth0 -p tcp -s 192.168.0.2 -m tcp --dport 873 -d 192.168.0.5 -j ACCEPT
#Allow tcp connections from study1 to download distfiles
iptables -A INPUT -i eth0 -p tcp -s 192.168.0.2 -m tcp --dport 1024 -d 192.168.0.5 -j ACCEPT

# these rules are kinda taken care of by: iptables -P INPUT DROP
# iptables -A INPUT -p tcp -i ${x} -j DROP
# iptables -A INPUT -p udp -i ${x} -j DROP
Re: [gentoo-user] Help with script for iptables
From: Mick @ 2006-11-16 18:05 UTC
To: gentoo-user

On Thursday 16 November 2006 15:19, Nangus Garba wrote:
> # I think that a set of rules that looks something like this would be
> easier to maintain
> # there are 500 little tricks that I could add if I was home and had my
> notes

Hey! Thanks for your help - please send some more when you get home. :)

> iptables -P INPUT DROP
> iptables -A INPUT -i lo -j ACCEPT

The "! $iface" is meant to catch incoming packets on an external iface which have their IP address spoofed to 127.0.0.1 type of thing. Will "lo" achieve the same thing?

> #this will take care of all interfaces by default
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # maybe you should just use one interface for portage to connect through
> such as eth0

Good point.

> # might also be a good plan to use the mac address instead of the ip it is
> a little harder to spoof

Could I use both in a single rule?

> #Allow rsync connections from study1 to update portage
> iptables -A INPUT -i eth0 -p tcp -s 192.168.0.2 -m tcp --dport 873 -d
> 192.168.0.5 -j ACCEPT
> #Allow tcp connections from study1 to download distfiles
> iptables -A INPUT -i eth0 -p tcp -s 192.168.0.2 -m tcp --dport 1024 -d
> 192.168.0.5 -j ACCEPT
> # these rules are kinda taken car of by: iptables -P INPUT DROP

Yes, in their current format they are, but I had previously set them up to REJECT with different messages.

> # iptables -A INPUT -p tcp -i ${x} -j DROP
> # iptables -A INPUT -p udp -i ${x} -j DROP

Keep 'em coming! :)
--
Regards,
Mick
Re: [gentoo-user] Help with script for iptables
From: Iain Buchanan @ 2006-11-16 0:26 UTC
To: gentoo-user

On Wed, 2006-11-15 at 20:29 +0000, Mick wrote:
> Hi All,
>
> I have been using Daniel Robbins' basic script for years but now on a laptop I
> have more than one ways of connecting to the Internet. The script uses the
> variable UPLINK to define the incoming interface like so:
> ==============================================
> #change this to the name of the interface that provides your "uplink"
> #(connection to the Internet)

you could try modifying the script slightly:

> UPLINK="eth0"

make that

    UPLINK="eth0 ppp0" # space separated

then I was going to say use a

    for i in x; do ...; done

loop, but I realised that won't work exactly, because of the line

> iptables -A INPUT -i ! ${UPLINK} -j ACCEPT

then something strange would happen. What you're really saying is "for every interface not specified, accept incoming packets". This gets a bit tricky, cause you either have to parse the output of ifconfig (ugly) or specify the interfaces that are NOT "uplinks" (prone to user error). You could say:

    UPLINK="eth0 wlan0 ppp0"

    if [ "$1" = "start" ]
    then
        echo "Starting firewall..."
        iptables -P INPUT DROP
        for IFS in `ifconfig | grep "Link encap:" | awk '{print $1}'`; do
            for UPIFS in ${UPLINK}; do
                # if IFS isn't in UPIFS, then accept all traffic on IFS
                if ...

forget that! too ugly. What are you really trying to do? Make all your interfaces the "uplink", ie. firewalled? In that case, just say this:

> UPLINK="who cares?"
>
> if [ "$1" = "start" ]
> then
> echo "Starting firewall..."
> iptables -P INPUT DROP
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

done! Now everything is firewalled, and only lo is trusted. However, I haven't seen the rest of this script, so I don't know if that will break things. Maybe you want to post back with some more info if that doesn't suit your needs...

cya!
--
Iain Buchanan <iaindb at netspace dot net dot au>

"How many people work here?"
"Oh, about half."
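To check how the rule sets traded in this thread actually behave, here is an added example (written for this page, not by any of the posters) in Python: a small first-match simulator for the filter INPUT chain, loaded with Joe's test-then-jump chains, Mick's per-uplink loop as he posted it, and the "trust only lo" shape Iain and Nangus suggested. The simulator is a deliberate simplification (no -d match, no conntrack, REJECT treated like DROP) and every packet and the 10.0.0.9 address are constructed samples; the ordering point it exposes is the one visible in Mick's "iptables -L -v" listing: "-i ! eth0 -j ACCEPT" placed inside the loop accepts any new packet arriving on wlan0 or ppp0, since those are, by definition, not eth0.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class Rule:
    target: str                     # ACCEPT, DROP, or a user chain name
    iface: Optional[str] = None     # -i IFACE
    iface_neg: bool = False         # -i ! IFACE
    proto: Optional[str] = None     # -p tcp | udp
    dport: Optional[int] = None     # --dport N
    src: Optional[str] = None       # -s ADDR
    states: Tuple[str, ...] = ()    # -m state --state A,B

@dataclass
class Packet:                       # constructed sample packet
    iface: str
    proto: str = "tcp"
    dport: int = 0
    src: str = "10.0.0.9"           # constructed sample source address
    state: str = "NEW"

def matches(r: Rule, p: Packet) -> bool:
    """Every match given on the rule must hold; -i ! IFACE inverts the test."""
    if r.iface is not None and (p.iface == r.iface) == r.iface_neg:
        return False
    if r.proto is not None and p.proto != r.proto:
        return False
    if r.dport is not None and p.dport != r.dport:
        return False
    if r.src is not None and p.src != r.src:
        return False
    if r.states and p.state not in r.states:
        return False
    return True

def verdict(chains: Dict[str, List[Rule]], p: Packet,
            chain: str = "INPUT", policy: str = "DROP") -> str:
    """Walk CHAIN top to bottom; the first matching terminal target wins.
    A user chain whose rules all miss returns to the caller, as in netfilter."""
    for r in chains[chain]:
        if not matches(r, p):
            continue
        if r.target in ("ACCEPT", "DROP", "REJECT"):
            return r.target
        sub = verdict(chains, p, r.target, policy)      # -j user-chain
        if sub != "RETURN":
            return sub
    return policy if chain == "INPUT" else "RETURN"

UPLINKS = ("eth0", "wlan0", "ppp0")
STUDY1 = "192.168.0.2"              # study1's address from the thread

def mick_loop() -> Dict[str, List[Rule]]:
    """Mick's final script: the whole rule body repeated once per uplink."""
    rules: List[Rule] = []
    for x in UPLINKS:
        rules += [Rule("ACCEPT", iface=x, iface_neg=True),       # -i ! $x
                  Rule("ACCEPT", states=("ESTABLISHED", "RELATED")),
                  Rule("ACCEPT", iface=x, proto="tcp", dport=873, src=STUDY1),
                  Rule("DROP", iface=x, proto="tcp"),
                  Rule("DROP", iface=x, proto="udp")]
    return {"INPUT": rules}

def lo_then_loop() -> Dict[str, List[Rule]]:
    """The shape Iain and Nangus suggested: trust lo only, then per-uplink
    exceptions; everything else falls through to the DROP policy."""
    rules = [Rule("ACCEPT", iface="lo"),
             Rule("ACCEPT", states=("ESTABLISHED", "RELATED"))]
    for x in UPLINKS:
        rules.append(Rule("ACCEPT", iface=x, proto="tcp", dport=873, src=STUDY1))
    return {"INPUT": rules}

def joe_chains() -> Dict[str, List[Rule]]:
    """Joe's test-then-jump method: eth0 and wlan0 jump to in-from-trusted."""
    return {"INPUT": [Rule("in-from-trusted", iface="eth0"),
                      Rule("in-from-trusted", iface="wlan0")],
            "in-from-trusted": [Rule("ACCEPT", proto="tcp", dport=22)]}

if __name__ == "__main__":
    ssh_on_wlan0 = Packet("wlan0", dport=22)
    print("mick_loop   :", verdict(mick_loop(), ssh_on_wlan0))             # ACCEPT
    print("lo_then_loop:", verdict(lo_then_loop(), ssh_on_wlan0))          # DROP
    print("joe_chains  :", verdict(joe_chains(), Packet("ppp0", dport=22)))  # DROP
```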