From: Mick <michaelkintzios@gmail.com>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Help with script for iptables
Date: Thu, 16 Nov 2006 18:05:58 +0000
User-Agent: KMail/1.9.5
References: <200611152029.35737.michaelkintzios@gmail.com> <200611160920.45191.michaelkintzios@gmail.com> <5fc5c49d0611160719w7d9a8d69w908a82412be877ea@mail.gmail.com>
In-Reply-To: <5fc5c49d0611160719w7d9a8d69w908a82412be877ea@mail.gmail.com>
Message-Id: <200611161806.11492.michaelkintzios@gmail.com>


On Thursday 16 November 2006 15:19, Nangus Garba wrote:
> # I think that a set of rules that looks something like this would be easier to maintain
> # there are 500 little tricks that I could add if I was home and had my notes

Hey! Thanks for your help - please send some more when you get home.  :)

> iptables -P INPUT DROP
> iptables -A INPUT -i lo -j ACCEPT

The "! $iface" is meant to catch incoming packets on an external iface which have their IP address spoofed to 127.0.0.1 type of thing.  Will "lo" achieve the same thing?

> #this will take care of all interfaces by default
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # maybe you should just use one interface for portage to connect through
> such as eth0

Good point.

> # might also be a good plan to use the mac address instead of the ip it is
> a little harder to spoof

Could I use both in a single rule?

> #Allow rsync connections from study1 to update portage
> iptables -A INPUT -i eth0 -p tcp -s 192.168.0.2 -m tcp --dport 873 -d 192.168.0.5 -j ACCEPT
> #Allow tcp connections from study1 to download distfiles
> iptables -A INPUT -i eth0 -p tcp -s 192.168.0.2 -m tcp --dport 1024 -d 192.168.0.5 -j ACCEPT
> #      these rules are kinda taken car of by: iptables -P INPUT DROP

Yes, in their current format they are, but I had previously set them up to REJECT with different messages

> #       iptables -A INPUT -p tcp -i ${x} -j DROP
> #        iptables -A INPUT -p udp -i ${x} -j DROP

Keep 'em coming!  :)
-- 
Regards,
Mick
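As an added example (not code from this thread or from either poster), here is a dry-run script for the INPUT chain these rules sketch: it shows that `-i lo` alone does not catch a packet arriving on eth0 with a forged 127.0.0.0/8 source, so an explicit anti-spoof rule is still needed, and that an IP match and a MAC match can sit in one rule. It assumes the thread's eth0 and 192.168.0.x addresses, uses a constructed placeholder MAC, and prints the rules instead of applying them unless IPT is set to the real binary.

```shell
#!/bin/sh
# Added example, not code from the thread. IPT defaults to "echo iptables"
# so the rules are printed, not loaded; run as root with IPT=iptables to
# apply them. Hosts/interfaces are the thread's own; the MAC is constructed.
IPT="${IPT:-echo iptables}"
EXT_IF="${EXT_IF:-eth0}"                       # the one interface portage uses
HOST_IP="${HOST_IP:-192.168.0.5}"              # this box
STUDY1_IP="${STUDY1_IP:-192.168.0.2}"          # study1, the rsync/distfiles client
STUDY1_MAC="${STUDY1_MAC:-00:11:22:33:44:55}"  # constructed placeholder MAC

build_input_chain() {
    $IPT -F INPUT
    $IPT -P INPUT DROP
    # Genuine loopback traffic only ever arrives on lo.
    $IPT -A INPUT -i lo -j ACCEPT
    # "-i lo" by itself does nothing about a packet that arrives on eth0 with
    # a forged 127.0.0.0/8 source, which is what "! $iface" was catching;
    # keep an explicit anti-spoof rule for that case.
    $IPT -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
    # Likewise drop packets from outside that claim to be from this host.
    $IPT -A INPUT -i "$EXT_IF" -s "$HOST_IP" -j DROP
    # Replies to connections this host opened (emerge --sync, distfile fetches).
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # IP and MAC can be combined in one rule: "-m mac" is a second match, so
    # both must hold. Only meaningful while study1 is on the same L2 segment.
    for port in 873 1024; do
        $IPT -A INPUT -i "$EXT_IF" -p tcp -s "$STUDY1_IP" \
            -m mac --mac-source "$STUDY1_MAC" \
            -d "$HOST_IP" --dport "$port" -j ACCEPT
    done
    # Everything else: log a little, then fall through to the DROP policy.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT drop: "
}

build_input_chain
```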
