From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from lists.gentoo.org ([140.105.134.102] helo=robin.gentoo.org)
	by nuthatch.gentoo.org with esmtp (Exim 4.60)
	(envelope-from <gentoo-user+bounces-54850-garchives=archives.gentoo.org@gentoo.org>)
	id 1GkjAn-0001Td-PB
	for garchives@archives.gentoo.org; Thu, 16 Nov 2006 15:29:06 +0000
Received: from robin.gentoo.org (localhost [127.0.0.1])
	by robin.gentoo.org (8.13.8/8.13.8) with SMTP id kAGFONLA031681;
	Thu, 16 Nov 2006 15:24:23 GMT
Received: from nf-out-0910.google.com (nf-out-0910.google.com [64.233.182.190])
	by robin.gentoo.org (8.13.8/8.13.8) with ESMTP id kAGFJfH0001004
	for <gentoo-user@lists.gentoo.org>; Thu, 16 Nov 2006 15:19:42 GMT
Received: by nf-out-0910.google.com with SMTP id c31so1776210nfb
        for <gentoo-user@lists.gentoo.org>; Thu, 16 Nov 2006 07:19:41 -0800 (PST)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
        s=beta; d=gmail.com;
        h=received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:references;
        b=hSR1WAVWlTVClxdFiX/ViZBoQ32A7/k1nu3bLonpPt0WrsqOBTj/tLwSUWyXz688DFhaz2Gyf7RVXYOEQeNJrHoWPy+z3wufpcBV5YMuRqr3L6LE7mC2aKfWlFALGKemb3hPdlO4HCN87I+a7G9ni6+BOof+Se0jRD/Rs5pCROc=
Received: by 10.82.164.9 with SMTP id m9mr79388bue.1163690380532;
        Thu, 16 Nov 2006 07:19:40 -0800 (PST)
Received: by 10.82.108.17 with HTTP; Thu, 16 Nov 2006 07:19:40 -0800 (PST)
Message-ID: <5fc5c49d0611160719w7d9a8d69w908a82412be877ea@mail.gmail.com>
Date: Thu, 16 Nov 2006 10:19:40 -0500
From: "Nangus Garba" <code.affe.dev@gmail.com>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Help with script for iptables
In-Reply-To: <200611160920.45191.michaelkintzios@gmail.com>
Precedence: bulk
List-Post: <mailto:gentoo-user@lists.gentoo.org>
List-Help: <mailto:gentoo-user+help@gentoo.org>
List-Unsubscribe: <mailto:gentoo-user+unsubscribe@gentoo.org>
List-Subscribe: <mailto:gentoo-user+subscribe@gentoo.org>
List-Id: Gentoo Linux mail <gentoo-user.gentoo.org>
X-BeenThere: gentoo-user@gentoo.org
Reply-to: gentoo-user@lists.gentoo.org
MIME-Version: 1.0
Content-Type: multipart/alternative; 
	boundary="----=_Part_73041_15895802.1163690380157"
References: <200611152029.35737.michaelkintzios@gmail.com>
	 <200611152315.17728.michaelkintzios@gmail.com>
	 <Pine.LNX.4.64.0611151912060.31856@becky16.halibutdepot.org>
	 <200611160920.45191.michaelkintzios@gmail.com>
X-Archives-Salt: 5ece2294-d1e0-4126-aec6-0339cedd1b29
X-Archives-Hash: 6db449d0051e96ee4e1c0c6f3b201958

------=_Part_73041_15895802.1163690380157
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

# I think that a set of rules that looks something like this would be easier
to maintain
# there are 500 little tricks that I could add if I was home and had my
notes

iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT

#this will take care of all interfaces by default
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# maybe you should just use one interface for portage to connect through
such as eth0
# might also be a good plan to use the mac address instead of the ip it is a
little harder to spoof

#Allow rsync connections from study1 to update portage
iptables -A INPUT -i eth0 -p tcp -s 192.168.0.2 -m tcp --dport 873 -d
192.168.0.5 -j ACCEPT
#Allow tcp connections from study1 to download distfiles
iptables -A INPUT -i eth0 -p tcp -s 192.168.0.2 -m tcp --dport 1024 -d
192.168.0.5 -j ACCEPT
#      these rules are kinda taken car of by: iptables -P INPUT DROP
#       iptables -A INPUT -p tcp -i ${x} -j DROP
#        iptables -A INPUT -p udp -i ${x} -j DROP

------=_Part_73041_15895802.1163690380157
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

# I think that a set of rules that looks something like this would be easier to maintain<br># there are 500 little tricks that I could add if I was home and had my notes<br><br><div style="direction: ltr;">iptables -P INPUT DROP
<br></div><div style="direction: ltr;"><span class="q">iptables -A INPUT -i lo -j ACCEPT<br><br>#this will take care of all interfaces by default<br></span></div><div style="direction: ltr;"><span class="q">iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
<br><br></span>
# maybe you should just use one interface for portage to connect through such as eth0<br># might also be a good plan to use the mac address instead of the ip it is a little harder to spoof<br><br></div><div style="direction: ltr;">
#Allow rsync connections from study1 to update portage<br>iptables -A INPUT -i eth0 -p tcp -s <a onclick="return top.js.OpenExtLink(window,event,this)" href="http://192.168.0.2/" target="_blank">192.168.0.2</a> -m tcp --dport 873 -d 
<a onclick="return top.js.OpenExtLink(window,event,this)" href="http://192.168.0.5/" target="_blank">192.168.0.5</a> -j ACCEPT<br>#Allow tcp connections from study1 to download distfiles<br>iptables -A INPUT -i eth0 -p tcp -s 
<a onclick="return top.js.OpenExtLink(window,event,this)" href="http://192.168.0.2/" target="_blank">192.168.0.2</a> -m tcp --dport 1024 -d <a onclick="return top.js.OpenExtLink(window,event,this)" href="http://192.168.0.5/" target="_blank">
192.168.0.5</a> -j ACCEPT<br>#&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; these rules are kinda taken car of by: iptables -P INPUT DROP</div><div style="direction: ltr;"><span class="q">#&nbsp; &nbsp; &nbsp;&nbsp; iptables -A INPUT -p tcp -i ${x} -j DROP<br></span></div># &nbsp; &nbsp; &nbsp;&nbsp; iptables -A INPUT -p udp -i ${x} -j DROP
<br>

------=_Part_73041_15895802.1163690380157--
-- 
gentoo-user@gentoo.org mailing list