Hi all,

I want to set up a firewall to secure my private network. This network includes about 5-6 computers running Linux and Windows OS. I decided to use netfilter (iptables) with the new 2.4.2 kernel, which I compiled on my Pentium today.

Now I have a question about the new iptables and the connection tracking module: I want to set a default policy for all chains (at first INPUT, OUTPUT and FORWARD) to DENY. Now, for example, I want to allow an ssh connection from the internet to my firewall. (I want the firewall to be the gate to my local Linux computers. I mean, if anyone wants to ssh to my private computers, he can only get a connection if he first connects to the firewall, and then connects to the target computer in my network.) Is this a good idea? So I don't have to allow ssh to any of my computers in the local net. Only to the firewall! What do you think about this?

Now the problem: If I use connection tracking for ssh:

```
iptables -A INPUT -p tcp --dport 22 -s 0.0.0.0/0 -d $FIREWALLHOST -m state --state NEW,ESTABLISHED,RELATED -i eth0 -j ACCEPT
```

In this rule I would accept all connections coming from the internet to my firewall at port 22 and all packets in relation with this connection. Right?! Should I now add a rule to the OUTPUT chain too, or is any outgoing connection in relation with the ssh INPUT rule above accepted now?

Thanks for your help,
Marco

--
Marco Ahrendt              phone : +49-341-98-474-0
adconsys AG                fax   : +49-341-98-474-59
Karl-Liebknecht-Str. 19    email : marco.ahrendt@adconsys.de
04107 Leipzig/Germany      gnupg key at www.aktex.net/marco_work.asc