Hi there, someone who can give me an advice for my firewallscript? Suse Linux 8.1 Kernel 2.4.19 -- in /etc/sysconfig and-so-on all Susefirewall, suseconfigs deleted. Gateway with eth0 = extern, eth1 = intern. I took a book about firewall-design as blueprint and then adpted it to our situation here. the machine should be a router between a private network and the internet. i can do pop, http et.al. with policy set to iptables -P OUTPUT/FORWARD/INPUT ACCEPT with policy set to iptables -P O/F/I DROP nothing works except icmp; no dns, no http, no pop or smtp. I can set the icmp-chain to DROP and then pinging from the gateway is disabled, so the rules basically seems to work well. with iptables -P ACCEPT on all 3 chains everything works fine; but what about security then? i´m a bit confused about that; anyone a suggestion what my fault might be. !!The use of iptables -P .... DROP at the beginning as well as at the end of the script was recommended by the author of the book, Wolfgang Barth!! here´s the entire script: echo ³firewall initialising² # variables iptables="/usr/sbin/iptables" ex="eth0" in="eth1" ns="x.x.x.x" # Default Policy: $iptables -P INPUT DROP $iptables -P FORWARD DROP $iptables -P OUTPUT DROP # flush everything $iptables -F $iptables -t nat -F # NAT $iptables -X # local $iptables -A OUTPUT -o lo -j ACCEPT $iptables -A INPUT -i lo -j ACCEPT # Forwarding and Masquerading $iptables -t nat -A POSTROUTING -o $ex -j MASQUERADE echo 1 > /proc/sys/net/ipv4/ip_forward # connections $iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $iptables -A INPUT -m state --state NEW,INVALID -j DROP # icmp $iptables -A OUTPUT -p ICMP --icmp-type echo-request -j ACCEPT $iptables -A INPUT -p ICMP --icmp-type echo-request -j ACCEPT # Nameserver $iptables -A FORWARD -i $in -o $ex -m state --state NEW,ESTABLISHED,RELATED -d $ns -j ACCEPT $iptables -A FORWARD -i $ex -o $in -m state --state NEW,ESTABLISHED,RELATED -s $ns -j ACCEPT # HTTP $iptables -A FORWARD -i $in -o $ex -m state --state NEW,ESTABLISHED,RELATED -p TCP --dport http -j ACCEPT # POP und SMTP $iptables -A FORWARD -i $in -o $ex -m state --state ESTABLISHED,RELATED -p TCP --dport http -j ACCEPT $iptables -A FORWARD -i $ex -o $in -m state --state ESTABLISHED,RELATED -p TCP --dport http -j ACCEPT # the remainder: $iptables -A FORWARD -o $ex -j LOG --log-level info --log-prefix out_ $iptables -A FORWARD -i $ex -j LOG --log-level info --log-prefix in_ $iptables -A INPUT -j DROP $iptables -A FORWARD -j DROP $iptables -A OUTPUT -j DROP echo ³firewall up² -- http://www.ruebenschweine.de Try also: http://www.warzenpower.de +++ http://www.lars-und-sandra.de +++ http://www.r100rt.de Diese email wurde automatisch generiert, Sie können deshalb nicht darauf antworten; webmaster@warzenpower.de