Firewall questions

Gabriel Gunderson gabe at gundy.org
Wed Mar 2 11:23:28 MST 2005


On Wed, 2005-03-02 at 11:56 -0500, JStay at mediageneral.com wrote:
> $IPT -t filter -A FORWARD -p tcp --sport 443 -m state --state
> RELATED,ESTABLISHED -j ACCEPT

This might not go to the heart of your question but it might be
helpful...

When using "--state RELATED,ESTABLISHED", it is enough to add the
rule once for all traffic coming back that you have allowed out in that
chain.  It should also work for stuff that has been NATed.  That will
help you clean stuff up a bit.

After doing that, just allow out http traffic from the proxy alone.

Lame example:
****************
$IPT -A FORWARD -m state --state RELATED,ESTABLISHED   -j ACCEPT
$IPT -A FORWARD -o $WAN -p tcp --dport 25 -s $MAIL_IP  -j ACCEPT
$IPT -A FORWARD -o $WAN -p tcp --dport 80 -s $PROXY_IP -j ACCEPT
$IPT -A FORWARD -o $WAN -p tcp --dport 8080            -j ACCEPT
$IPT -A FORWARD                                        -j DROP
****************

Without having tested it, that should let only the mail server send mail
out, only the http proxy surf, and a contrived rule that lets anyone
surf on port 8080 (whatever good that is!).  All the returning packets
are allowed by virtue of their relation to the outgoing traffic that you
have allowed.  The statefulness (if that's a word) of iptables is
supposed to cut down on the complexity of the rules while allowing more
control of the traffic.

Hope that helps (and that I understood the question ;)

Gabe
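An added example (not from Gabe's post or from the PLUG list) that models the five-rule FORWARD chain above as a small stateful evaluator, to show why a single RELATED,ESTABLISHED rule covers every reply to traffic the chain let out while unsolicited inbound packets still hit the final DROP. The interface names, addresses and the simplified conntrack table are assumptions.

```python
from dataclasses import dataclass

WAN, LAN = "wan", "lan"                        # assumed interface names ($WAN)
MAIL_IP, PROXY_IP = "10.0.0.25", "10.0.0.3"    # constructed $MAIL_IP / $PROXY_IP


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    sport: int
    dport: int
    out: str          # output interface, as matched by "-o"
    proto: str = "tcp"


class Firewall:
    """Toy stand-in for iptables' FORWARD chain plus a conntrack table."""

    def __init__(self):
        # flows the chain already accepted outbound: (src, sport, dst, dport)
        self.conntrack = set()

    def state(self, p):
        # A packet whose reversed 4-tuple is a known flow is its reply
        reverse = (p.dst, p.dport, p.src, p.sport)
        return "ESTABLISHED" if reverse in self.conntrack else "NEW"

    def forward(self, p):
        """Walk the rules from the post in order; return the verdict."""
        # $IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
        if self.state(p) == "ESTABLISHED":
            return "ACCEPT"
        verdict = "DROP"                      # $IPT -A FORWARD -j DROP
        if p.out == WAN and p.proto == "tcp":
            if p.dport == 25 and p.src == MAIL_IP:       # mail server only
                verdict = "ACCEPT"
            elif p.dport == 80 and p.src == PROXY_IP:    # proxy only
                verdict = "ACCEPT"
            elif p.dport == 8080:                        # the contrived rule
                verdict = "ACCEPT"
        if verdict == "ACCEPT":               # conntrack records the new flow
            self.conntrack.add((p.src, p.sport, p.dst, p.dport))
        return verdict


def scenario():
    """Constructed traffic: proxy request, its reply, a stray inbound, a LAN host."""
    fw, web = Firewall(), "203.0.113.10"
    out = Pkt(PROXY_IP, web, 40001, 80, WAN)          # proxy -> web server
    back = Pkt(web, PROXY_IP, 80, 40001, LAN)         # reply to that flow
    stray = Pkt(web, PROXY_IP, 80, 40002, LAN)        # no matching flow
    host = Pkt("10.0.0.50", web, 40003, 80, WAN)      # non-proxy host surfing
    return [fw.forward(x) for x in (out, back, stray, host)]
```

Running `scenario()` yields ACCEPT for the proxy's request and its reply, and DROP for both the unsolicited inbound packet and the ordinary LAN host trying port 80 directly.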



