Firewall questions

Gabriel Gunderson gabe at
Wed Mar 2 11:23:28 MST 2005

On Wed, 2005-03-02 at 11:56 -0500, JStay at wrote:
> $IPT -t filter -A FORWARD -p tcp --sport 443 -m state --state

This might not go to the heart of your question, but it might be

When using "--state RELATED,ESTABLISHED", it is enough to add the
rule once for all traffic coming back that you have allowed out in that
chain.  It should also work for stuff that has been NATed.  That will
help you clean stuff up a bit.

After doing that, just allow out http traffic from the proxy alone.

Lame example:
# assumes the RELATED,ESTABLISHED rule described above is already first in FORWARD
$IPT -A FORWARD -o $WAN -p tcp --dport 25 -s $MAIL_IP  -j ACCEPT   # mail server: SMTP out
$IPT -A FORWARD -o $WAN -p tcp --dport 80 -s $PROXY_IP -j ACCEPT   # proxy: HTTP out
$IPT -A FORWARD -o $WAN -p tcp --dport 8080            -j ACCEPT   # anyone: port 8080 (contrived)
$IPT -A FORWARD                                        -j DROP     # everything else

Without having tested it, that should let only the mail server send mail
out, only the http proxy surf, and a contrived rule that lets anyone
surf on port 8080 (whatever good that is!).  All the returning packets
are allowed by virtue of their relation to the outgoing traffic that you
have allowed.  The statefulness (if that's a word) of iptables is
supposed to cut down on the complexity of the rules while allowing more
control of the traffic.

Hope that helps (and that I understood the question ;)
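The approach described in the reply, written out as one complete FORWARD chain. This is an added example, not code from the original post: the interface names, addresses and the LOG/INVALID rules are assumptions, and the script only prints the iptables commands unless IPT is set to the real binary, so it can be reviewed before being applied as root.

```shell
#!/bin/sh
# Added example (not from the original post): a minimal stateful FORWARD chain.
# Interface names and addresses below are placeholders; adjust them.
# Default IPT just echoes the commands; set IPT="iptables" to apply for real.
IPT="${IPT:-echo iptables}"
WAN="${WAN:-eth0}"              # assumed outside interface
LAN="${LAN:-eth1}"              # assumed inside interface
MAIL_IP="${MAIL_IP:-192.168.1.10}"   # assumed mail server
PROXY_IP="${PROXY_IP:-192.168.1.11}" # assumed http proxy

# Emit the FORWARD chain in order. Order matters: the single state rule
# goes first so every reply packet is accepted before the per-host rules
# are consulted, and the catch-all DROP goes last.
forward_rules() {
    # Default-deny policy plus a flush, so a missing rule fails closed.
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    # One rule covers all return traffic for every connection allowed below,
    # including NATed connections, because conntrack tracks them the same way.
    $IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    # Packets that belong to no known connection and do not start one.
    $IPT -A FORWARD -m state --state INVALID -j DROP
    # Only the mail server may open SMTP connections to the outside.
    $IPT -A FORWARD -i $LAN -o $WAN -s $MAIL_IP -p tcp --dport 25 \
        -m state --state NEW -j ACCEPT
    # Only the proxy may open web connections to the outside.
    $IPT -A FORWARD -i $LAN -o $WAN -s $PROXY_IP -p tcp -m multiport --dports 80,443 \
        -m state --state NEW -j ACCEPT
    # Everything else: rate-limited log, then drop.
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FORWARD drop: "
    $IPT -A FORWARD -j DROP
}

# Helpers for checking the generated rule list without touching a live firewall.
rule_count()   { forward_rules | grep -c ' -A FORWARD '; }
first_append() { forward_rules | grep ' -A FORWARD ' | head -n 1; }
last_append()  { forward_rules | grep ' -A FORWARD ' | tail -n 1; }

forward_rules
```

Run it as-is to review the commands it would issue; then `IPT=iptables sh script.sh` as root to install them. The NEW match on the per-host rules is what makes the single RELATED,ESTABLISHED rule sufficient: every later packet of those connections, in either direction, is matched by the first rule and never reaches the per-host rules.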


More information about the PLUG mailing list