Hello everyone,
I'm attempting to set up a firewall that follows the "deny everything, except
what I specify" line of thinking. The specific issue I am working on now
involves the FORWARD chain. I have set the default policy like this:
iptables -P FORWARD DROP
I then specifically DROP some items (i.e., packets coming from the Internet
with a source address of 192.168.0.0/16). Then, to allow me to browse Web
pages, I put in 4 lines:
iptables -A FORWARD -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -p udp --dport 80 -j ACCEPT
iptables -A FORWARD -p tcp --sport 80 -j ACCEPT
iptables -A FORWARD -p udp --sport 80 -j ACCEPT
This works, and I have done the same for POP and SMTP. However, I am sure
there is a cleaner way to do it. I tried using the --port argument, but got an error:
unkown arg '--port'
The --port argument is described in the man pages, as being part of a
"multiport" module. Does this refer to an actual module that needs to be
compiled into the kernel? And will it simplify the above rules to just 2
lines, one for tcp and one for udp?
Once I get this forward chain working, I'm gonna begin work on the nat table,
so let me know if you get tired of iptables questions :)
Thanks,
Doug
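The rule set from the question rewritten with the multiport match and stateful return traffic, as an added example that is not part of the original post or its replies. It assumes eth0 is the Internet-facing interface and eth1 the LAN side, uses the real ports for POP3 (110) and SMTP (25), drops the UDP rules because HTTP, POP3 and SMTP are TCP-only services, and replaces the `--sport` ACCEPTs (which would forward any packet whose source port happens to be 80, 110 or 25) with a conntrack rule that only lets replies to LAN-initiated connections through.

```shell
#!/bin/sh
# Added example (not from the original post): the four-rules-per-service
# pattern from the question collapsed with the multiport match, plus
# stateful return traffic instead of blanket --sport ACCEPTs.
# Dry run by default (prints the commands); run as root with IPT=iptables
# to actually apply them.
IPT="${IPT:-echo iptables}"

# multiport is a separate netfilter match extension (xt_multiport on
# current kernels, ipt_multiport on 2.4). Its options are only parsed
# after "-m multiport" appears on the command line, so this probe shows
# whether the extension is usable on this host (exit 0 = available).
has_multiport() {
    iptables -m multiport -h >/dev/null 2>&1
}

apply_forward_rules() {
    $IPT -P FORWARD DROP
    # Anti-spoofing: RFC1918 sources must never arrive from the Internet
    # (eth0 is an assumed interface name).
    $IPT -A FORWARD -i eth0 -s 192.168.0.0/16 -j DROP
    # Replies only for connections the LAN already opened. This replaces
    # the --sport 80/110/25 ACCEPT rules. On old kernels without the
    # conntrack match use: -m state --state ESTABLISHED,RELATED
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # LAN (eth1, assumed) to Internet: web, POP3 and SMTP in a single
    # TCP rule via multiport; no UDP rule is needed for these services.
    $IPT -A FORWARD -i eth1 -o eth0 -p tcp -m multiport --dports 80,110,25 \
         -m conntrack --ctstate NEW -j ACCEPT
}

apply_forward_rules
```

Run it once with the default dry run to review the generated commands, then re-run with `IPT=iptables` as root to load them.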
This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 19:58:12 EDT