[LUAU] help with iptables

Whoever Whatever totally.lost at gmail.com
Mon Oct 15 18:59:37 PDT 2007


Found my problem: rules added to the NAT table's PREROUTING chain were able
to block traffic to my local network, but still allow all ports
to the internet.  Took a while to read the iptables manpage and the
INPUT, FORWARD, OUTPUT and NAT chain documentation.

Thanks for the comment and help.


On 10/14/07, Eric Hattemer <hattenator at imapmail.org> wrote:
> Eric Hattemer wrote:
> > Whoever Whatever wrote:
> >
> >> Hi,
> >>     When I have a Linux box with two NICs, one $EXTIF (external) and
> >> one $INTIF (subnet=192.168.176.0/20), with IP masq turned on:
> >> iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
> >>
> >> how do I block $INTIF (192.168.176.0/20) from accessing ports (i.e. 80) on
> >> the Linux box (192.168.176.1), but still allow port 80 access using IP
> >> masq to the outside world?
> >>
> >> I tried the filters below, but I can still access port 80 after
> >> applying the rules:
> >> iptables -A INPUT -i $INTIF -p tcp -m tcp --dport 80 --syn -j DROP
> >> iptables -A FORWARD -i $INTIF -p tcp -m tcp --dport 80 --syn -j DROP
> >> iptables -A INPUT -p tcp -s 192.168.176.0/20 -d 192.168.176.1 --dport 80 -j DROP
> >>
> >> anyone know if it's possible?
> >>
> >>
> >
> > I don't know any iptables, because I've never had to.  Maybe someone on
> > the list will answer your question, but in the meantime, I strongly
> > suggest a program called fwbuilder.  You drag your rules around, and
> > when you're done, you can auto-generate scripts for every major
> > routing/firewall language you can think of.
> >
> But if you do have a pretty good idea of what you're doing and want to
> debug it, Phil Dibowitz wrote a nice program called IPTState at
> http://www.phildev.net/iptstate/ that shows you what iptables is up to
> in realtime.  It's of wide enough acclaim that you can probably find it
> in your local package management tool.
>
> -Eric Hattemer
>
> _______________________________________________
> LUAU at lists.hosef.org mailing list
> http://lists.hosef.org/cgi-bin/mailman/listinfo/luau
>
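An added example, not code from either post above: a minimal ruleset for the two-NIC setup described in the thread, written so that LAN hosts cannot reach port 80 on the router itself while their port-80 traffic to the internet is still forwarded and masqueraded. The interface names eth0/eth1, the IPT=echo dry-run hook and the helper names are assumptions; the LAN prefix and router address are the ones from the question. The policy is placed in the filter table's INPUT and FORWARD chains, and the chains are flushed before rules are added: -A appends, so a DROP appended after an existing ACCEPT for $INTIF or for ESTABLISHED traffic is never reached, which is one common reason a rule like the posted INPUT DROP appears not to work. drop_precedes_accept checks a dry-run listing for that ordering.

```shell
#!/bin/sh
# Added example (not from the list posts): two-NIC masquerading router that
# refuses LAN clients access to port 80 on the router itself but still
# forwards their port-80 traffic to the internet.
# Assumptions: interface names, the iptables binary in $IPT, helper names.
set -eu

EXTIF="${EXTIF:-eth0}"        # assumed external interface
INTIF="${INTIF:-eth1}"        # assumed internal interface
LAN="192.168.176.0/20"        # LAN prefix from the question
ROUTER_IP="192.168.176.1"     # router's LAN address from the question
IPT="${IPT:-iptables}"        # set IPT=echo for a dry run (prints the rules)

# Emit (or execute) the complete rule set.  Chains are flushed first so a
# stale ACCEPT appended earlier cannot shadow the DROP added below.
apply_rules() {
    $IPT -t filter -F INPUT
    $IPT -t filter -F FORWARD
    $IPT -t nat -F POSTROUTING

    # Default-deny for traffic to and through the router; the router's own
    # outbound traffic is allowed.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback, plus replies to connections the router or the LAN opened.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # The policy from the question: LAN hosts may not reach port 80 on the
    # router.  This rule must precede any broader ACCEPT for $INTIF, because
    # iptables stops at the first matching rule.
    $IPT -A INPUT -i "$INTIF" -s "$LAN" -d "$ROUTER_IP" -p tcp --dport 80 -j DROP

    # Other LAN-to-router services are accepted here only for illustration;
    # restrict this to the ports the router actually serves (ssh, DNS, ...).
    $IPT -A INPUT -i "$INTIF" -s "$LAN" -j ACCEPT

    # LAN -> internet forwarding, port 80 included, is allowed ...
    $IPT -A FORWARD -i "$INTIF" -o "$EXTIF" -s "$LAN" -j ACCEPT
    # ... and masqueraded behind the external interface's address.
    $IPT -t nat -A POSTROUTING -o "$EXTIF" -s "$LAN" -j MASQUERADE
}

# Forwarding is off by default; the filter rules alone do not route packets.
enable_forwarding() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Sanity check on a dry-run listing ($1): the LAN->router port-80 DROP must
# appear before the broad LAN->router ACCEPT, otherwise it never matches.
drop_precedes_accept() {
    drop_line=$(printf '%s\n' "$1" | grep -nF -- "-d $ROUTER_IP -p tcp --dport 80 -j DROP" | head -n 1 | cut -d: -f1)
    accept_line=$(printf '%s\n' "$1" | grep -nF -- "-A INPUT -i $INTIF -s $LAN -j ACCEPT" | head -n 1 | cut -d: -f1)
    if [ -n "$drop_line" ] && [ -n "$accept_line" ] && [ "$drop_line" -lt "$accept_line" ]; then
        return 0
    fi
    return 1
}

# Usage: sh fw.sh dry-run   (print the rules)   |   sh fw.sh apply (as root)
case "${1:-}" in
    apply)   apply_rules; enable_forwarding ;;
    dry-run) IPT=echo; apply_rules ;;
    *)       echo "usage: $0 apply|dry-run" >&2 ;;
esac
```

Run it with dry-run first and read the listing top to bottom; if the port-80 DROP does not appear before the ACCEPT for $INTIF, no packet will ever reach it. The same ordering check applies to any existing ruleset that the posted -A rules were appended to.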
