Changes between Initial Version and Version 1 of IPtablesRules

Timestamp: 09/03/07 20:58:07
Author: victor (IP: 192.168.0.101)
= IPtables Rules =

The rules created by Vuurmuur can be shown by running the vuurmuur command with the bash output option (-b).

=== Output rule ===

A normal output rule with logging enabled. The first iptables line is the logging rule, the second accepts the traffic; both match only the first packet of a new connection (--syn together with state NEW), so the rest of the connection is not logged packet by packet. For an output rule, select firewall as the source of the rule.
{{{
Accept service http from firewall to world.inet options log,logprefix="http out"
/sbin/iptables -t filter -A OUTPUT -o eth0 -p tcp -m tcp --syn -s 1.2.3.4/255.255.255.255 --sport 1024:65535 -d 0.0.0.0/0.0.0.0 --dport 80 -m state --state NEW -j LOG --log-prefix "vrmr: ACCEPT http out "
/sbin/iptables -t filter -A OUTPUT -o eth0 -p tcp -m tcp --syn -s 1.2.3.4/255.255.255.255 --sport 1024:65535 -d 0.0.0.0/0.0.0.0 --dport 80 -m state --state NEW -j ACCEPT
}}}

=== Input rule ===

For an input rule, select the firewall as destination. Also shown here is the rule limit. This rule will match only one time per second on average, with a burst of 2. Note that the limit is applied to both iptables lines separately (each -m limit keeps its own token bucket), and that new connections exceeding the limit are simply not matched: they are neither logged nor accepted by these lines and continue down the INPUT chain to whatever rule or chain policy follows.
{{{
Accept service ssh from world.inet to firewall options log,logprefix="ssh in",limit="1",burst="2"
/sbin/iptables -t filter -A INPUT -i eth0 -p tcp -m tcp --syn -s 0.0.0.0/0.0.0.0 --sport 1024:65535 -d 1.2.3.4/255.255.255.255 --dport 22 -m limit --limit 1/s --limit-burst 2 -m state --state NEW -j LOG --log-prefix "vrmr: ACCEPT ssh in "
/sbin/iptables -t filter -A INPUT -i eth0 -p tcp -m tcp --syn -s 0.0.0.0/0.0.0.0 --sport 1024:65535 -d 1.2.3.4/255.255.255.255 --dport 22 -m limit --limit 1/s --limit-burst 2 -m state --state NEW -j ACCEPT
}}}

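To make the limit behaviour concrete, here is an added simulation (not Vuurmuur code and not the kernel's xt_limit source) of how the two INPUT lines above treat a burst of new SSH connections. It models the limit match as a token bucket that starts full at --limit-burst, refills continuously at --limit, and fails to match when empty, so the packet falls through to the next rule. The arrival times and the DROP chain policy are constructed assumptions.

```python
"""Simulate '-m limit --limit 1/s --limit-burst 2' on the page's INPUT rules.

Constructed model, not kernel code: each rule with -m limit keeps its own
token bucket.  The bucket starts full (--limit-burst tokens), refills at
--limit tokens per second, and a packet matches only if a whole token is
available.  When the match fails the rule is skipped; nothing drops the
packet here, it just moves on to the next rule or the chain policy.
"""


class LimitMatch:
    """Token bucket equivalent of one '-m limit --limit R/s --limit-burst B'."""

    def __init__(self, rate_per_s, burst):
        self.rate = float(rate_per_s)
        self.burst = float(burst)
        self.credit = float(burst)   # bucket starts full
        self.last = 0.0              # time of the previous packet

    def match(self, now):
        # Continuous refill, capped at the burst size.
        self.credit = min(self.burst, self.credit + (now - self.last) * self.rate)
        self.last = now
        if self.credit >= 1.0:
            self.credit -= 1.0
            return True
        return False


def walk_input_chain(arrivals, rate_per_s=1.0, burst=2, policy="DROP"):
    """Return the verdict for each new SSH SYN arriving at the given times.

    Models the page's two INPUT lines: LOG then ACCEPT, each with its own
    limit bucket (iptables keeps separate match state per rule).  Both see
    the same packets at the same times, so they stay in step.  'policy' is
    an assumed chain policy for packets that match neither line.
    """
    log_rule = LimitMatch(rate_per_s, burst)
    accept_rule = LimitMatch(rate_per_s, burst)
    verdicts = []
    for t in arrivals:
        logged = log_rule.match(t)
        if accept_rule.match(t):
            verdicts.append("ACCEPT (logged)" if logged else "ACCEPT")
        else:
            # Neither line matched: the packet falls off the end of the chain.
            verdicts.append(f"{policy} (policy)")
    return verdicts


# Constructed arrival times (seconds) of NEW SYNs to port 22 from one client:
# four in the first 0.3 s, then one at 1.5 s, then two around 3 s.
ARRIVALS = [0.0, 0.1, 0.2, 0.3, 1.5, 3.0, 3.1]

if __name__ == "__main__":
    for t, verdict in zip(ARRIVALS, walk_input_chain(ARRIVALS)):
        print(f"t={t:4.1f}s  {verdict}")
```

The first two SYNs use up the burst, the third and fourth are not matched and hit the chain policy, and by 1.5 s one token has been refilled again. The practical consequence is that a limit on an ACCEPT rule only rate-limits what that rule accepts; it does not by itself block or log the excess.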
=== Firewall vs. Firewall(any) ===

Here is a simple example of an incoming ftp rule in both forms. With 'firewall' as destination, the rule matches only the IP address of the interface attached to the network 'world.inet' (the -d match). With 'firewall(any)' the -d match is omitted entirely, so no filtering on the firewall's own IP address is done; the -i eth0 match remains, so the traffic must still arrive on that interface. This can be useful if you want to be able to ftp to the addresses of the firewall's other interfaces as well, but it also makes the rule match any local address reached through eth0, so prefer plain 'firewall' unless you need that.
{{{
Accept service ftp from world.inet to firewall
/sbin/iptables -t filter -A INPUT -i eth0 -p tcp -m tcp --syn -s 0.0.0.0/0.0.0.0 --sport 1024:65535 -d 1.2.3.4/255.255.255.255 --dport 21 -m state --state NEW -j ACCEPT
}}}
{{{
Accept service ftp from world.inet to firewall(any)
/sbin/iptables -t filter -A INPUT -i eth0 -p tcp -m tcp --syn -s 0.0.0.0/0.0.0.0 --sport 1024:65535 --dport 21 -m state --state NEW -j ACCEPT
}}}
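The mapping shown in the three sections above (chain and interface direction from whether firewall is source or destination, the -d match dropped for firewall(any), the optional LOG line with the "vrmr:" prefix, and the limit/burst options) can be written down as a small translator. The following is an added example, not Vuurmuur's own code: the service and zone tables are constructed to mirror the page (eth0, 1.2.3.4, unprivileged source ports), the real program reads them from its configuration, and only TCP services and the two rule directions the page shows are handled.

```python
"""Translate Vuurmuur-style rule lines into the iptables lines shown above.

Added example, not Vuurmuur code.  SERVICES, FIREWALL_IP and NETWORKS are
constructed stand-ins for Vuurmuur's service and zone configuration, chosen
to reproduce the page's output exactly.
"""
import re

IPTABLES = "/sbin/iptables"
SERVICES = {"http": ("tcp", 80), "ssh": ("tcp", 22), "ftp": ("tcp", 21)}
FIREWALL_IP = "1.2.3.4/255.255.255.255"            # address of eth0 (assumed)
NETWORKS = {"world.inet": ("eth0", "0.0.0.0/0.0.0.0")}
ANY_SPORT = "1024:65535"                            # unprivileged source ports

RULE_RE = re.compile(
    r"^(?P<action>Accept|Drop|Reject) service (?P<svc>\S+) from (?P<src>\S+) "
    r"to (?P<dst>\S+)(?: options (?P<opts>.+))?$"
)
OPT_RE = re.compile(r'(\w+)(?:="([^"]*)")?')        # flag or flag="value"


def parse_options(text):
    """'log,logprefix="ssh in",limit="1",burst="2"' -> {flag: value}."""
    return {k: v for k, v in OPT_RE.findall(text or "")}


def translate(rule):
    """Return the iptables command(s) for one rule line, LOG line first."""
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError(f"unrecognised rule: {rule!r}")
    proto, port = SERVICES[m["svc"]]
    if proto != "tcp":
        raise NotImplementedError("this example handles TCP services only")
    opts = parse_options(m["opts"])
    src, dst = m["src"], m["dst"]

    if src == "firewall":                       # firewall -> network: OUTPUT, -o
        chain, iface_flag, (iface, net_addr) = "OUTPUT", "-o", NETWORKS[dst]
        src_addr, dst_addr = FIREWALL_IP, net_addr
    elif dst in ("firewall", "firewall(any)"):  # network -> firewall: INPUT, -i
        chain, iface_flag, (iface, net_addr) = "INPUT", "-i", NETWORKS[src]
        src_addr = net_addr
        # firewall(any): no -d match at all, so any local address matches.
        dst_addr = FIREWALL_IP if dst == "firewall" else None
    else:
        raise NotImplementedError("forwarding rules are not covered here")

    parts = [IPTABLES, "-t", "filter", "-A", chain, iface_flag, iface,
             "-p", "tcp", "-m", "tcp", "--syn",
             "-s", src_addr, "--sport", ANY_SPORT]
    if dst_addr:
        parts += ["-d", dst_addr]
    parts += ["--dport", str(port)]
    if "limit" in opts:                         # per-rule token bucket
        parts += ["-m", "limit", "--limit", f"{opts['limit']}/s"]
        if "burst" in opts:                     # otherwise iptables' default (5)
            parts += ["--limit-burst", opts["burst"]]
    parts += ["-m", "state", "--state", "NEW"]
    base = " ".join(parts)

    target = m["action"].upper()
    cmds = []
    if "log" in opts:
        # Vuurmuur's prefix: "vrmr: <TARGET> <logprefix> " (trailing space kept).
        prefix = " ".join(filter(None, ["vrmr:", target, opts.get("logprefix")])) + " "
        cmds.append(f'{base} -j LOG --log-prefix "{prefix}"')
    cmds.append(f"{base} -j {target}")
    return cmds


if __name__ == "__main__":
    for rule in (
        'Accept service http from firewall to world.inet options log,logprefix="http out"',
        'Accept service ssh from world.inet to firewall options log,logprefix="ssh in",limit="1",burst="2"',
        "Accept service ftp from world.inet to firewall(any)",
    ):
        print(rule)
        print("\n".join(translate(rule)))
```

Running it prints the same iptables lines the page lists for each rule, which makes it a convenient way to check what a change in the Vuurmuur rule text (adding limit, switching firewall to firewall(any)) does to the generated filter before applying it.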