[Tfug] iptables

Chris Hilton tfug@tfug.org
Sun Jul 21 18:47:01 2002


On Sun, 21 Jul 2002 09:42:39 -0700
"Paul Scott" <waterhorse@ultrasw.com> wrote:

> Chris Hilton wrote:
> > On Fri, 19 Jul 2002 20:31:01 -0700
> > "Paul Scott" <waterhorse@ultrasw.com> wrote:
> > 
> > 
> >>Paul Scott wrote:
> >>
> >>>Harry McGregor wrote:
> >>>
> >>I presume the module stuff is not a problem.  I do have iptables
> >>(and debugging) built into the kernel.
> >>
> >>Just to save you the trouble the lines producing the no match are:
> >>
> >>$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state \
> >>ESTABLISHED,RELATED -j ACCEPT
> >>$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
> >>$IPTABLES -A FORWARD -j LOG
> >>
> > 
> > Try each of the lines at the command line.  Which one bails out?
> 
> The first one:
> 
> After a lot of reading and searching I found this;
> 
> http://netfilter.samba.org/unreliable-guides/packet-filtering-HOWTO/packet-filtering-HOWTO.linuxdoc.html#toc5
> 
> which said what you said and mentioned some modules which when I
> didn't have them I rechecked my kernel configuration and realized that
> there were some kernel components whose menuconfig help had said "if
> not sure, say no."  That included one or more for matching.  I just
> built a new kernel and those lines all work now.
> 
> I need to finish reading the above document because everything else I 
> have found doesn't explain iptables well enough for me to feel that I 
> know what to do to have a safe system.
> 
> Thanks much,
> 
> Paul

Checking your kernel config was next : )

Have you looked at something like shorewall, smoothwall, ipcop or
similar?  They will get firewalling/forwarding up and functioning for
you while you study up.  Smoothwall and ipcop are intended for
stand-alone firewall/router boxes; shorewall can be used (not the best
idea) on a machine that also serves as a workstation or server.

-C-
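As an added example, not code from the thread: a small script that applies the quoted FORWARD rules with a default-deny chain policy and first checks whether the running kernel provides the `state` match, which is what the missing kernel option broke for Paul. The interface names are placeholders, the `/proc/net/ip_tables_matches` check is an assumption that only holds on 2.6 and later kernels (not the 2.4 kernels of the thread), and the rate-limited LOG rule goes beyond the quoted lines; `IPTABLES=echo` turns the whole thing into a dry run.

```shell
#!/bin/sh
# Added example, not from the thread. Applies the quoted FORWARD rules with a
# default-deny policy and checks first that the kernel offers the "state" match.
# Assumptions: interface names are placeholders; /proc/net/ip_tables_matches
# exists only on 2.6+ kernels; IPTABLES=echo turns the script into a dry run.
set -e

EXTIF=${EXTIF:-eth0}            # placeholder: interface facing the Internet
INTIF=${INTIF:-eth1}            # placeholder: interface facing the LAN
IPTABLES=${IPTABLES:-iptables}

# Returns 0 if the kernel lists the match (e.g. "state"), 1 if the list exists
# but lacks it, 2 if the kernel publishes no list at all (older kernels): the
# caller then falls back to just trying the rule, which is how "no match" showed up.
have_match() {
    f=/proc/net/ip_tables_matches
    [ -r "$f" ] || return 2
    grep -qx "$1" "$f"
}

check_kernel() {
    rc=0
    have_match state || rc=$?
    if [ "$rc" -eq 1 ]; then
        echo "kernel has no 'state' match (CONFIG_IP_NF_MATCH_STATE): rebuild or load ipt_state" >&2
        return 1
    fi
}

forward_rules() {
    # Set the policy before flushing so nothing is forwarded while the chain is empty.
    $IPTABLES -P FORWARD DROP
    $IPTABLES -F FORWARD
    # Replies to connections opened from the LAN (the line that failed in the thread).
    $IPTABLES -A FORWARD -i "$EXTIF" -o "$INTIF" -m state \
        --state ESTABLISHED,RELATED -j ACCEPT
    # New connections from the LAN outwards.
    $IPTABLES -A FORWARD -i "$INTIF" -o "$EXTIF" -j ACCEPT
    # Log whatever falls through, rate-limited so a flood cannot fill the log;
    # the DROP policy set above then discards it.
    $IPTABLES -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
}

main() {
    check_kernel
    forward_rules
}

# Run as: sh fw.sh apply   (IPTABLES=echo sh fw.sh apply for a dry run)
case ${1:-} in apply) main ;; esac
```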