[Nelug] Re: [general] iptables doing unwanted logging
Richard Mortimer - Volume Systems Products
Richard.Mortimer at sun.com
Mon Aug 18 14:25:00 UTC 2003
On Thu, 2003-08-14 at 13:43, James Barton wrote:
> > why do you set the default of FORWARD to ACCEPT by default? That sounds
> > like it opens up the possibility of allowing all sorts through if you
> > get a rule wrong.
> You're right. It was basically the end of my patience. I'd removed or
> secured every application I could find on my internal network, then spent
> time finding out what worked and what didn't in configuring INPUT and
> OUTPUT (with whatever results...), and I simply couldn't be bothered to
> fiddle with the FORWARD rules. I was having more trouble with them than
> with anything else, I was unaware of any danger from external sources, and
> I implicitly trust all the internal machines. But yes, it could be a lot
> more secure.
I just ended up creating a common rule for both INPUT and FORWARD and
directing the two to that rule with a few overrides where I wanted the
behaviour to be different.
> > Side note that the next rule undoes all of the work that you have done
> > in the rule above 'cos it allows everything else through!
> Does it?
> I thought that:
> $IPTABLES -A FORWARD -i $INTERNAL_IF_1 -o $EXTERNAL_IF_1 -j ACCEPT
> would allow connection to the rest of the Internet from any machine
> connecting over eth1. Am I mistaken?
Doh. I should learn to read what you write too! Yes I got your externals
mixed up with the internals. I guess that suggests that the guy who
wrote the template for this i.e. the use of EXTERNAL_ and INTERNAL_
should have chose names that don't look too similar. Anyway what you
have looks fine.
If you are still having problems with your config we could have a play
at the next group meeting. I can bring down a multihomed box or two to
aid this but give me a few days notice if that is needed.
Richard Mortimer | Email: Richard.Mortimer at sun.com
Sun Microsystems Inc. | Phone: +44 (0)1207 585514 (x10614)
Medomsley Road, Consett, | Fax: +44 (0)1207 585592
Co. Durham, DH8 6TJ, UK. |
More information about the Nelug