[Nelug] Re: [general] iptables doing unwanted logging

Richard Mortimer - Volume Systems Products Richard.Mortimer at sun.com
Mon Aug 18 14:25:00 UTC 2003


On Thu, 2003-08-14 at 13:43, James Barton wrote:
> > why do you set the default of FORWARD to ACCEPT by default? That sounds
> > like it opens up the possibility of allowing all sorts through if you
> > get a rule wrong.
> 
> You're right. It was basically the end of my patience. I'd removed or
> secured every application I could find on my internal network, then spent
> time finding out what worked and what didn't in configuring INPUT and
> OUTPUT (with whatever results...), and I simply couldn't be bothered to
> fiddle with the FORWARD rules. I was having more trouble with them than
> with anything else, I was unaware of any danger from external sources, and
> I implicitly trust all the internal machines. But yes, it could be a lot
> more secure.
> 

I just ended up creating a common rule for both INPUT and FORWARD and
directing the two to that rule with a few overrides where I wanted the
behaviour to be different.

> > Side note that the next rule undoes all of the work that you have done
> > in the rule above 'cos it allows everything else through!
> 
> Does it?
> I thought that:
> $IPTABLES -A FORWARD -i $INTERNAL_IF_1 -o $EXTERNAL_IF_1 -j ACCEPT
> 
> would allow connection to the rest of the Internet from any machine
> connecting over eth1. Am I mistaken?
> 

Doh. I should learn to read what you write too! Yes, I got your externals
mixed up with the internals. I guess that suggests that the guy who
wrote the template for this, i.e. the use of EXTERNAL_ and INTERNAL_,
should have chosen names that don't look too similar. Anyway, what you
have looks fine.


If you are still having problems with your config we could have a play
at the next group meeting. I can bring down a multihomed box or two to
aid this, but give me a few days' notice if that is needed.

Richard


-- 
Richard Mortimer               |  Email: Richard.Mortimer at sun.com
Sun Microsystems Inc.          |  Phone: +44 (0)1207 585514 (x10614)
Medomsley Road, Consett,       |  Fax:   +44 (0)1207 585592
Co. Durham, DH8 6TJ, UK.       |
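Putting the shared-chain approach described above into a script, as an added example that is not from the thread or its authors: both INPUT and FORWARD jump to one user-defined chain, chain-specific overrides sit before the jump, and FORWARD defaults to DROP so a mistaken rule fails closed. The interface names, the chain name `common` and the dry-run wrapper are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread. Interface names,
# the chain name "common" and the DRY_RUN wrapper are assumptions.
IPTABLES="${IPTABLES:-iptables}"
INTERNAL_IF_1="${INTERNAL_IF_1:-eth1}"
EXTERNAL_IF_1="${EXTERNAL_IF_1:-eth0}"
# DRY_RUN=1 prints the commands instead of running them (needs no root)
DRY_RUN="${DRY_RUN:-1}"

# Print or execute one iptables command depending on DRY_RUN
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

build_firewall() {
    # Default-deny for INPUT and FORWARD: a wrong rule then blocks
    # traffic rather than letting it through
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # One chain holding the filtering INPUT and FORWARD have in common:
    # allow replies to existing connections, drop new ones from outside
    ipt -N common
    ipt -A common -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A common -i "$EXTERNAL_IF_1" -m state --state NEW -j DROP

    # Chain-specific overrides go before the jump so they win
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A FORWARD -i "$INTERNAL_IF_1" -o "$EXTERNAL_IF_1" -j ACCEPT

    # Everything else in both chains goes through the shared chain;
    # anything it does not accept falls to the DROP policy
    ipt -A INPUT -j common
    ipt -A FORWARD -j common
}

# Report the order in which two rule patterns were emitted (dry run)
rule_position() {
    build_firewall | grep -n -- "$1" | cut -d: -f1
}
```

Run with `DRY_RUN=0` as root to apply; the default prints the rule set so you can read the order before touching a live box.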
