[plug] configing iptables
Leon Brooks
leon at brooks.fdns.net
Mon Jul 22 12:46:35 WST 2002
On Mon, 22 Jul 2002 10:30, bob wrote:
> On Mon, 2002-07-22 at 10:08, Leon Brooks wrote:
>> Try http://monmotha.mplug.org/
> Yep, tried that one already. Seems to be broken for debian :(.
What? All it requires is BASH and iptables. How hard is that? Try modprobe-ing
or insmod-ding the following modules if you don't have the kernel module
daemon going (this list is from a machine running monmotha and service DNS,
mail, web):
ip_tables (d'oh?)
ipt_TOS (monmotha uses for QoSsing)
ipt_state (for explicit stateful matches like RELATED,ESTABLISHED)
ipt_REJECT (if you REJECT anything instead of DROPping the lot)
ipt_LOG (if you care)
ipt_limit (monmotha uses for rate limiting/marginal DoS protection)
ipt_MASQUERADE (may also like ip_conntrack_ftp and ip_conntrack_irc)
iptable_mangle (for the `mangle' table, monmotha uses that for QoSsing)
iptable_nat (required for any kind of NAT/Masq-ing)
ip_conntrack (required for anything stateful)
iptable_filter (for the basic `filter' tables)
Check in /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ for any other
candidates.
> A lot are broken for debian and a lot can't
> cope with the concept of firewalling ppp0 without ppp0 being up and
> exposed before even talking about it.
Monmotha will use iptables to firewall almost anything you like, up or not,
including `ppp+' for example.
> iptables -A INPUT -i eth0 -p all -j ACCEPT
> iptables -A OUTPUT -o eth0 -p all -j ACCEPT
> ... bunch of rules about services and ppp0 followed by...
> iptables -A INPUT -p all -s 192.168.0.0/16 -i ppp0 -j DROP
> iptables -A INPUT -i ppp0 -j DROP
> ie, everything on eth0 is ok, anything arriving on ppp0 purporting to
> be 192.168... is to be dropped as is everything else not already
> covered.
Then also do at least these too:
0.0.0.0/8
10.0.0.0/8
127.0.0.0/8
172.16.0.0/12
I have a *big* list somewhere.
> Is that ok? or is there a better way of doing what I want.
Yes, use Monmotha. (-: 10-15 answers, one run, all done :-)
Cheers; Leon
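As an added example, not part of Leon's or bob's posts and not Monmotha's code: a small POSIX sh script that checks the module list above against /proc/modules, modprobes whatever is missing, and appends the anti-spoofing DROP rules for the networks Leon names (plus bob's 192.168.0.0/16) on the ppp interface. MODULES_FILE, MODPROBE and IPT are variables assumed here, not iptables features, so the logic can be dry-run without root (for instance MODPROBE=true IPT=echo).

```shell
#!/bin/sh
# Added example, not from the original posts or from Monmotha.
# MODULES_FILE, MODPROBE and IPT are assumptions of this script: they default
# to the real things and can be overridden (e.g. MODPROBE=true IPT=echo) to
# dry-run the logic without root.
MODULES_FILE="${MODULES_FILE:-/proc/modules}"
MODPROBE="${MODPROBE:-modprobe}"
IPT="${IPT:-iptables}"

# The netfilter modules named in the post. modprobe resolves dependencies,
# so order only matters if you insmod by hand. ip_conntrack_ftp and
# ip_conntrack_irc are optional extras for masquerading those protocols.
required_modules() {
    cat <<'EOF'
ip_tables
ip_conntrack
iptable_filter
iptable_mangle
iptable_nat
ipt_state
ipt_limit
ipt_LOG
ipt_REJECT
ipt_TOS
ipt_MASQUERADE
EOF
}

# Succeeds if module $1 appears in the first column of MODULES_FILE.
module_loaded() {
    [ -r "$MODULES_FILE" ] || return 1
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }' "$MODULES_FILE"
}

# Prints the required modules that are not yet loaded.
missing_modules() {
    for mod in $(required_modules); do
        module_loaded "$mod" || echo "$mod"
    done
}

# Loads every missing module; reports failures but keeps going, and returns
# non-zero if any load failed so the caller can stop before loading rules.
load_missing_modules() {
    rc=0
    for mod in $(missing_modules); do
        if "$MODPROBE" "$mod"; then
            echo "loaded $mod"
        else
            echo "failed to load $mod" >&2
            rc=1
        fi
    done
    return $rc
}

# Source networks that must never arrive from the Internet side: the four
# Leon names plus bob's 192.168.0.0/16.
bogon_networks() {
    cat <<'EOF'
0.0.0.0/8
10.0.0.0/8
127.0.0.0/8
172.16.0.0/12
192.168.0.0/16
EOF
}

# Appends one DROP rule per bogon network for packets arriving on interface
# $1 (a wildcard such as ppp+ works too). Run this before any rule that
# ACCEPTs on that interface; a later DROP cannot undo an earlier ACCEPT.
antispoof_rules() {
    iface="$1"
    [ -n "$iface" ] || { echo "usage: antispoof_rules IFACE" >&2; return 2; }
    for net in $(bogon_networks); do
        "$IPT" -A INPUT -i "$iface" -s "$net" -j DROP || return 1
    done
}

# Typical use: ./antispoof.sh apply ppp+  (guarded so that sourcing the file
# for its functions does not fire any rules).
if [ "${1:-}" = "apply" ]; then
    load_missing_modules && antispoof_rules "${2:-ppp+}"
fi
```

The interface argument is given as a pattern rather than a fixed name so the rules are in place before the link comes up, which is the ppp0 problem bob describes; `IPT=echo antispoof_rules ppp+` prints exactly what would be loaded.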