Checking the Input, Output, and Forwarding Rules
Now that you've seen what a firewall chain listing looks like and what
formatting options are available, we'll go through brief lists of
INPUT, OUTPUT, and FORWARD rules. The sample rules are representative of
some of the rules you'll most likely use yourself.
Checking the Input Rules
Your input rules are mostly ACCEPT rules when the default policy is
DROP. Everything is denied, by default, and you explicitly define what
will be accepted. Remember that packets arriving on the INPUT chain
are targeted to the local host. The following example contains a
representative sample of input acceptance rules:
> iptables -v -L INPUT
Chain INPUT (policy DROP 0 packets, 0 bytes)
     pkts bytes target  prot opt in   out  source               destination
1       4   390 ACCEPT  all  --  lo   any  anywhere             anywhere
2      59  2599 ACCEPT  all  --  any  any  anywhere             anywhere             state RELATED,ESTABLISHED
3       0     0 DROP    all  --  !lo  any  choke.dmz.lan        anywhere
4       0     0 DROP    all  --  !lo  any  router.private.lan   anywhere
5       0     0 DROP    all  --  eth0 any  ! .private.lan       anywhere
6       0     0 ACCEPT  udp  --  eth0 any  .private.lan         router.private.lan   udp spt:1024:65535 dpt:domain state NEW
7       0     0 REJECT  tcp  --  eth1 any  anywhere             choke.dmz.lan        tcp spts:1024:65535 dpt:auth state NEW
8       0     0 ACCEPT  udp  --  eth0 any  jet.private.lan      255.255.255.255      udp spt:ntp dpt:ntp state NEW
9       0     0 ACCEPT  tcp  --  any  any  anywhere             anywhere             tcp flags:FIN,ACK/FIN,ACK
10      0     0 LOG     all  --  any  any  anywhere             anywhere             LOG level warning
The default policy for incoming packets is DROP. Denied packets are
simply dropped without any notification being returned to the source
address. There are 10 rules on the chain:
* Line 1: All packets arriving on the loopback interface are accepted.
* Line 2: All incoming packets identified as part of a previously accepted connection or exchange, or a packet related to one, are accepted.
* Line 3: Any packet arriving on any interface except the loopback interface that claims to be from this machine's external DMZ network interface is dropped.
* Line 4: Any packet arriving on any interface except the loopback interface that claims to be from this machine's internal private LAN network interface is dropped.
* Line 5: Any packet arriving on the internal private LAN interface that claims to be from a source address other than an address within the internal private LAN network is dropped.
* Line 6: UDP DNS client requests from hosts in the private LAN are accepted.
* Line 7: All incoming TCP packets destined for the local identd server at AUTH service port 113 are rejected. An ICMP error notification Type 3, Service Unavailable, will be returned to the source address.
* Line 8: Limited broadcasts from the local printer to the UDP ntp time server port 123 are accepted.
* Line 9: FIN/ACK packets from anywhere are accepted.
* Line 10: All other incoming packets are logged before being dropped by the default policy.
Checking the Output Rules
Your output rules are mostly ACCEPT rules when the default policy is
DROP. Everything is blocked, by default. You explicitly define what
will be accepted. The following example contains a representative
sample of output acceptance rules:
> iptables -L OUTPUT
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
     pkts bytes target  prot opt in   out  source               destination
1      34  3558 ACCEPT  all  --  any  lo   anywhere             anywhere
2      92 12721 ACCEPT  all  --  any  any  anywhere             anywhere             state RELATED,ESTABLISHED
3       1    82 ACCEPT  udp  --  any  eth1 choke.dmz.lan        nameserver.dmz.lan   udp spt:domain dpt:domain state NEW
4       0     0 ACCEPT  udp  --  any  eth1 choke.dmz.lan        nameserver.dmz.lan   udp spts:1024:65535 dpt:domain state NEW
5       0     0 ACCEPT  tcp  --  any  eth1 choke.dmz.lan        nameserver.dmz.lan   tcp spts:1024:65535 dpt:domain state NEW
6       2   120 ACCEPT  tcp  --  any  eth0 router.private.lan   .private.lan         multiport dports ssh,http,https,auth,ftp tcp spts:1024:65535 flags:SYN,RST,ACK/SYN state NEW
7       0     0 ACCEPT  tcp  --  any  eth1 choke.dmz.lan        .dmz.lan             tcp spts:1024:65535 dpt:ssh state NEW
8       0     0 ACCEPT  tcp  --  any  eth1 choke.dmz.lan        anywhere             multiport dports http,https,auth,ftp,nicname tcp spts:1024:65535 flags:SYN,RST,ACK/SYN state NEW
9       0     0 ACCEPT  tcp  --  any  eth1 choke.dmz.lan        mail.dmz.lan         tcp spts:1024:65535 dpt:smtp state NEW
10      0     0 ACCEPT  udp  --  any  eth1 choke.dmz.lan        timeserver.edu       udp spts:1024:65535 dpt:ntp state NEW
11      0     0 ACCEPT  icmp --  any  eth1 choke.dmz.lan        anywhere             icmp fragmentation-needed
12      0     0 ACCEPT  icmp --  any  eth0 router.private.lan   .private.lan         icmp echo-request
13      0     0 ACCEPT  icmp --  any  eth0 router.private.lan   .private.lan         icmp echo-reply
14      0     0 ACCEPT  icmp --  any  eth1 choke.dmz.lan        .dmz.lan             icmp echo-request
15      0     0 ACCEPT  icmp --  any  eth1 choke.dmz.lan        firewall.dmz.lan     icmp echo-reply
16      0     0 ACCEPT  tcp  --  any  eth0 router.private.lan   jet.private.lan      tcp dpt:printer state NEW
17      0     0 ACCEPT  tcp  --  any  any  anywhere             anywhere             tcp flags:RST/RST
18      0     0 LOG     all  --  any  any  anywhere             anywhere             LOG level warning
The default policy for the OUTPUT chain is DROP. Denied packets are
simply dropped without any notification being returned to the local
program. There are 18 rules on the chain:
* Line 1: Any packet going out the loopback interface is allowed.
* Line 2: Any packet that is recognized as being part of a previously ESTABLISHED connection or exchange, or a packet that is RELATED to one, is allowed.
* Line 3: Local DNS requests that are forwarded to the local name server in the DMZ, server to server, are allowed.
* Line 4: Local DNS client requests over UDP to the local name server in the DMZ are allowed.
* Line 5: Local DNS client requests over TCP to the local name server in the DMZ are allowed.
* Line 6: The local host, the LAN router, is allowed to initiate connections to local SSH, HTTP, HTTPS, auth, and FTP servers in the private LAN.
* Line 7: The local host, the choke firewall, is allowed to initiate connections to local SSH servers in the DMZ.
* Line 8: The local host, the choke firewall, is allowed to initiate connections to SSH, HTTP, HTTPS, auth, and FTP servers anywhere.
* Line 9: The local host, the choke firewall, is allowed to send mail to the mail gateway in the DMZ.
* Line 10: The local host, the choke firewall, is allowed to send client ntp time requests to a specific remote server.
* Line 11: The local host, the choke firewall, is allowed to send ICMP Type 3 fragmentation-needed messages anywhere as part of MTU size discovery.
* Line 12: The local host, the LAN router, is allowed to send ICMP ping requests to hosts in the private LAN.
* Line 13: The local host, the LAN router, is allowed to send ICMP ping responses to hosts in the private LAN.
* Line 14: The local host, the choke firewall, is allowed to send ICMP ping requests to hosts in the DMZ.
* Line 15: The local host, the choke firewall, is allowed to send ICMP ping responses to the public firewall between the DMZ and the Internet.
* Line 16: The local host, the LAN router, is allowed to access the networked printer in the private LAN.
* Line 17: The local host is allowed to send TCP RST messages anywhere.
* Line 18: All other outgoing packets are logged before being dropped by the default policy.
Checking the Forwarding Rules
The forwarding rules apply to packets passing or being routed through
the machine. Forwarded packets are inspected only by the rules defined
for the FORWARD chain. These packets are not inspected against rules
on the INPUT or OUTPUT chains. If the packet's destination address is
something other than the address of the interface on which the packet
arrived, the packet is inspected by the FORWARD chain. If the packet
matches a FORWARD acceptance rule, the packet is sent out the
appropriate interface, after being inspected by any rules defined for
the POSTROUTING chains.
For the purposes of illustration, the firewall rule pair shown next
forwards all TCP connections from the internal network. UDP traffic is
not routed. Related ICMP traffic is routed:
iptables -A FORWARD -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_INTERFACE -o $EXTERNAL_INTERFACE -p tcp \
    -s $INTERNAL_LAN_ADDRESSES -m state --state NEW -j ACCEPT
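To make the behaviour of that rule pair concrete, here is a small model of first-match evaluation against a DROP policy with a minimal connection-tracking table. This is an added example, not code from the book: the interface names follow the text (eth0 internal, eth1 external), the 192.168.1.0/24 LAN range and the addresses in the packets are constructed, and the conntrack table is a deliberate simplification (it records only flows that were accepted as NEW, whereas the real kernel tracks every packet it sees).

```python
"""Toy model of the stateful FORWARD rule pair: ESTABLISHED,RELATED TCP is
accepted in either direction, NEW TCP only from the LAN to the outside,
everything else falls through to the DROP policy."""
import ipaddress

LAN_INTERFACE = "eth0"        # assumption from the text: eth0 faces .private.lan
EXTERNAL_INTERFACE = "eth1"   # assumption from the text: eth1 faces the DMZ/Internet
INTERNAL_LAN_ADDRESSES = ipaddress.ip_network("192.168.1.0/24")  # constructed

# A rule is a dict of match criteria; a missing key means "any".
FORWARD_RULES = [
    # iptables -A FORWARD -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
    {"proto": "tcp", "states": {"ESTABLISHED", "RELATED"}, "target": "ACCEPT"},
    # iptables -A FORWARD -i $LAN_INTERFACE -o $EXTERNAL_INTERFACE -p tcp \
    #     -s $INTERNAL_LAN_ADDRESSES -m state --state NEW -j ACCEPT
    {"in": LAN_INTERFACE, "out": EXTERNAL_INTERFACE, "proto": "tcp",
     "src": INTERNAL_LAN_ADDRESSES, "states": {"NEW"}, "target": "ACCEPT"},
]


def packet(in_if, out_if, proto, src, sport, dst, dport):
    """Build a routed packet as the FORWARD chain would see it."""
    return {"in": in_if, "out": out_if, "proto": proto,
            "src": ipaddress.ip_address(src), "sport": sport,
            "dst": ipaddress.ip_address(dst), "dport": dport}


def flow_key(p):
    return (p["proto"], p["src"], p["sport"], p["dst"], p["dport"])


def reverse_key(p):
    return (p["proto"], p["dst"], p["dport"], p["src"], p["sport"])


class Forwarder:
    def __init__(self, rules=FORWARD_RULES, policy="DROP"):
        self.rules = rules
        self.policy = policy
        self.conntrack = set()   # simplification: flows accepted as NEW

    def state_of(self, p):
        """A packet belonging to a tracked flow, in either direction, is
        ESTABLISHED; anything else is NEW (RELATED is not modelled here)."""
        if flow_key(p) in self.conntrack or reverse_key(p) in self.conntrack:
            return "ESTABLISHED"
        return "NEW"

    @staticmethod
    def matches(rule, p, state):
        if "in" in rule and p["in"] != rule["in"]:
            return False
        if "out" in rule and p["out"] != rule["out"]:
            return False
        if "proto" in rule and p["proto"] != rule["proto"]:
            return False
        if "src" in rule and p["src"] not in rule["src"]:
            return False
        return state in rule["states"]

    def decide(self, p):
        """First matching rule wins; no match means the chain policy."""
        state = self.state_of(p)
        verdict = self.policy
        for rule in self.rules:
            if self.matches(rule, p, state):
                verdict = rule["target"]
                break
        if verdict == "ACCEPT" and state == "NEW":
            self.conntrack.add(flow_key(p))
        return verdict, state


if __name__ == "__main__":
    fw = Forwarder()
    for label, p in [
        ("LAN client opens HTTPS outward",
         packet("eth0", "eth1", "tcp", "192.168.1.10", 40000, "203.0.113.5", 443)),
        ("server reply to that connection",
         packet("eth1", "eth0", "tcp", "203.0.113.5", 443, "192.168.1.10", 40000)),
        ("unsolicited SSH from outside",
         packet("eth1", "eth0", "tcp", "203.0.113.9", 5555, "192.168.1.10", 22)),
        ("LAN DNS over UDP (UDP is not forwarded)",
         packet("eth0", "eth1", "udp", "192.168.1.10", 5353, "203.0.113.5", 53)),
        ("packet on eth0 with a non-LAN source",
         packet("eth0", "eth1", "tcp", "10.9.9.9", 40000, "203.0.113.5", 443)),
    ]:
        print(f"{label:45s} -> {fw.decide(p)}")
```

The last case shows why the `-s $INTERNAL_LAN_ADDRESSES` match matters even with `-i $LAN_INTERFACE` present: a packet that arrives on the internal interface but does not carry an internal source address never matches the NEW rule and is dropped.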
The listing that follows is a representative sample of forwarding rules.
As with the INPUT and OUTPUT chains, the FORWARD rules are mostly ACCEPT
rules when the default policy is DROP. Everything is denied, by default,
and you explicitly define what will be accepted:
> iptables -v -L FORWARD
Chain FORWARD (policy DROP 0 packets, 0 bytes)
     pkts bytes target  prot opt in   out  source               destination
1      67  6050 ACCEPT  all  --  any  any  anywhere             anywhere             state RELATED,ESTABLISHED
2       0     0 ACCEPT  tcp  --  eth1 eth0 selected.remote.host host1.private.lan    tcp spts:1024:65535 dpt:ssh flags:SYN,RST,ACK/SYN state NEW
3       0     0 ACCEPT  tcp  --  eth0 eth1 .private.lan         mailserver.dmz.lan   multiport dports smtp,pop3 tcp spts:1024:65535 flags:SYN,RST,ACK/SYN state NEW
4       1    60 ACCEPT  tcp  --  eth0 eth1 .private.lan         web-proxy.dmz.lan    multiport dports http,https tcp spts:1024:65535 flags:SYN,RST,ACK/SYN state NEW
5       1    60 ACCEPT  tcp  --  eth0 eth1 .private.lan         anywhere             tcp spts:1024:65535 dpts:ssh flags:SYN,RST,ACK/SYN state NEW
6       0     0 ACCEPT  tcp  --  eth0 eth1 .private.lan         news-server.net      tcp spts:1024:65535 dpt:nntp flags:SYN,RST,ACK/SYN state NEW
7       0     0 REJECT  tcp  --  eth1 any  anywhere             .private.lan         tcp spts:1024:65535 dpt:auth reject-with icmp-port-unreachable
8       0     0 ACCEPT  icmp --  any  any  anywhere             anywhere             icmp fragmentation-needed
9       2   168 ACCEPT  icmp --  eth0 eth1 .private.lan         anywhere             icmp echo-request
10      0     0 ACCEPT  tcp  --  any  any  anywhere             anywhere             tcp flags:FIN,ACK/FIN,ACK
11      0     0 ACCEPT  tcp  --  any  any  anywhere             anywhere             tcp flags:RST/RST
12      0     0 LOG     all  --  any  any  anywhere             anywhere             LOG level warning
The default policy for the FORWARD chain is DROP. Denied packets are
simply dropped without any notification being returned to either the
local or the remote program. There are 12 rules on the chain:
* Line 1: Any packet recognized as being part of a previously ESTABLISHED connection or exchange, or a packet that is RELATED to one, is allowed in either direction.
* Line 2: Incoming SSH connections from a particular remote host to host1 in the private LAN are allowed.
* Line 3: Outgoing client connections to the mail gateway and pop server in the DMZ are allowed.
* Line 4: Outgoing client connections, both HTTP and HTTPS, are allowed to the web proxy in the DMZ.
* Line 5: Outgoing client connections to remote SSH servers anywhere are allowed.
* Line 6: Outgoing client connections to a specific remote news server are allowed.
* Line 7: Incoming auth requests to local identd servers are rejected.
* Line 8: ICMP Type 3 fragmentation-needed messages are allowed in both directions as part of MTU size discovery.
* Line 9: Outgoing ping ICMP echo-requests are allowed to anywhere.
* Line 10: FIN/ACK packets are accepted in either direction.
* Line 11: TCP RST packets are accepted in either direction.
* Line 12: All other packets in either direction are logged before being dropped by the default policy.
For the FORWARD chain in particular, the -v option is helpful because it
shows the incoming and outgoing network interface names. eth0 is the
internal interface to the .private.lan network. eth1 is the external
interface to the .dmz.lan network and the Internet beyond. Remember that
FORWARD rules are necessary with or without NAT. Also remember that any
NAT rules are defined in the nat table; the rules shown here are defined
in the default filter table.
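When you review listings like the three above by hand, the same questions come up every time: is the policy DROP, is there a RELATED,ESTABLISHED accept, does the chain end in a LOG rule so that policy drops are recorded, and which rules have never matched anything. The following script automates those checks. It is an added example, not code from the book: it assumes the listing was produced with `iptables -v -L --line-numbers` (so the first column is the rule number, as in the book's listings) and without -x (so large counters appear abbreviated as 12K, 3M, and so on). The sample listing embedded below is constructed to mirror the INPUT chain in the text, and the audit heuristics are this example's own, not iptables features.

```python
"""Parse `iptables -v -L --line-numbers` output for one chain and run a few
sanity checks over it. Added example; sample data is constructed."""
import re

CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)")
SUFFIX = {"K": 1_000, "M": 1_000_000, "G": 1_000_000_000}

# Constructed sample, modelled on the INPUT listing in the text.
SAMPLE_INPUT = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        4   390 ACCEPT     all  --  lo     any     anywhere             anywhere
2       59  2599 ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
3        0     0 DROP       all  --  eth0   any     ! .private.lan       anywhere
4      12K  980K ACCEPT     udp  --  eth0   any     .private.lan         router.private.lan   udp spt:1024:65535 dpt:domain state NEW
5        0     0 LOG        all  --  any    any     anywhere             anywhere             LOG level warning
"""

# Constructed sample of a chain that fails every check.
SAMPLE_BAD = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  any    any     anywhere             anywhere
"""


def parse_counter(tok):
    """Without -x, iptables -v abbreviates counters (e.g. '12K', '3M')."""
    if tok[-1] in SUFFIX:
        return int(tok[:-1]) * SUFFIX[tok[-1]]
    return int(tok)


def parse_listing(text):
    """Return (chain, policy, rules). policy is None for user-defined chains.
    Each rule is a dict of the fixed columns plus 'extra' (match details)."""
    chain = policy = None
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = CHAIN_RE.match(line)
        if m:
            chain, policy = m.group(1), m.group(2)
            continue
        if line.startswith("num") or line.startswith("pkts"):
            continue  # column header
        f = line.split()
        # A negated address may print as a separate "!" token; glue it on.
        while "!" in f and f.index("!") + 1 < len(f):
            i = f.index("!")
            f[i:i + 2] = ["!" + f[i + 1]]
        if len(f) < 10:
            raise ValueError("unexpected row: " + line)
        rules.append({
            "num": int(f[0]), "pkts": parse_counter(f[1]),
            "bytes": parse_counter(f[2]), "target": f[3], "prot": f[4],
            "opt": f[5], "in": f[6], "out": f[7],
            "source": f[8], "destination": f[9], "extra": " ".join(f[10:]),
        })
    return chain, policy, rules


def audit(chain, policy, rules):
    """Heuristic checks matching the review questions in the text."""
    findings = []
    if policy is not None and policy != "DROP":
        findings.append(f"{chain}: default policy is {policy}, expected DROP")
    if not rules or rules[-1]["target"] != "LOG":
        findings.append(f"{chain}: last rule is not LOG, so policy drops go unrecorded")
    if not any(r["target"] == "ACCEPT" and "RELATED,ESTABLISHED" in r["extra"]
               for r in rules):
        findings.append(f"{chain}: no ACCEPT rule for state RELATED,ESTABLISHED")
    if chain in ("INPUT", "OUTPUT"):
        col = "in" if chain == "INPUT" else "out"
        if not any(r["target"] == "ACCEPT" and r[col] == "lo" for r in rules):
            findings.append(f"{chain}: loopback traffic is not explicitly accepted")
    for r in rules:
        if (r["target"] == "ACCEPT" and r["in"] == "any" and r["out"] == "any"
                and r["source"] == "anywhere" and r["destination"] == "anywhere"
                and not r["extra"]):
            findings.append(f"{chain}: rule {r['num']} accepts everything unconditionally")
    return findings


def unmatched(rules):
    """Rule numbers whose packet counter is still zero (worth a second look)."""
    return [r["num"] for r in rules if r["pkts"] == 0]


if __name__ == "__main__":
    for sample in (SAMPLE_INPUT, SAMPLE_BAD):
        chain, policy, rules = parse_listing(sample)
        print(chain, "findings:", audit(chain, policy, rules) or "none")
        print(chain, "never matched:", unmatched(rules))
```

Run it against saved output of `iptables -v -L INPUT --line-numbers` (one chain per call) to get the same report for a live system; a zero counter on a rule you expect to be busy, or a missing LOG rule at the end, is usually worth investigating before anything else.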
Posted by zaher el siddik. This article can be found at:
http://eduunix.ccut.edu.cn/index/html/linux/Novell.Press.Linux.Firewalls.3rd.Edition.Sep.2005/0672327716/ch08lev1sec3.html