Re: IPChains rules
- To: <tlug@example.com>
- Subject: Re: IPChains rules
- From: Tobias Diedrich <ranma@example.com>
- Date: Fri, 2 Mar 2001 17:51:33 +0100 (CET)
- Content-Type: TEXT/PLAIN; charset=US-ASCII
- In-Reply-To: <15007.28049.271756.892269@example.com>
- Reply-To: tlug@example.com
- Resent-From: tlug@example.com
- Resent-Message-ID: <CB_rj.A.LlC._-8n6@example.com>
- Resent-Sender: tlug-request@example.com
Stephen J. Turnbull wrote:
> Tobias> iptables also has the advantage of being a "stateful"
> Tobias> packet-filter, which can make the rules much simpler (in
> Tobias> case of a firewall you might basically just say "allow all
> Tobias> traffic from lan to the outside and allow only known
> Tobias> existing incoming connections")
>
> This kind of thing can be done with ipchains, too. It's just (AFAIK)
> that iptables has more convenient operators for doing what you want.

AFAIK no. At least not the "allow only known existing incoming connections" part. You need to know the state of the connection for that.

As an example, my iptables rules, simplified, look like this (for ppp0; all traffic is allowed on eth* network interfaces [lan]):

    # default policy: drop everything not explicitly accepted
    # (the target is spelled DROP in iptables; DENY was the ipchains name)
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    # inbound on ppp0: only packets belonging to a connection we opened,
    # or related to one (e.g. ICMP errors, ftp data)
    iptables -A INPUT -i ppp0 -m state --state ESTABLISHED -j ACCEPT
    iptables -A INPUT -i ppp0 -m state --state RELATED -j ACCEPT
    # outbound on ppp0: anything goes
    iptables -A OUTPUT -o ppp0 -j ACCEPT

The last rule obviously allows all outgoing traffic. Incoming traffic is only allowed for packets with "ESTABLISHED" or "RELATED" state. That's it. Works for ping, traceroute, http, ftp.

I have two additional accepts for dns-server answers. Plus a bit of special handling so my log files won't show ping and netbios connection attempts. And some other special handling for incoming http, ssh and smtp connections, where the last two are allowed only from the university network.

If anyone is interested I could post my complete filtering rules.

-- 
Tobias
- Follow-Ups:
- Re: IPChains rules
- From: "Stephen J. Turnbull" <turnbull@example.com>
- References:
- Re: IPChains rules
- From: "Stephen J. Turnbull" <turnbull@example.com>