Thanks a lot!! This saved me one extra installation and setting up an extra network.
(By the way, you were right about the -L

This printout is what I believe you can call "a typical" status for a well-designed rule set of the new type of Linux firewall that basically came with the 2.4.x kernel. (Actually, it could also be obtained for the last revision of the 2.2.x kernel.)
The very big difference between the old and the new type of firewall is that the new type basically contains two separate sets of firewall rules, while the old type contained only one. In the old type of firewall you validated each packet at only one "place", so the traffic to the LAN and the computers on the LAN was passing through the same ruleset as the internal processes on the firewall machine itself.
With netfilter and the 2.4.x concept, the traffic was first split off in two directions via a set of DNAT (destination NAT) before it was filtered. Then it is filtered through two completely different rulesets, one filtering the traffic to the firewall machine itself and one filtering the traffic to the LAN.
The status listed above should normally be the status for the ruleset filtering the traffic to the firewall machine only (iptables -L). If you want the other main ruleset, the command should normally be: "iptables -t nat -L"
In the firewall above you basically first have the 3 policies (default rules).
Chain INPUT (policy DROP) (Block all traffic to the internal processes)
Chain FORWARD (policy DROP) (Block all traffic in to the LAN)
Chain OUTPUT (policy ACCEPT) (Open for all traffic out.)
Then there come a lot of static exceptions, like small holes in the wall that will accept certain traffic in, as an example:
"ACCEPT icmp -- anywhere anywhere icmp echo-request (Accept this kind of ping request.)"
At the end of the script there is one single rule that can mean more than all those small and precisely described openings.
"ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED"
This last one says: activate the automatic and dynamic stateful inspection function. In real practical life this will mean something like "make an automatic opening for all traffic that is return traffic relative to traffic that is first initiated from the inside of the firewall".
The 2.2.x firewall did not have this dynamic part; it was static only, so you had to put rather "big holes" in the firewall to let the return traffic pass. With the new 2.4.x kernel and netfilter/iptables you get the return traffic handled by the dynamic stateful inspection function, so that the openings for the return traffic will be set dynamically and automatically. Because of this it is possible to design the firewall more precisely and with "smaller holes".
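
An added example, not part of the original post: a small Python check that reads a listing in the shape of `iptables -L` output and verifies the properties described above (DROP policy on INPUT and FORWARD, and a RELATED,ESTABLISHED rule for return traffic). The sample listing is constructed, and the function names `parse_listing` and `audit` are hypothetical.

```python
import re

# Constructed sample in the shape of `iptables -L` output (not from the original post).
SAMPLE = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\w+)")

def parse_listing(text):
    """Return {chain: {"policy": str, "rules": [(target, prot, src, dst, extra)]}}."""
    chains, current = {}, None
    for line in text.splitlines():
        if line.startswith("Chain "):
            m = CHAIN_RE.match(line)  # user-defined chains have no policy: skipped
            current = chains.setdefault(m.group(1), {"policy": m.group(2), "rules": []}) if m else None
        elif current is not None and line.strip() and not line.startswith("target"):
            target, prot, _opt, src, dst, *extra = line.split(None, 5)
            current["rules"].append((target, prot, src, dst, extra[0].strip() if extra else ""))
    return chains

def audit(chains):
    """Check the properties the post describes; return a list of findings."""
    findings = []
    for name in ("INPUT", "FORWARD"):
        chain = chains.get(name)
        if chain is None:
            findings.append(f"{name}: chain missing from listing")
            continue
        if chain["policy"] != "DROP":
            findings.append(f"{name}: default policy is {chain['policy']}, not DROP")
        stateful = False
        for target, prot, src, dst, extra in chain["rules"]:
            if target == "ACCEPT" and "state" in extra and "ESTABLISHED" in extra:
                stateful = True
            elif (target, prot, src, dst, extra) == ("ACCEPT", "all", "anywhere", "anywhere", ""):
                # Plain -L hides interfaces (e.g. a loopback rule); confirm with `iptables -L -v`.
                findings.append(f"{name}: unconditional ACCEPT (static hole?)")
        if not stateful:
            findings.append(f"{name}: no RELATED,ESTABLISHED rule for return traffic")
    return findings
```

On the constructed sample, INPUT passes and FORWARD produces three findings: the ACCEPT policy, the unconditional ACCEPT rule, and the missing stateful rule.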