Thread: Firewall ACLs
#8, 13th October 2006, 15:25
rdutton
Junior Member
 
Join Date: Sep 2006
Posts: 4

Thanks punto for your explanation.

Just something extra in case people come across the same problem I did.

In addition to the file "post-rule-setup.sh" you can also add a file called "pre-chain-split.sh" in the same directory. Any commands you put in "pre-chain-split.sh" will be executed BEFORE the standard firewall rules.

This is useful when you want to allow packets through which are normally dropped due to preceding firewall rules.

e.g. I added rules to allow samba just for my home IP address:

# Inbound Samba traffic from the one trusted address.
iptables -A INPUT -s [OK_REMOTE_IP] -p udp -m multiport --destination-ports 445,135,136,137,138,139 -j ACCEPT
iptables -A INPUT -s [OK_REMOTE_IP] -p tcp -m multiport --destination-ports 445,135,136,137,138,139 -j ACCEPT
# Replies going back out. On the OUTPUT chain the remote host is the destination (-d)
# and the Samba ports are the packets' source ports, so the rules below match on
# --source-ports; an OUTPUT rule written with "-s [OK_REMOTE_IP] --destination-ports"
# can never match a packet leaving this host.
iptables -A OUTPUT -d [OK_REMOTE_IP] -p udp -m multiport --source-ports 445,135,136,137,138,139 -j ACCEPT
iptables -A OUTPUT -d [OK_REMOTE_IP] -p tcp -m multiport --source-ports 445,135,136,137,138,139 -j ACCEPT
# (Samba's file-sharing ports are 137/udp, 138/udp, 139/tcp and 445/tcp.)

There are 4 rules to account for the variations of UDP/TCP and INPUT/OUTPUT chains.

The iptables commands explained:
-A Which chain to append the rule to
-s The source address(es)
-p The protocol (udp/tcp for Samba)
-m Modules to load (in this case multiport)
--destination-ports The parameter to the multiport module specifying the Samba ports
-j Jump to another chain, in this case ACCEPT
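A fuller pre-chain-split.sh along the same lines, added here as an example; it is not part of rdutton's post and not one of the firewall framework's own scripts. It assumes a POSIX sh, that the framework runs the file as root with iptables on PATH, and it uses the constructed placeholder address 203.0.113.10 (TEST-NET-3) where the post has [OK_REMOTE_IP]. Compared with the four rules above it narrows the port list to the four Samba actually listens on, refuses anything that is not a single IPv4 address (so a mistyped variable cannot turn into a rule that accepts from everyone), lets the reply traffic through with a conntrack match on OUTPUT instead of a second copy of the port list, and checks each rule with -C before appending so running the script twice does not stack duplicates. With no argument it only prints the iptables commands; `apply` installs them, so a framework that calls the file without arguments would need the final case replaced by a direct apply_rules call.

```shell
#!/bin/sh
# pre-chain-split.sh (added example, not from the original post): allow Samba
# from one trusted address. Runs before the framework's own rules, which is why
# plain -A is enough to put these rules ahead of the standard DROP rules.
set -eu

OK_REMOTE_IP="${OK_REMOTE_IP:-203.0.113.10}"   # constructed placeholder, TEST-NET-3
IPT="${IPT:-iptables}"

# Samba's file-sharing ports: NetBIOS name/datagram over UDP, session/CIFS over TCP.
SMB_UDP="137,138"
SMB_TCP="139,445"

# Accept only a bare dotted-quad IPv4 address. A CIDR such as 0.0.0.0/0, a
# hostname or an empty value is rejected so that a mistyped variable cannot
# quietly open the shares to the whole internet.
valid_ipv4() {
  case "$1" in
    ""|*[!0-9.]*|*..*|.*|*.) return 1 ;;
  esac
  old_ifs=$IFS
  IFS=.
  set -- $1                      # split on dots; word splitting is intended here
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Rule specifications, one per line: chain followed by the match/target arguments.
# Inbound is pinned to the trusted source and the Samba ports. The reply path only
# needs packets belonging to a connection the INPUT rule already accepted, so it is
# a conntrack match on the destination rather than a second copy of the port list
# (older iptables spell the same match "-m state --state ESTABLISHED,RELATED").
smb_rules() {
  ip=$1
  printf '%s\n' \
    "INPUT -s $ip -p udp -m multiport --dports $SMB_UDP -j ACCEPT" \
    "INPUT -s $ip -p tcp -m multiport --dports $SMB_TCP -j ACCEPT" \
    "OUTPUT -d $ip -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# Append each rule unless an identical one is already present (-C returns 0 when
# the rule exists), so re-running the script does not add duplicates.
# DRY_RUN=1 prints the commands instead of applying them.
apply_rules() {
  ip=$1
  if ! valid_ipv4 "$ip"; then
    echo "pre-chain-split.sh: refusing '$ip': not a single IPv4 address" >&2
    return 1
  fi
  smb_rules "$ip" | while read -r chain spec; do
    if [ "${DRY_RUN:-0}" = 1 ]; then
      echo "$IPT -A $chain $spec"
    elif ! $IPT -C "$chain" $spec 2>/dev/null; then   # $spec unquoted: one arg per word
      $IPT -A "$chain" $spec
    fi
  done
}

case "${1:-preview}" in
  preview) DRY_RUN=1 apply_rules "$OK_REMOTE_IP" ;;
  apply)   apply_rules "$OK_REMOTE_IP" ;;
  *)       echo "usage: $0 [preview|apply]" >&2; exit 2 ;;
esac
```

Run `sh pre-chain-split.sh` first to see the three commands it would issue, then `sh pre-chain-split.sh apply` as root; `iptables -L INPUT -n --line-numbers` afterwards should show the two Samba rules at the top of the chain, ahead of whatever the framework appends later.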