
IPtables Rules

The rules created by Vuurmuur can be shown by running the vuurmuur command with the bash output option (-b).

Output rule

A normal output rule with logging enabled. The first line is the logging line, the second accepts the traffic. For an output rule select firewall as the source of the rule.

Accept service http from firewall to world.inet options log,logprefix="http out"
/sbin/iptables -t filter -A OUTPUT -o eth0 -p tcp -m tcp --syn -s 1.2.3.4/255.255.255.255 --sport 1024:65535 -d 0.0.0.0/0.0.0.0 --dport 80 -m state --state NEW -j LOG --log-prefix "vrmr: ACCEPT http out "
/sbin/iptables -t filter -A OUTPUT -o eth0 -p tcp -m tcp --syn -s 1.2.3.4/255.255.255.255 --sport 1024:65535 -d 0.0.0.0/0.0.0.0 --dport 80 -m state --state NEW -j ACCEPT

Input rule

For an input rule, select the firewall as the destination. Also shown here is the rule limit: this rule will match at most one time per second on average, with a burst of 2.

Accept service ssh from world.inet to firewall options log,logprefix="ssh in",limit="1",burst="2"
/sbin/iptables -t filter -A INPUT -i eth0 -p tcp -m tcp --syn -s 0.0.0.0/0.0.0.0 --sport 1024:65535 -d 1.2.3.4/255.255.255.255 --dport 22 -m limit --limit 1/s --limit-burst 2 -m state --state NEW -j LOG --log-prefix "vrmr: ACCEPT ssh in "
/sbin/iptables -t filter -A INPUT -i eth0 -p tcp -m tcp --syn -s 0.0.0.0/0.0.0.0 --sport 1024:65535 -d 1.2.3.4/255.255.255.255 --dport 22 -m limit --limit 1/s --limit-burst 2 -m state --state NEW -j ACCEPT

Firewall vs. Firewall(any)

Here we see a simple example of an incoming ftp rule. In the case of 'firewall', the IP address of the interface attached to the network 'world.inet' is used as the destination match. In the case of 'firewall(any)', no filtering on the firewall's IP address is done at all. This can be useful if you want to be able to ftp to the other interfaces of the firewall as well.

Accept service ftp from world.inet to firewall
/sbin/iptables -t filter -A INPUT -i eth0 -p tcp -m tcp --syn -s 0.0.0.0/0.0.0.0 --sport 1024:65535 -d 1.2.3.4/255.255.255.255 --dport 21 -m state --state NEW -j ACCEPT
Accept service ftp from world.inet to firewall(any)
/sbin/iptables -t filter -A INPUT -i eth0 -p tcp -m tcp --syn -s 0.0.0.0/0.0.0.0 --sport 1024:65535 --dport 21 -m state --state NEW -j ACCEPT
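As an added illustration (not Vuurmuur's own code), the following Python translates rule lines of the form shown above into the iptables commands they produce, covering the output/input direction, the log and limit options and the firewall vs. firewall(any) distinction. The service, network and firewall-address tables are assumptions taken from this page's sample output.

```python
import re

# Assumed lookup tables, taken from the sample rules on this page.
SERVICES = {"http": ("tcp", 80), "ssh": ("tcp", 22), "ftp": ("tcp", 21)}
NETWORKS = {"world.inet": ("eth0", "0.0.0.0/0.0.0.0")}
FIREWALL_IP = "1.2.3.4/255.255.255.255"   # firewall address on world.inet

RULE_RE = re.compile(
    r"^(?P<action>\w+) service (?P<svc>\S+) from (?P<src>\S+) to (?P<dst>\S+)"
    r"(?: options (?P<opts>.+))?$"
)

def parse_options(text):
    """'log,logprefix="ssh in",limit="1"' -> {'log': True, 'logprefix': 'ssh in', 'limit': '1'}"""
    opts = {}
    for key, val in re.findall(r'(\w+)(?:="([^"]*)")?', text or ""):
        opts[key] = val if val else True
    return opts

def translate(rule):
    """Return the iptables command line(s) generated for one rule."""
    m = RULE_RE.match(rule.strip())
    if not m: raise ValueError("unrecognised rule: %r" % rule)
    proto, port = SERVICES[m["svc"]]
    opts = parse_options(m["opts"])
    if m["src"] == "firewall":
        # Output rule: the firewall is the source, so OUTPUT chain and -o.
        iface, net = NETWORKS[m["dst"]]
        chain, ifopt = "OUTPUT", "-o " + iface
        addrs = "-s %s --sport 1024:65535 -d %s --dport %d" % (FIREWALL_IP, net, port)
    else:
        # Input rule: the firewall is the destination, so INPUT chain and -i.
        iface, net = NETWORKS[m["src"]]
        chain, ifopt = "INPUT", "-i " + iface
        # firewall(any) omits the -d match, so any local address is accepted.
        dst = "" if m["dst"] == "firewall(any)" else "-d %s " % FIREWALL_IP
        addrs = "-s %s --sport 1024:65535 %s--dport %d" % (net, dst, port)
    cmd = "/sbin/iptables -t filter -A %s %s -p %s -m %s --syn %s" % (
        chain, ifopt, proto, proto, addrs)
    if "limit" in opts:   # the rate limit applies to both the LOG and ACCEPT lines
        cmd += " -m limit --limit %s/s" % opts["limit"]
        if "burst" in opts:
            cmd += " --limit-burst %s" % opts["burst"]
    cmd += " -m state --state NEW"
    lines = []
    if "log" in opts:     # the logging line comes first, then the accepting line
        prefix = "vrmr: %s %s " % (m["action"].upper(), opts.get("logprefix", ""))
        lines.append(cmd + ' -j LOG --log-prefix "%s"' % prefix)
    lines.append(cmd + " -j " + m["action"].upper())
    return lines
```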
Last modified on 09/03/07 20:58:07