> Still I have to go from iptable newbie to guru status - so
> expect more news soon.
I have to admit I kinda like iptables. The FTP and IRC connection tracking
modules are great for opening up ports in stupid protocols like active ftp
or IRC's dcc.
I just wish that someone would make the configuration a little more
friendly.
For those of you who haven't seen Darren Reed's ipfilter (packet filtering
for *BSD, Solaris, SunOS, IRIX, HP-UX and even QNX), its syntax is
something like:
block in on tun0
block in log quick on tun0 from 192.168.0.0/16 to any
block in log quick on tun0 from 172.16.0.0/12 to any
block in log quick on tun0 from 10.0.0.0/8 to any
block in log quick on tun0 from 127.0.0.0/8 to any
block in log quick on tun0 from 0.0.0.0/8 to any
pass out quick on tun0 proto tcp/udp from 20.20.20.1/32 to any keep state
pass out quick on tun0 proto icmp from 20.20.20.1/32 to any keep state
pass in quick on tun0 proto tcp from any to 20.20.20.1/32 port = 80 flags S keep state
Which, in my opinion, is far more readable than the swathe of
iptables/ipchains options! (-s --destp, etc).
However, what iptables doesn't seem to do is combine its connection
tracking stuff into NAT. For example with ipf I was able to set up NAT like
so:
map tun0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
map tun0 192.168.1.0/24 -> 0/32 portmap tcp/udp 20000:60000
map tun0 192.168.1.0/24 -> 0/32
and it would allow me to use active mode ftp from any host on the NATed
network. iptables doesn't *seem* to do that quite yet (i.e. I can only do
active ftp from the gateway host).
Still - I'm sure it'll develop with time...
J.
--
Jon Still E-mail: jon@xxxxxxxxxxx
System Administrator Web: http://www.tertial.org/
tertial.org Tel: +44 (0)7977 066087
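Added example (not from Jon's mail or from ipfilter itself): the ruleset quoted above, re-typed with the two wrapped lines joined, fed through a small evaluator of ipf's rule semantics, where the last matching rule decides unless a matching rule says "quick". It models only the syntax the ruleset uses, treats "flags S" as the S/SA shorthand, and does not keep a state table; packets are constructed dicts.

```python
import ipaddress

RULESET = """
block in on tun0
block in log quick on tun0 from 192.168.0.0/16 to any
block in log quick on tun0 from 172.16.0.0/12 to any
block in log quick on tun0 from 10.0.0.0/8 to any
block in log quick on tun0 from 127.0.0.0/8 to any
block in log quick on tun0 from 0.0.0.0/8 to any
pass out quick on tun0 proto tcp/udp from 20.20.20.1/32 to any keep state
pass out quick on tun0 proto icmp from 20.20.20.1/32 to any keep state
pass in quick on tun0 proto tcp from any to 20.20.20.1/32 port = 80 flags S keep state
"""

def parse_rule(line):
    """Parse one ipf rule into a dict; covers just the syntax used in RULESET above."""
    t = line.split()
    r = {"action": t[0], "dir": t[1], "log": False, "quick": False, "iface": None,
         "proto": None, "src": "any", "dst": "any", "dport": None, "flags": None}
    i, side = 2, None
    while i < len(t):
        w = t[i]
        if w in ("log", "quick"): r[w] = True; i += 1
        elif w in ("on", "proto", "flags"): r["iface" if w == "on" else w] = t[i + 1]; i += 2
        elif w in ("from", "to"): side = "src" if w == "from" else "dst"; r[side] = t[i + 1]; i += 2
        elif w == "port" and side == "dst" and t[i + 1] == "=": r["dport"] = int(t[i + 2]); i += 3
        elif w == "keep" and t[i + 1] == "state": i += 2   # state table deliberately not modelled
        else: raise ValueError(f"unsupported token {w!r} in rule {line!r}")
    return r

def in_net(addr, net):
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def matches(r, pkt):
    # 'proto tcp/udp' lists alternatives; 'flags S' is ipf's S/SA shorthand: SYN set, ACK clear
    return (r["dir"] == pkt["dir"] and r["iface"] == pkt["iface"]
            and (r["proto"] is None or pkt["proto"] in r["proto"].split("/"))
            and in_net(pkt["src"], r["src"]) and in_net(pkt["dst"], r["dst"])
            and (r["dport"] is None or pkt.get("dport") == r["dport"])
            and (r["flags"] is None or set(pkt.get("flags", "")) & set("SA") == set(r["flags"])))

def evaluate(rules, pkt):
    """ipf semantics: the LAST matching rule decides, unless a match is 'quick', which stops there."""
    verdict = ("pass", False)                    # ipf's default when no rule matches at all
    for r in rules:
        if matches(r, pkt):
            verdict = (r["action"], r["log"])
            if r["quick"]: break
    return verdict

RULES = [parse_rule(l) for l in RULESET.strip().splitlines()]
```

Run through it, an inbound SYN to 20.20.20.1 port 80 from a real address passes via the final quick rule, a SYN to port 22 falls back to the initial "block in on tun0", and anything with an RFC1918 or bogon source is blocked and logged before the pass rule is ever reached.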
--
The Mailing List for the Devon & Cornwall LUG