firewall-init: README - updated
baggins
baggins at pld-linux.org
Tue Dec 29 22:39:46 CET 2009
Author: baggins Date: Tue Dec 29 21:39:46 2009 GMT
Module: firewall-init Tag: HEAD
---- Log message:
- updated
---- Files affected:
firewall-init:
README (1.14 -> 1.15)
---- Diffs:
================================================================
Index: firewall-init/README
diff -u firewall-init/README:1.14 firewall-init/README:1.15
--- firewall-init/README:1.14 Mon Sep 19 17:25:28 2005
+++ firewall-init/README Tue Dec 29 22:39:41 2009
@@ -66,21 +66,24 @@
# Connection tracking (defaults to yes as it's VERY usefull also on non-nat boxes)
CONNTRACK="yes"
-# Which IPv4 conntrack modules to load, can be "all" (old default), "none" or a list
+# Which conntrack modules to load, can be "all" (old default), "none" or a list
#CONNTRACK_MODULES="all"
#CONNTRACK_MODULES="ftp irc"
+# Which conntrack modules not to load (mms cannot be unloaded)
+#CONNTRACK_MODULES_BLACKLIST="mms"
# Which IPv4 nat modules to load, can be "all" (old default), "none" or a list
#NAT_MODULES="all"
#NAT_MODULES="ftp irc"
+# Which conntrack modules not to load (mms cannot be unloaded)
+#CONNTRACK_MODULES_BLACKLIST="mms"
# The ftp/irc options has been removed
# set them via /etc/modprobe.conf
-# Size (number of entries) of hash tables for connection tracking and NAT
+# Size (number of entries) of hash table for connection tracking
# default is 1/16384 of memory
CONNTRACK_HASHSIZE=
-NAT_HASHSIZE=
# Policies for chains ($proto_$table_$CHAIN):
# IPv4:
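Review bot: The two added lines `# Which conntrack modules not to load (mms cannot be unloaded)` / `#CONNTRACK_MODULES_BLACKLIST="mms"` appear twice in this hunk, once under CONNTRACK_MODULES and again under NAT_MODULES, so the second copy reads like a copy-paste slip. Since the second block sits directly under `#NAT_MODULES="ftp irc"`, it was presumably meant to document a NAT-side blacklist; if the init script supports no such variable, the duplicate should simply be dropped so readers do not conclude the blacklist applies to NAT modules separately. If it does, the second pair should name that variable instead of repeating `CONNTRACK_MODULES_BLACKLIST`. The surrounding README section continues outside the hunk.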
@@ -92,18 +95,28 @@
ipv4_nat_PREROUTING="ACCEPT"
ipv4_nat_POSTROUTING="ACCEPT"
+ipv4_mangle_INPUT="ACCEPT"
ipv4_mangle_OUTPUT="ACCEPT"
+ipv4_mangle_FORWARD="ACCEPT"
ipv4_mangle_PREROUTING="ACCEPT"
+ipv4_mangle_POSTROUTING="ACCEPT"
-ipv4_drop_DROPPING="DROP"
+ipv4_raw_OUTPUT="ACCEPT"
+ipv4_raw_PREROUTING="ACCEPT"
# IPv6:
ipv6_filter_INPUT="ACCEPT"
ipv6_filter_OUTPUT="ACCEPT"
ipv6_filter_FORWARD="DROP"
+ipv6_mangle_INPUT="ACCEPT"
ipv6_mangle_OUTPUT="ACCEPT"
+ipv6_mangle_FORWARD="ACCEPT"
ipv6_mangle_PREROUTING="ACCEPT"
+ipv6_mangle_POSTROUTING="ACCEPT"
+
+ipv6_raw_OUTPUT="ACCEPT"
+ipv6_raw_PREROUTING="ACCEPT"
V. Firewalls: /etc/sysconfig/firewall.d/$proto/$table
@@ -150,6 +163,9 @@
ipv4_nat_POSTROUTING_rules()
{
$iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE
+# or, if you know your gateway external IP:
+ $iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j SNAT --to-source 192.168.1.1
+
$iptables -t nat -A POSTROUTING -j DROP
}
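Review bot: The added SNAT line is live code while the comment above it presents it as an alternative, so `ipv4_nat_POSTROUTING_rules` as written appends both a MASQUERADE rule and a SNAT rule for 192.168.0.0/24; the first one appended matches first and the SNAT rule is never reached, and anyone copying the example gets a dead rule they may later believe is in effect. Commenting it out keeps it as documentation: `#	$iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j SNAT --to-source 192.168.1.1`. It may also be worth saying in the comment that the reader should keep exactly one of the two lines.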
================================================================
---- CVS-web:
http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/firewall-init/README?r1=1.14&r2=1.15&f=u