# ========================================================================= # $Id: forward.conf 41 2005-10-30 23:39:47Z s0undt3ch $ # ========================================================================= # The FORWARD chain in iptables dictates the fate of any packet # that wants to travel past this machine, in either direction. # The defaults here are reasonable for machines acting as routers # for a *private* subnet, or standalone machines connected to the # internet without a local network. You should edit this file if # any of the following are true: # # - the machine running ipkungfu is a firewall/gateway for machines # with *public* ip addresses # - you want to customize what parts of your local network are to # be allowed access to what internet services # - you simply want more granular control of traffic passing # through your firewall/gateway # # The syntax of most of this file is similar to that of vhosts.conf # and it serves a similar purpose. You cannot forward ports in # this file, though. Only packets already destined for a machine # on your network will be affected by this file. For that reason # this file can be used to customize how traffic is filtered that # has already been forwarded by vhosts.conf. # This sets the default policy for the FORWARD chain. The default # setting here is "ACCEPT" for standalone machines and private # subnets, since no packets will reach the FORWARD chain in the # first case, and outside forces cannot route packets on a private # network in the second case. Valid choices here are ACCEPT # and DROP (I recently learned that for reasons I don't understand # REJECT is not a valid policy for the FORWARD chain). FORWARD_POLICY=ACCEPT # Here is where you specify what hosts or nets on the Internet are # to be allowed to access what hosts or nets on your network, or # the other way around. The syntax is for this part of the file # is source:destination:port:protocol:target. All the colons are # required. If any part of the sequence is left blank, it will # not be matched. For example: # # :192.168.0.10:::ACCEPT # # The source host, port, and protocol have all been left blank, # meaning that any type of traffic from any source is permitted # to go to 192.168.0.10. Valid protocols can be found in # /etc/protocols. Valid targets are ACCEPT, REJECT, DROP, and # LOG. In the case of LOG, an optional sixth parameter may be # used to specify the log prefix. For example: # # 208.14.0.0/255.255.0.0:192.168.0.7:80:tcp:LOG:Webserver Hit # 208.14.0.0/255.255.0.0:192.168.0.7:80:tcp:ACCEPT # # In this case, all traffic from 208.14.*.* destined for # 192.168.0.7 on tcp port 80 is logged and accepted. Note # that both these rules are required, in this order, for the # traffic to be logged and accepted (unless your default # FORWARD policy is ACCEPT, in which case it will be # accepted unless otherwise specified). If a rule other than # LOG is encountered, the packet will be assigned the fate # of the specified target and stop traversing the FORWARD # chain. For this reason, logging rules must come before # any rule that specifies a type of filter, such as DROP, # REJECT, or ACCEPT. #0/0:192.168.0.10:23:tcp:LOG:Telnet #0/0:192.168.0.10:23:tcp:ACCEPT