# =========================================================================
# $Id: forward.conf 41 2005-10-30 23:39:47Z s0undt3ch $
# =========================================================================

# The FORWARD chain in iptables dictates the fate of any packet 
# that wants to travel past this machine, in either direction.
# The defaults here are reasonable for machines acting as routers 
# for a *private* subnet, or standalone machines connected to the 
# internet without a local network.  You should edit this file if 
# any of the following are true:
# 
# - the machine running ipkungfu is a firewall/gateway for machines
#         with *public* ip addresses
# - you want to customize what parts of your local network are to
#         be allowed access to what internet services
# - you simply want more granular control of traffic passing
#         through your firewall/gateway
#
# The syntax of most of this file is similar to that of vhosts.conf
# and it serves a similar purpose.  You cannot forward ports in 
# this file, though.  Only packets already destined for a machine
# on your network will be affected by this file.  For that reason
# this file can be used to customize how traffic is filtered that
# has already been forwarded by vhosts.conf.

# This sets the default policy for the FORWARD chain.  The default
# setting here is "ACCEPT" for standalone machines and private
# subnets, since no packets will reach the FORWARD chain in the
# first case, and outside forces cannot route packets on a private
# network in the second case.  Valid choices here are ACCEPT
# and DROP (I recently learned that for reasons I don't understand
# REJECT is not a valid policy for the FORWARD chain).
FORWARD_POLICY=ACCEPT

# Here is where you specify what hosts or nets on the Internet are
# to be allowed to access what hosts or nets on your network, or
# the other way around.  The syntax is for this part of the file
# is source:destination:port:protocol:target.  All the colons are
# required.  If any part of the sequence is left blank, it will
# not be matched.  For example:
#
# :192.168.0.10:::ACCEPT
#
# The source host, port, and protocol have all been left blank,
# meaning that any type of traffic from any source is permitted
# to go to 192.168.0.10.  Valid protocols can be found in
# /etc/protocols.  Valid targets are ACCEPT, REJECT, DROP, and
# LOG.  In the case of LOG, an optional sixth parameter may be
# used to specify the log prefix.  For example:
#
# 208.14.0.0/255.255.0.0:192.168.0.7:80:tcp:LOG:Webserver Hit
# 208.14.0.0/255.255.0.0:192.168.0.7:80:tcp:ACCEPT
# 
# In this case, all traffic from 208.14.*.* destined for
# 192.168.0.7 on tcp port 80 is logged and accepted.  Note
# that both these rules are required, in this order, for the
# traffic to be logged and accepted (unless your default
# FORWARD policy is ACCEPT, in which case it will be
# accepted unless otherwise specified).  If a rule other than
# LOG is encountered, the packet will be assigned the fate
# of the specified target and stop traversing the FORWARD
# chain.  For this reason, logging rules must come before
# any rule that specifies a type of filter, such as DROP,
# REJECT, or ACCEPT.

#0/0:192.168.0.10:23:tcp:LOG:Telnet
#0/0:192.168.0.10:23:tcp:ACCEPT