On Fri, 2004-02-20 at 16:40, jay wrote:
> Ok I guess this is what I need to do with iptables... I need to deny all
> but still be able to get on the internet... All this box will be used
> for is e-mail and websurfing and the usual streaming media and so
> forth..
> thanx
>

I think you should be able to set something simple like this using the firewall configuration tool that comes with Fedora. If you are using Gnome (and maybe KDE too) it's located in the "System Settings" submenu as "Security Level".

I think all you really need to do is turn on the firewall. I have not done anything special and I can do all the things you mention above.

Note that if you change your firewall settings, "Trusted services" are the services that you want to enable on your system and NOT services that you want to access on the internet. For example, selecting "WWW (HTTP)" will allow others to connect to your HTTP server. "Trusted devices" are devices that you TRUST; therefore, the firewall lets ALL traffic through on that device.

If you want to share a single Internet connection with several other machines then you need to tell the firewall to do NAT. It would probably be best to use one of the many firewall configuration tools available. If you search the archives for iptables you should find a reference to many of them.

I have not taken the time to learn these tools yet so I use this script. It's not very complicated but I think it gets the job done. It only allows traffic initiated on the internal network. I DROP all unwanted connections because there should not be any and dropping the packets means the guy on the other end is less likely to see that my firewall is even there. Your configuration may differ. Substitute eth1 with whichever network device is connected to the actual Internet.
==================== NAT FIREWALL RULES ===================

#!/bin/sh
# Disable IP forwarding while we fix up the firewall rules for NAT
echo 0 > /proc/sys/net/ipv4/ip_forward

# Flush all the current rules (for now at least) in the filter and nat tables
/sbin/iptables -F
/sbin/iptables -t nat -F

# Masquerade out eth1 (forwarded traffic leaves with eth1's address as source)
/sbin/iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

# Disallow NEW and INVALID incoming or forwarded packets from eth1;
# replies to connections started on the inside (ESTABLISHED/RELATED) still pass
/sbin/iptables -A INPUT -i eth1 -m state --state NEW,INVALID -j DROP
/sbin/iptables -A FORWARD -i eth1 -m state --state NEW,INVALID -j DROP

# Turn on IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
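As an added illustration, not part of the original post or of iptables itself: a small Python model of the NEW/ESTABLISHED/INVALID decision that the two DROP rules above rely on, showing why an inside host's browsing replies get back in while an outside probe on eth1 does not. Interface names, addresses and ports are constructed sample values; NAT address rewriting is deliberately not modelled.

```python
# Added example: a toy model of conntrack state plus the post's two DROP
# rules. It is NOT iptables code; it only reproduces the accept/drop
# decision so the policy "only traffic started inside gets through" can be
# checked. Hosts, ports and interface names below are constructed values.

EXTERNAL_IF = "eth1"   # interface facing the Internet, as in the post


class StatefulFilter:
    """Models conntrack state and the INPUT/FORWARD rules from the post."""

    def __init__(self):
        # Known flows keyed by (src, sport, dst, dport); a reply matches the
        # reversed tuple. Real conntrack also tracks timeouts and TCP state.
        self.flows = set()

    def _state(self, pkt):
        tup = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        rev = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        if tup in self.flows or rev in self.flows:
            return "ESTABLISHED"
        # A TCP segment that is not a SYN and matches no flow is INVALID.
        if pkt.get("proto") == "tcp" and not pkt.get("syn", False):
            return "INVALID"
        return "NEW"

    def handle(self, pkt):
        """Return 'ACCEPT' or 'DROP' for one packet dict, recording new flows."""
        state = self._state(pkt)
        # The post's rules: NEW or INVALID arriving on eth1 is dropped, both
        # for INPUT (to the firewall) and FORWARD (through it). Everything
        # else falls through to the chain's default ACCEPT policy.
        if pkt["in"] == EXTERNAL_IF and state in ("NEW", "INVALID"):
            return "DROP"
        if state == "NEW":
            self.flows.add((pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]))
        return "ACCEPT"


def demo():
    """Constructed traffic: inside host browses out, outsider probes in."""
    fw = StatefulFilter()
    out = {"in": "eth0", "src": "192.168.1.10", "sport": 40000,
           "dst": "203.0.113.5", "dport": 80, "proto": "tcp", "syn": True}
    reply = {"in": "eth1", "src": "203.0.113.5", "sport": 80,
             "dst": "192.168.1.10", "dport": 40000, "proto": "tcp", "syn": False}
    probe = {"in": "eth1", "src": "198.51.100.7", "sport": 5555,
             "dst": "192.168.1.10", "dport": 22, "proto": "tcp", "syn": True}
    stray = {"in": "eth1", "src": "198.51.100.7", "sport": 5555,
             "dst": "192.168.1.10", "dport": 22, "proto": "tcp", "syn": False}
    return [fw.handle(p) for p in (out, reply, probe, stray)]
```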