Firewall rules on a router?

mhoppes · February 4, 2011, 2:33pm

I’m fairly new to the MT system (coming from a Cisco background).

I have several MTs configured as switches in my network, but am just installing the first MT as a router.

My question is, right now my firewall is this:

Flags: X - disabled, I - invalid, D - dynamic
0 chain=input action=accept protocol=icmp

1 chain=input action=accept connection-state=established in-interface=Level3

2 chain=input action=accept connection-state=related in-interface=Level3

3 chain=input action=drop in-interface=Level3

However, being that this is a router, I want to allow un-established packets to come in our provider (Level3) to their destination. What is the proper way to setup the firewall to prohibit outside IPs from accessing it directly, while still allowing proper IP routing from the external to the internal interface?

mrz · February 4, 2011, 2:58pm

from external to internal interface is forward chain.
Input chain is only for packets which destination is router itself.

mhoppes · February 4, 2011, 5:05pm

Thanks.

So if I understand correctly this:

0 chain=input action=accept protocol=icmp

1 chain=input action=accept protocol=tcp src-address=208.xxx.xxx.xxxx

2 chain=input action=accept protocol=tcp src-address=8.xxx.xxx.xxx

3 chain=input action=drop

Should allow management of the router only from the two IPs above, but will allow traffic to flow in and out freely, yes?

fewi · February 4, 2011, 5:35pm

Yes