I'm setting up a machine for a friend. I have static IPs but he has ADSL (so I can't test the config until I go and install the machine).
The machine will MASQUERADE an internal LAN on eth1 (using dhcpd to serve up 192.168.1.x IPs). I'm using dnsmasq for DNS caching for the internal LAN and for this machine. I'm only opening up ssh on the external eth0. I assume this is a reasonably common setup for home use.

I'm using my own set of iptables rules. I'm not using Debian's iptables init.d script to save and restore the rules, rather just running my own script from a /etc/init.d script.

So, my current iptables script uses eth0 as the external interface. I assume this should be ppp0 when running pppoe. On boot (before pppoe is running) should I leave it at eth0 and then when pppoe starts should I have a /etc/ppp/ip-up.d version that uses ppp0 instead of eth0? I'd like both (ppp0 when using ADSL and eth0 otherwise) in case the machine ends up on a static IP again.

Again, this would seem to be a common home network setup. Are there any suggested firewall/MASQ scripts to use? I'm currently using:

    http://www.tldp.org/HOWTO/IP-Masquerade-HOWTO/stronger-firewall-examples.html

and thinking about changing to:

    http://www.linuxhelp.net/guides/iptables/

One last question: On my other machines using ipchains I block both INPUT and OUTPUT and specifically set rules for both directions. That is, to open up ssh I did:

    ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
        --source-port $SSH_REMOTE_PORTS \
        -d $IPADDR 22 -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
        -s $IPADDR 22 \
        --destination-port $SSH_REMOTE_PORTS -j ACCEPT

But the iptables scripts I've found seem to allow everything outgoing and just block new connections coming in. I prefer the ipchains method above so that I can track what's outgoing, but maybe that's pointless (pointless because some "bad" program could just use the non-blocked ssh port to send out from). Anyone have comments about that?

Thanks,

-- 
Bill Moseley
mailto:[EMAIL PROTECTED]

