gabriel wrote:
On September 1, 2003 01:23 pm, Andrew Gaffney wrote:

Based on replies on this list and another, I have come up with the
following iptables rules that work for me:

    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables -P INPUT ACCEPT
    iptables -F INPUT
    iptables -P OUTPUT ACCEPT
    iptables -F OUTPUT
    iptables -P FORWARD ACCEPT
    iptables -F FORWARD
    iptables -t nat -F
    iptables -A FORWARD -i ppp0 -o eth0 -j ACCEPT
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    iptables -A INPUT -p tcp --dport 25 -j ACCEPT
    iptables -A INPUT -p tcp --dport 80 -j ACCEPT
    iptables -P INPUT DROP


NO! that will pretty much negate the use of a firewall altogether! where are you dropping/rejecting packets? basically your script says this:

accept everything incoming
accept everything outgoing
accept everything forwarding
forward all traffic from ppp0 to eth0
nat your internal lan to eth0
accept all established or related packets
accept all incoming packets from the internal lan
accept all incoming connections from any ip, on any interface on ports 22, 25, and 80.
drop everything else that's incoming.


i can't be sure that you can reset the policy like that, but i can assure you that the above rules are in no way secure.

Here is a little background on my network. ppp0 is NOT an internet connection. It is an incoming dial-up connection used only by ME. I trust myself :) As for the actual internet connection, I have a router with an IP of 192.168.254.1 hooked to a T1 set to forward all incoming traffic to this particular box. This box only acts as a router for my own PPP connection. All boxes in the LAN use the router. So, what I am doing, if I understand iptables half as well as I think I do, is forwarding all traffic from my INTERNAL ppp0 interface out to the LAN/internet, allowing any box inside the LAN to connect to this box on any port, only allowing connections from outside the LAN to be made to ports 22, 25, and 80, and allowing in any traffic from outside the LAN that is part of an already established connection. Am I correct?


--
Andrew Gaffney
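For readers following the two readings of the ruleset above, here is an added example (not a script from either poster) that keeps Andrew's stated topology but applies the ordering gabriel is asking about: default policies are set to DROP before the chains are flushed, the LAN rule is tied to the LAN interface so a spoofed 192.168.254.x source on another interface is not trusted, only NEW connections are admitted on the published ports, and return traffic is the only thing forwarded back toward ppp0. It assumes eth0 is the LAN side, ppp0 the trusted dial-in link, and uses sysctl instead of writing /proc directly; DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example: hardened restatement of the ruleset discussed in the thread.
# Assumptions (not stated as config by the poster): eth0 = LAN, ppp0 = trusted
# dial-in link, services on tcp/22,25,80 are meant to be reachable from anywhere.
LAN_IF=eth0
LAN_NET=192.168.254.0/24
DIALIN_IF=ppp0
SERVICE_PORTS="22 25 80"

# run: execute a command, or just print it when DRY_RUN=1 (no root needed).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}
ipt() { run iptables "$@"; }

apply_rules() {
    # Default-deny first, so nothing is accepted while the chains are rebuilt.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -F INPUT
    ipt -F FORWARD
    ipt -F OUTPUT
    ipt -t nat -F
    # Loopback, replies to connections this host opened, and junk state.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m state --state INVALID -j DROP
    # Trust the LAN only when it arrives on the LAN interface; trust the dial-in link.
    ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    ipt -A INPUT -i "$DIALIN_IF" -j ACCEPT
    # From anywhere else, admit only NEW connections to the published services.
    for p in $SERVICE_PORTS; do
        ipt -A INPUT -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done
    # Dial-in clients may go out via the LAN; only their replies come back.
    ipt -A FORWARD -i "$DIALIN_IF" -o "$LAN_IF" -j ACCEPT
    ipt -A FORWARD -i "$LAN_IF" -o "$DIALIN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$LAN_IF" -j MASQUERADE
    run sysctl -w net.ipv4.ip_forward=1
}
```

Run `DRY_RUN=1 sh thisfile.sh; apply_rules` style sourcing, or call `apply_rules` at the end of the file as root to apply it.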


-- [EMAIL PROTECTED] mailing list
