Andrew Taylor wrote:
> I've been running ipchains to do masq'ing and fwd'ing for a while but the
> rules were never very good. I had loads of problems whilst setting up but
> managed to cobble something workable together. I now want to set it up
> properly. I know how to make the rules etc and I think I've got the rules
> I want sorted. Could someone comment on the following and tell me what
> you think I'm trying to achieve and if I'm missing anything out.
>
> ------------------------
> Input Default - Deny (Deny Everything coming in)
Do *not* DENY auth (ident) connections; either ACCEPT or REJECT them.
Otherwise outbound connections may hang while the server attempts to
perform an ident lookup.
> ALL from 192.168.1.0 Accept (Allow anything coming over ethernet)
Then you want to accept 'all' from e.g. 'eth0'. Otherwise you will
accept forged packets.
> ALL from 192.168.2.0 Accept (As Above)
Ditto.
> ICMP from 0.0.0.0 ppp0 Accept (Allow ping requests etc over modem)
You may wish to accept only specific ICMP types/subtypes.
2.0.*/ipfwadm allows filtering by ICMP type. 2.2.*/ipchains allows
filtering by ICMP type and subtype.
Personally I wouldn't allow ICMP redirects (type 5) from the PPP link
(I don't know whether there is any actual risk, but I know that I
don't need to accept them, so I don't).
> SMTP from Demon 1 ppp0 Accept (Allow SMTP connections from isp's punt1)
> SMTP from Demon 2 ppp0 Accept (Allow SMTP connections from isp's punt2)
You may also need DNS (both UDP and TCP). If you are running BIND-8.*,
you need to allow for the fact that named uses a different port for
sending recursive queries (and receiving replies to them).
> Output Default - Accept (Allow output to anything?)
Yep; there is seldom any reason to restrict outbound packets.
> Forward Default - Deny (Don't Masq anything)
OK.
> ALL from 192.168.1.0 MASQ (Allow any local connection to be masq'd)
> ALL from 192.168.2.0 MASQ (Allow any local connection to be masq'd)
You should also check for the correct interface; you don't want to
masq/forward any forged 192.168.* packets which might arrive on the
PPP link.
> ----------------------------
>
> I *think* that should cover everything.
You also want to accept anything sent via the loopback interface.
You may also wish to reject/deny anything sent to or received from a
known broadcast/multicast address.
Also, I normally log anything which is denied, and terminate every
chain with a 'deny & log' rule (to log packets which would otherwise
be caught by the default policy).
--
Glynn Clements <[EMAIL PROTECTED]>
-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to [EMAIL PROTECTED]
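The ruleset the reply above sketches, written out as an ipchains script. This is an added example, not code from either poster: the interface names (eth0 for the LAN, ppp0 for the modem), the two placeholder relay addresses in SMTP_RELAYS (TEST-NET addresses standing in for Demon's punt hosts), and the ICMP type list are assumptions. One rule goes beyond the thread: with a deny default on input, replies to the box's own outbound TCP connections over ppp0 also need accepting, which ipchains does with a non-SYN (! -y) match; that rule is marked as such in the comments. The script prints the commands so they can be reviewed; it only executes them when run with "apply".

```shell
#!/bin/sh
# Added example: ipchains rules following Glynn Clements's comments.
# Usage: sh fw.sh show    (print the rules)
#        sh fw.sh apply   (run them with the real ipchains binary)
# Interface names and relay addresses below are assumptions.

LAN_IF=eth0
PPP_IF=ppp0
LAN1=192.168.1.0/24
LAN2=192.168.2.0/24
# Hypothetical placeholders for the ISP's two mail relays.
SMTP_RELAYS="${SMTP_RELAYS:-192.0.2.10 192.0.2.11}"

# Emit one ipchains command per line; nothing is executed here.
fw_rules() {
    # Start clean. Input and forward deny by default, output accepts.
    echo "ipchains -F"
    echo "ipchains -P input DENY"
    echo "ipchains -P output ACCEPT"
    echo "ipchains -P forward DENY"

    # Always accept loopback traffic.
    echo "ipchains -A input -i lo -j ACCEPT"

    # Match the LAN networks on the LAN interface, not by address alone:
    # a 192.168.* source arriving on ppp0 is forged and falls through to
    # the logged deny at the end of the chain, so it never reaches forward.
    echo "ipchains -A input -i $LAN_IF -s $LAN1 -j ACCEPT"
    echo "ipchains -A input -i $LAN_IF -s $LAN2 -j ACCEPT"

    # Drop broadcast and multicast on the PPP link.
    echo "ipchains -A input -i $PPP_IF -d 255.255.255.255 -j DENY"
    echo "ipchains -A input -i $PPP_IF -d 224.0.0.0/4 -j DENY"
    echo "ipchains -A input -i $PPP_IF -s 224.0.0.0/4 -j DENY"

    # ident: REJECT rather than DENY, so a remote server doing an ident
    # lookup gets an immediate refusal instead of waiting for a timeout.
    echo "ipchains -A input -i $PPP_IF -p tcp --dport 113 -j REJECT"

    # ICMP: accept only the types we need. Redirects (type 5) are left out.
    for t in echo-request echo-reply destination-unreachable \
             time-exceeded source-quench parameter-problem; do
        echo "ipchains -A input -i $PPP_IF -p icmp --icmp-type $t -j ACCEPT"
    done

    # SMTP only from the ISP's relays.
    for r in $SMTP_RELAYS; do
        echo "ipchains -A input -i $PPP_IF -p tcp -s $r --dport 25 -j ACCEPT"
    done

    # DNS replies, UDP and TCP, from port 53 to unprivileged ports. This
    # covers a resolver and a BIND 8 named with its default random query
    # port. If named.conf sets "query-source address * port 53;", replies
    # come back to port 53 and a rule with --dport 53 is needed as well.
    echo "ipchains -A input -i $PPP_IF -p udp --sport 53 --dport 1024:65535 -j ACCEPT"
    echo "ipchains -A input -i $PPP_IF -p tcp --sport 53 --dport 1024:65535 -j ACCEPT"

    # Beyond the thread (assumption): replies to our own outbound TCP
    # connections are non-SYN packets; accept them or nothing outbound works.
    echo "ipchains -A input -i $PPP_IF -p tcp ! -y -j ACCEPT"

    # Log whatever is left before the default policy drops it.
    echo "ipchains -A input -i $PPP_IF -l -j DENY"

    # Masquerade LAN hosts out over ppp0. In the forward chain -i is the
    # outgoing interface; forged LAN sources were already dropped in input.
    echo "ipchains -A forward -i $PPP_IF -s $LAN1 -j MASQ"
    echo "ipchains -A forward -i $PPP_IF -s $LAN2 -j MASQ"
    echo "ipchains -A forward -l -j DENY"
}

case "${1:-}" in
    show)  fw_rules ;;
    apply) fw_rules | sh -e ;;
esac
```

Rule order matters in ipchains: the chain is walked top to bottom and the first match wins, so the interface-qualified LAN accepts, the ident REJECT and the specific ICMP accepts all sit above the final "-l -j DENY" that catches and logs everything else. Setting SMTP_RELAYS in the environment overrides the placeholder addresses.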