On 8/7/2012 10:08, Matt Graham wrote:
From: Derek Trotter <expat.arizo...@gmail.com>
Recently I got dsl and decided to have my linux box pass on traffic to
my windows box rather than buying a firewall.
[snip]
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 40998 -j DNAT --to 192.168.0.2:40998
# packets on port 40998 forwarded to internal windows machine
That's what the above iptables rule is actually doing.  No real problems, just
that you'll have to use a different port if you're using bittorrent on the
Linux box.

iptables -A OUTPUT -o eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
# Allows me to surf the web from windows box
[snip similar rules for port 53 tcp/udp]

You'll probably want a similar rule for port 443, unless you never use HTTPS
from the windows box.
That's a good idea to do this for port 443. However, the rules for port 80 were only needed for the linux box. After I put in the drop rule for eth0 at the end, I could no longer use a browser from the linux box. Also, apt-get didn't work. Both worked after I put in the rules for port 80 and the rules for port 53. I never had any trouble surfing the web from the windows box, either before the drop rule was added or before the rules for port 80 and port 53 were added.

Now that I think about it, it seems to me the rules for nat would not allow incoming connections from any malware unless some malware was already on the windows box. It would have to initiate the connection. It seems to me it might be a good idea to block everything coming from the windows box unless it's something I want, such as http, ftp, ssh, email, bittorrent, etc. Would it work if I put a drop rule at the end like the one below, but for eth1, then open the ports I need like I did for ports 80 and 53 on eth0? Or is that overkill? I have avast on the windows box and kept the default settings for it updating itself, which it does at least once a day.

Thanks

Derek

iptables -A INPUT -i eth0 -j DROP
Putting a default DROP like that at the end of INPUT is OK, you just have to
make sure you allow all the things you'll need to access from outside.  Like
ssh, or a VPN, or other stuff like apache/postfix.  It's annoying to iptables
yourself out of your home box from outside.  There are other things that often
get done to INPUT, like blocking incoming from 10.0.0.0, 192.168.0.0,
127.0.0.0, and multicast, but having a default DROP sort of covers all of
those....
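The rule set this thread converges on, written out as an added example (not code from either poster). It assumes eth1 is the LAN side, the Windows box is 192.168.0.2 as in the DNAT rule above, and that the Linux box masquerades outbound LAN traffic; run it with IPT=echo to print the rules instead of loading them.

```shell
#!/bin/sh
# Added example: the rule set the thread converges on, for a Linux box with
# eth0 facing the DSL line and eth1 facing the LAN. Assumed (not in the thread):
# eth1 is the inside interface, the Windows box is 192.168.0.2 (as in the DNAT
# rule), and the box already masquerades outbound LAN traffic.
IPT="${IPT:-iptables}"   # set IPT=echo to print the rules instead of loading them
WAN=eth0
LAN=eth1
WINBOX=192.168.0.2
PEERPORT=40998

# INPUT: traffic addressed to the Linux box itself.
host_rules() {
    $IPT -A INPUT -i lo -j ACCEPT
    # Replies to connections the Linux box opened (web, apt-get, DNS) match here,
    # so one state rule replaces the per-port --sport 80 / --sport 53 rules.
    $IPT -A INPUT -i "$WAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Services reachable from outside go BEFORE the drop (Matt's lock-out warning);
    # ssh is the only one assumed here.
    $IPT -A INPUT -i "$WAN" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -i "$WAN" -j DROP
}

# FORWARD + nat: traffic passing through to or from the Windows box. A drop on
# the Windows box belongs here, not in INPUT -i eth1: forwarded packets never
# traverse INPUT, so an INPUT rule would only block the box talking to the router.
forward_rules() {
    $IPT -t nat -A PREROUTING -i "$WAN" -p tcp --dport "$PEERPORT" \
        -j DNAT --to-destination "$WINBOX:$PEERPORT"
    $IPT -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Inbound: only the forwarded BitTorrent port reaches the Windows box.
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -d "$WINBOX" -p tcp --dport "$PEERPORT" -j ACCEPT
    # Outbound from the Windows box: only the protocols Derek listed
    # (ftp, ssh, smtp, http, pop3, imap, https, imaps, pop3s, bittorrent) plus DNS.
    for p in 21 22 25 80 110 143 443 993 995 "$PEERPORT"; do
        $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$WINBOX" -p tcp --dport "$p" -j ACCEPT
    done
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$WINBOX" -p udp --dport 53 -j ACCEPT
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$WINBOX" -p tcp --dport 53 -j ACCEPT
    # Anything else the Windows box (or malware on it) tries to start is logged, then dropped.
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -j LOG --log-prefix "winbox-blocked: "
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -j DROP
}

if [ "${1:-}" = "apply" ]; then
    host_rules
    forward_rules
fi
```

The LOG line is what makes the outbound DROP useful for detection: a Windows box that suddenly tries ports outside this list shows up in the kernel log under the "winbox-blocked:" prefix.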


---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss