Correct me if I am wrong, guys, but the change between IPCHAINS and IPTABLES is remarkable. If you set your rules up correctly, it is very secure. I tried out some of the new, experimental modules included, and it is amazing. You can even block out SYN connections in the opposite direction of a service that is running, to stop someone from coming back through the data channel. A link I enjoyed giving newbies as a quick but very good explanation of this was http://netfilter.kernelnotes.org/unreliable-guides/packet-filtering-HOWTO/

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Peter Schmitteckert (list)
Sent: 15 March 2001 07:14
To: [EMAIL PROTECTED]
Subject: How secure is netfilter

Dear Netfilter gurus,

I'm running kernel 2.4.2, iptables 1.2 with masquerading on an ISDN flat-rate line, accepting only state RELATED,ESTABLISHED for incoming packets. I'd like to know how secure this really is. Assuming I have no trojan on my private network, do I have to worry about attackers? I'm asking since I realized that even on my dial-up connection I get several strange packets per day (not related to sites I recently had a connection to). Sure, I'm running tripwire and have carefully set up my inetd.conf and services, but can I go to friends and say "install Linux/iptables, use Rusty's simple rules, and that's it"?

Best wishes
Peter

===============================================
Start script:
================================================

#!/bin/sh
#--------------------------------------------------------
# Initialize Firewall
#--------------------------------------------------------
# Connection tracking (plus the FTP helper so active-mode data
# connections are classified RELATED), the filter table and the NAT table.
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp

# User chain shared by INPUT and FORWARD: let replies and related
# connections through, let NEW connections in only if they did NOT arrive
# on the ISDN interface, log (rate-limited) and drop everything else.
# "-i ! ippp0" is the iptables 1.2 syntax; later releases write "! -i ippp0".
iptables -N block-ippp0
iptables -A block-ippp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A block-ippp0 -m state --state NEW -i ! ippp0 -j ACCEPT
iptables -A block-ippp0 -i ippp0 -m limit -j LOG --log-prefix "Bad packet from ippp0:"
iptables -A block-ippp0 -i ! ippp0 -m limit -j LOG --log-prefix "Bad packet not from ippp0:"
iptables -A block-ippp0 -j DROP

# Hand both built-in chains over to block-ippp0 (their policies stay ACCEPT,
# but nothing returns from block-ippp0 because it ends in DROP).
iptables -A INPUT -j block-ippp0
iptables -A FORWARD -j block-ippp0

#--------------------------------------------------------
# Masquerading SNAT
#--------------------------------------------------------
iptables -t nat -A POSTROUTING -o ippp0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward

# ..... Initialize i4l and ippp0

=================================================================

iptables -n -L -v

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target      prot opt in     out  source     destination
 140K  145M block-ippp0 all  --  *      *    0.0.0.0/0  0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target      prot opt in     out  source     destination
 132K   52M block-ippp0 all  --  *      *    0.0.0.0/0  0.0.0.0/0

Chain OUTPUT (policy ACCEPT 177206 packets, 17930051 bytes)
 pkts bytes target      prot opt in     out  source     destination

Chain block-ippp0 (2 references)
 pkts bytes target      prot opt in     out  source     destination
 267K  196M ACCEPT      all  --  *      *    0.0.0.0/0  0.0.0.0/0  state RELATED,ESTABLISHED
 4766  289K ACCEPT      all  --  !ippp0 *    0.0.0.0/0  0.0.0.0/0  state NEW
   62 15886 LOG         all  --  ippp0  *    0.0.0.0/0  0.0.0.0/0  limit: avg 3/hour burst 5 LOG flags 0 level 4 prefix `Bad packet from ippp0:'
    0     0 LOG         all  --  !ippp0 *    0.0.0.0/0  0.0.0.0/0  limit: avg 3/hour burst 5 LOG flags 0 level 4 prefix `Bad packet not from ippp0:'
  169 47273 DROP        all  --  *      *    0.0.0.0/0  0.0.0.0/0

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with "unsubscribe firewalls" in the body of the message.]
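An added example, not part of the thread (neither poster's code nor netfilter's): a Python script that parses `iptables -n -L -v` output of the form Peter posted and audits the ruleset from its counters. The listing is re-typed below as a constructed sample string; the chain and interface names (block-ippp0, ippp0) come from the post, and the function names and the audit checks are my own.

```python
"""Audit a netfilter ruleset from its `iptables -n -L -v` counters.

Added example, not code from the original thread or from the netfilter
project.  It parses the counter listing from the post (re-typed below as a
constructed sample) and answers the questions a reviewer of that ruleset
would ask: does every packet entering block-ippp0 hit a terminating target,
do the built-in chains ever fall through to their ACCEPT policy, does any
rule accept NEW connections arriving on the external interface, and how
many DROPped packets produced no log line because the `-m limit` rule in
front of DROP throttled them.
"""
import re

# Constructed sample: the listing from the thread, re-aligned.
SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target      prot opt in     out  source     destination
 140K  145M block-ippp0 all  --  *      *    0.0.0.0/0  0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target      prot opt in     out  source     destination
 132K   52M block-ippp0 all  --  *      *    0.0.0.0/0  0.0.0.0/0

Chain OUTPUT (policy ACCEPT 177206 packets, 17930051 bytes)
 pkts bytes target      prot opt in     out  source     destination

Chain block-ippp0 (2 references)
 pkts bytes target      prot opt in     out  source     destination
 267K  196M ACCEPT      all  --  *      *    0.0.0.0/0  0.0.0.0/0  state RELATED,ESTABLISHED
 4766  289K ACCEPT      all  --  !ippp0 *    0.0.0.0/0  0.0.0.0/0  state NEW
   62 15886 LOG         all  --  ippp0  *    0.0.0.0/0  0.0.0.0/0  limit: avg 3/hour burst 5 LOG flags 0 level 4 prefix `Bad packet from ippp0:'
    0     0 LOG         all  --  !ippp0 *    0.0.0.0/0  0.0.0.0/0  limit: avg 3/hour burst 5 LOG flags 0 level 4 prefix `Bad packet not from ippp0:'
  169 47273 DROP        all  --  *      *    0.0.0.0/0  0.0.0.0/0
"""

_SUFFIX = {"": 1, "K": 1_000, "M": 1_000_000, "G": 1_000_000_000}
TERMINATING = {"ACCEPT", "DROP", "REJECT"}


def parse_count(token):
    """Expand an abbreviated -v counter such as '140K'.

    iptables rounds to the nearest unit when it abbreviates, so the result is
    (value, rounding_error_bound): '140K' -> (140000, 500), '4766' -> (4766, 0).
    """
    m = re.fullmatch(r"(\d+)([KMG]?)", token)
    if not m:
        raise ValueError(f"bad counter: {token!r}")
    unit = _SUFFIX[m.group(2)]
    return int(m.group(1)) * unit, (unit // 2 if unit > 1 else 0)


def parse_listing(text):
    """Return {chain: {"policy_pkts": int or None, "rules": [rule dicts]}}."""
    chains, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        head = re.match(r"Chain (\S+) \((.*)\)", line)
        if head:
            current = head.group(1)
            pol = re.search(r"policy \S+ (\d+) packets", head.group(2))
            chains[current] = {"policy_pkts": int(pol.group(1)) if pol else None,
                               "rules": []}
            continue
        if current is None or line.startswith("pkts "):
            continue  # column header
        # pkts bytes target prot opt in out source destination [match/target options]
        f = line.split(None, 9)
        pkts, err = parse_count(f[0])
        extra = f[9] if len(f) > 9 else ""
        states = re.search(r"state (\S+)", extra)
        chains[current]["rules"].append({
            "pkts": pkts, "pkts_err": err, "target": f[2], "proto": f[3],
            "in": f[5], "out": f[6], "src": f[7], "dst": f[8], "extra": extra,
            "states": set(states.group(1).split(",")) if states else set(),
        })
    return chains


def audit(chains, chain="block-ippp0", callers=("INPUT", "FORWARD"), external="ippp0"):
    """Cross-check a user chain's counters against the chains that jump to it."""
    rules = chains[chain]["rules"]
    entered = tolerance = 0
    for caller in callers:
        for r in chains[caller]["rules"]:
            if r["target"] == chain:
                entered += r["pkts"]
                tolerance += r["pkts_err"]
    term = [r for r in rules if r["target"] in TERMINATING]
    terminated = sum(r["pkts"] for r in term)
    tolerance += sum(r["pkts_err"] for r in term)
    last = rules[-1]
    catch_all = (last["target"] == "DROP" and last["in"] == "*" and last["out"] == "*"
                 and last["src"] == "0.0.0.0/0" and last["dst"] == "0.0.0.0/0"
                 and not last["extra"])
    new_on_external = any(r["target"] == "ACCEPT" and "NEW" in r["states"]
                          and r["in"] in ("*", external) for r in rules)
    dropped = sum(r["pkts"] for r in rules if r["target"] == "DROP")
    logged = sum(r["pkts"] for r in rules if r["target"] == "LOG")
    return {
        "entered": entered,
        "terminated": terminated,
        "counters_consistent": abs(entered - terminated) <= tolerance,
        "ends_in_catch_all_drop": catch_all,
        "policy_fallthrough": {c: chains[c]["policy_pkts"] for c in callers},
        "new_accepted_on_external": new_on_external,
        "dropped": dropped,
        "logged": logged,
        "dropped_unlogged": dropped - logged,  # throttled by -m limit before DROP
    }


if __name__ == "__main__":
    for key, value in audit(parse_listing(SAMPLE_LISTING)).items():
        print(f"{key:>25}: {value}")
```

The number worth looking at is dropped_unlogged: 169 packets reached DROP, but the limit match in front of it (avg 3/hour, burst 5) let only 62 of them be logged, so syslog undercounts the unsolicited traffic by about two thirds; anyone sizing the "strange packets per day" from the log alone is reading the limiter, not the line. The counters also confirm the two properties the ruleset relies on: INPUT and FORWARD never fell through to their ACCEPT policy (0 packets each), and no ACCEPT rule admits NEW connections that arrive on ippp0.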
