On Monday 10 December 2007, [EMAIL PROTECTED] wrote:
> Grant <[EMAIL PROTECTED]> writes:
>
> >> > iptables -P INPUT DROP
> >> > iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> >> > iptables -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j
> >> > ACCEPT
> >>
> >> This line is only needed if you want to forward packets to another
> >> iface/device (i.e. when your laptop is acting as a router and the input
> >> interface is eth0).
>
> > Alright I guess I'll just set up shorewall on the laptop with a config
> > similar to the router's. Maybe I'll set up shorewall on the other
> > system in my local network while I'm at it.
>
> Wait... I'm pretty sure there are a few lines of IPTABLES code that
> will do what you want.
>
> I remember using something with IPTABLES that made any connections
> from internet only happen in response to requests from your localhost.
> I don't remember the lines now but someone might post it.
The lines already posted will do just that. If you want to additionally
stop any intruder spoofing a localhost address on your NIC and getting in
you could add:

iptables -A INPUT -i ! eth0 -j ACCEPT *

* adjust for your iface

> Wouldn't the above and not running any unnecessary services be pretty
> good protection for what you're after?

Given that systems like e.g. Ubuntu server do not even have a firewall
running would make you think so. The fact that while on the road you only
stay connected for short periods of time would improve your chances too.
However, every time you start an internet connection to a server you have
open ports at random which could be discovered and exploited. It only
takes a few seconds over broadband with a well crafted script.

> I've hooked up to many networks while traveling without anything at
> all (Except not running any unnecessary services) with windows based
> laptop and never had a bit of trouble. So I'd expect a linux based
> host to do even better.

MS Windows XP runs a firewall as a default. Many programs open holes
through it as soon as you install them allowing incoming connections.
Assuming you are running as a plain user with a strong passwd, you have
closed all holes in the firewall and do not point & click at all sorts of
malware links and payloads you should be good. Similar principles apply
to Linux desktop machines except that once you set up your firewall no
installed program other than a trojan will readily go and change it. Some
distros which are trying to be 'user friendly' will however modify the
firewall to allow newly installed services to get through, albeit will
ask you about it first (I am thinking of OpenSuSE here).

--
Regards,
Mick
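The rule set discussed in this thread (default-deny INPUT, accept replies to connections the laptop started, accept loopback, and the anti-spoofing idea behind Mick's "-i ! eth0" line) pulled together into one script. This is an added example, not code posted by anyone in the thread. It assumes the uplink NIC is eth0 (override with WAN_IF) and that an iptables with the state match is installed; by default it only prints the commands it would run, and applies them only when invoked as "sh laptop-fw.sh apply" as root.

```shell
#!/bin/sh
# Added example: minimal stateful INPUT policy for a laptop on untrusted networks.
# Default mode is a dry run that prints the iptables commands; pass "apply" as
# the first argument to execute them (needs root). WAN_IF and IPT are
# assumptions for this example, not values from the thread.

WAN_IF="${WAN_IF:-eth0}"      # the interface facing the hostile network
IPT="${IPT:-iptables}"        # set IPT="echo iptables" for a dry run

laptop_rules() {
    # Flush first so re-running the script is idempotent.
    $IPT -F INPUT
    $IPT -F FORWARD

    # Default deny inbound. This host is not a router, so FORWARD is dropped
    # too (the FORWARD rule quoted in the thread is only for routing setups).
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback traffic is accepted on the lo interface only.
    $IPT -A INPUT -i lo -j ACCEPT

    # Anti-spoofing: a packet arriving on the NIC must never claim a loopback
    # source address. This covers the localhost-spoofing case Mick describes
    # without accepting everything on every other interface.
    $IPT -A INPUT -i "$WAN_IF" -s 127.0.0.0/8 -j DROP

    # Replies to connections this host initiated (the "random open ports" of an
    # outbound session) are let back in; unsolicited packets hit the DROP policy.
    $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    # Packets that do not belong to any known connection are dropped outright.
    $IPT -A INPUT -m state --state INVALID -j DROP

    # Rate-limited logging of whatever is left, so probes show up in syslog
    # before the chain policy drops them.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT drop: "
}

# Sanity check on the generated rule list; returns 0 when the key rules are present.
check_rules() {
    out=$(IPT="echo iptables"; laptop_rules)
    echo "$out" | grep -q -- '-P INPUT DROP' || return 1
    echo "$out" | grep -q -- '-i lo -j ACCEPT' || return 1
    echo "$out" | grep -q -- '-s 127.0.0.0/8 -j DROP' || return 1
    echo "$out" | grep -q -- '--state RELATED,ESTABLISHED -j ACCEPT' || return 1
    return 0
}

if [ "${1:-}" = "apply" ]; then
    laptop_rules                          # real run: needs root and iptables
else
    ( IPT="echo iptables"; laptop_rules ) # dry run: print what would be executed
fi
```

After applying, "iptables -L INPUT -v -n" shows the chain with per-rule packet counters, which is the quickest way to confirm that replies land on the RELATED,ESTABLISHED rule and that nothing unsolicited is being accepted.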

