-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, 11 Aug 2003, Glenn wrote:

> echo 1 > /proc/sys/net/ipv4/ip_forward
> iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
>
> The question is this. Am I leaving a really big security hole by doing
> things this way? Or is this good enough for a home user on a dial up
> connection.

It doesn't leave any inbound hole to machines behind the gateway, since it
will only unmasquerade traffic which it already has a connection tracking
entry for, and that will only be outbound connections.

However, you might want to apply the same thing to connections from the
host itself, to close that as a potential hole:

  iptables -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A INPUT -i ppp0 -j DROP

This will drop all traffic not for existing outbound connections from the
host itself traversing your ppp connection. It will not matter what you
have listening on ppp0; unless you initiate a connection out, it will
always be dropped.

Note: this will ALSO mean no-one will be able to ping your box, but useful
ICMP for connections WILL get through. It won't break, for example, path
MTU discovery. It also won't break your ability to ping others.

A really common mistake with people setting up firewalls is to fall into
the "ICMP is bad" trap, and drop all of it. Never do this.

You may wish to add some anti-spoofing; you can either add rules for this,
or enable route-based filtering:

  echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

- -- 
David Zanetti <[EMAIL PROTECTED]>      |  (__)
#include <geek/unix.h>                |  ( oo    Mooooooo
"Hope.. is a dangerous thing."        |  /(_O ./

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: Made with pgp4pine 1.75-6

iD8DBQE/NuV4T21+qRy4P+QRAqagAJ0bUT9Dz7l6qV6ui6RVHy8WzLk9zgCglF03
tB4z9taas7PQwO4rJ2hhLfA=
=vwbt
-----END PGP SIGNATURE-----
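The rules above are the pieces; what follows is an added example (not the poster's or the list's own script) that puts them together into one complete iptables-restore ruleset for the same dial-up gateway. It keeps the poster's INPUT rules for the host itself and adds the matching FORWARD-chain rules for the LAN hosts, so that return traffic on ppp0 is only accepted when conntrack already knows the connection, plus the rp_filter sysctl. The interface name ppp0 is from the thread; the LAN interface eth0 and the subnet 192.168.1.0/24 are assumed values and must be changed to match the box. A small check function counts ACCEPT rules on the WAN interface that lack a state match, which is the property the poster is describing: it must be zero.

```shell
#!/bin/sh
# Added example: stateful ruleset for a dial-up NAT gateway in
# iptables-restore format. ppp0 comes from the mailing-list thread;
# eth0 and 192.168.1.0/24 are assumed values (change them for your LAN).

WAN_IF="${WAN_IF:-ppp0}"
LAN_IF="${LAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Emit the whole ruleset on stdout so it can be read before it is loaded.
gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# The host itself: loopback and the LAN are trusted; on the dial-up link
# only replies to connections the host opened (and RELATED ICMP) get in.
-A INPUT -i lo -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT
-A INPUT -i $WAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $WAN_IF -m state --state INVALID -j DROP
-A INPUT -i $WAN_IF -j DROP
# Forwarding for the LAN: hosts may go out; from the dial-up link only
# traffic that matches an existing conntrack entry is forwarded back.
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $WAN_IF -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
COMMIT
EOF
}

# Sanity check: count ACCEPT rules that match inbound traffic on the WAN
# interface without any --state qualifier. For a "no inbound hole"
# ruleset this must print 0.
count_stateless_wan_accepts() {
    gen_ruleset | grep -- "-i $WAN_IF" | grep -- '-j ACCEPT' \
        | grep -vc -- '--state' || true
}

# Load the ruleset and the two sysctls from the thread (needs root).
apply_ruleset() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
    gen_ruleset | iptables-restore
}

case "${1:-}" in
    --apply) apply_ruleset ;;
    --check) count_stateless_wan_accepts ;;
    *)       gen_ruleset ;;
esac
```

Run it with no arguments to print the ruleset, with --check to print the stateless-ACCEPT count, and as root with --apply to load it. Keeping the poster's explicit "-A INPUT -i ppp0 -j DROP" as the last rule even though the chain policy is already DROP is deliberate: it still drops the packet if someone later flips the policy to ACCEPT while debugging.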
