On Mon, 11 Aug 2003 08:56, Glenn wrote:
> Hi Guys,
> <snip>
> echo 1 > /proc/sys/net/ipv4/ip_forward
> iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
>
> You can see I am using a dial up connection to connect to the internet.
>
> The question is this. Am I leaving a really big security hole by doing
> things this way? Or is this good enough for a home user on a dial up
> connection.
From an iptables POV, it's fine. Slightly better would be:

iptables -t nat -A POSTROUTING -s <internal net>/<netmask> -d 0/0 -o ppp0 -j MASQUERADE

This will stop bad things happening if your ISP gets its routes wrong.

The rules above stop direct connections made to the internal computers; now the firewall is the weakest link. Have you checked what else is running on it? Is it really secure? If not, you should either stop the services and/or look at putting some iptables filter rules in.

BTW: you might like to modprobe the following kernel modules:

ip_conntrack_ftp
ip_nat_ftp
ip_conntrack_irc
ip_nat_irc

(if you use ftp and irc respectively)

> Regards
> Glenn.

Later
Lee Begg
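As an added example (not code from either poster), a POSIX shell script that puts Lee's two suggestions together: the source-restricted MASQUERADE rule, the ftp/irc helper modules, and a small set of stateful filter rules so the firewall host itself only accepts replies and LAN traffic on the dial-up interface. The LAN range 192.168.1.0/24, the internal interface eth0, and the dry-run default (IPT and MODPROBE print the commands instead of running them) are assumptions, not from the thread.

```shell
#!/bin/sh
# Assumed values (not from the thread); override via the environment.
INT_NET="${INT_NET:-192.168.1.0/24}"   # the home LAN behind the firewall
INT_IF="${INT_IF:-eth0}"               # interface facing the LAN
EXT_IF="${EXT_IF:-ppp0}"               # the dial-up interface
# Dry-run by default: print the commands. Run as root with IPT=iptables
# MODPROBE=modprobe to actually apply them.
IPT="${IPT:-echo iptables}"
MODPROBE="${MODPROBE:-echo modprobe}"

# Load the connection-tracking helpers Lee mentions so active ftp and
# irc DCC still work through the masquerade.
helper_modules() {
    for m in ip_conntrack_ftp ip_nat_ftp ip_conntrack_irc ip_nat_irc; do
        $MODPROBE "$m"
    done
}

# NAT rule scoped to the LAN source range: if the ISP ever routes foreign
# traffic at us, it is not silently masqueraded out ppp0.
nat_rules() {
    $IPT -t nat -A POSTROUTING -s "$INT_NET" -d 0/0 -o "$EXT_IF" -j MASQUERADE
}

# Filter rules for the firewall host: default-drop, accept loopback and
# LAN traffic, and on the dial-up side only replies to connections we made.
filter_rules() {
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -i "$INT_IF" -s "$INT_NET" -j ACCEPT
    $IPT -A INPUT -i "$EXT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$INT_IF" -s "$INT_NET" -o "$EXT_IF" -j ACCEPT
    $IPT -A FORWARD -i "$EXT_IF" -o "$INT_IF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Sanity check: count rules that are explicitly scoped to the LAN source.
lan_scoped_count() {
    { nat_rules; filter_rules; } | grep -c -e "-s $INT_NET"
}
```

Run it once in dry-run mode and read the printed rules before applying them with IPT=iptables.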
