/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting!
/* ALSO: Don't quote this header. It makes you look lame :-) */
Chris Russell [mailto:[EMAIL PROTECTED]] wrote:
> Here's my attempt at a "strong" ruleset
> (this has been boiled down from the HowTo and from
> Bastille-Linux's stuff):
(snip)
> $IPTABLES -P INPUT ACCEPT
> $IPTABLES -P OUTPUT ACCEPT
> $IPTABLES -P FORWARD ACCEPT
> $IPTABLES -t nat -P PREROUTING ACCEPT
I think it's fairly safe to say that no "strong" rule-set can be made by
starting with default ACCEPT policies. It is much safer to drop everything
by default and only allow what you specify through.
> The thing I'm worried about here specifically, is that if I
> put the default policy on the FORWARD chain to deny, IP
> Masquerading does not work--contrary to what I've read in the
> howto and elsewhere. Any ideas why?
Yes, because by Masq'ing your network you are "forwarding" the packets from
one network to another. As a by-product, you are altering their source
address, but you are "forwarding" the packets nonetheless. Thus, you need
a rule on the FORWARD chain to allow the traffic through. In your case it
would be something like:
$IPTABLES -t filter -P FORWARD DROP
$IPTABLES -t filter -I FORWARD -s $INTERNAL_NET -j ACCEPT
# replies are de-NATed before FORWARD, so let them back in by connection state
$IPTABLES -t filter -I FORWARD -d $INTERNAL_NET -m state --state ESTABLISHED,RELATED -j ACCEPT
NOTE: this is only what would be needed on the FORWARD chain of the filter
table. As stated above, if you are looking for a strong firewall rule set
you really need to look into a default DROP policy for all chains.
> Also, if anyone who
> know iptables well could take a look at this and tell me if
> it's reasonably secure, it would be much appreciated!
Well, the default ACCEPT policies are a problem. If you are looking for a
more secure iptables script, get the next release of my iptables firewall
script. I'm in the process of reworking it to have a default DROP policy
for all chains and should have the new version available by the weekend.
http://www.asgardsrealm.net/linux/firewall
Jamin W. Collins
_______________________________________________
Masq maillist - [EMAIL PROTECTED]
Admin requests can be handled at http://www.indyramp.com/masq-list/ --
THIS INCLUDES UNSUBSCRIBING!
or email to [EMAIL PROTECTED]
PLEASE read the HOWTO and search the archives before posting.
You can start your search at http://www.indyramp.com/masq/
Please keep general linux/unix/pc/internet questions off the list.
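As an added illustration of the point made in the reply above (this is example code written for this archive page, not Jamin's script from asgardsrealm.net and not Chris's posted ruleset), here is a minimal masquerading firewall with a default DROP policy on every filter chain. The interface names eth0 (external) and eth1 (internal) and the internal network 192.168.1.0/24 are assumed. Setting IPTABLES="echo iptables" prints the commands instead of applying them, so the ruleset can be inspected on a machine without root or without iptables.

```shell
#!/bin/sh
# Example default-DROP masquerading ruleset (not the original poster's script).
# Assumed names: eth0 = external interface, eth1 = internal interface,
# 192.168.1.0/24 = internal network. Override via the environment if needed.
# Set IPTABLES="echo iptables" to print the commands instead of applying them.
IPTABLES="${IPTABLES:-iptables}"
EXT_IF="${EXT_IF:-eth0}"
INT_IF="${INT_IF:-eth1}"
INTERNAL_NET="${INTERNAL_NET:-192.168.1.0/24}"

build_rules() {
    # Start clean and drop everything by default in the filter table.
    # The nat table keeps ACCEPT policies: filtering belongs in the filter table.
    $IPTABLES -t filter -F
    $IPTABLES -t nat -F
    $IPTABLES -P INPUT DROP
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -P FORWARD DROP

    # Traffic to/from the firewall box itself: loopback plus stateful return.
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A OUTPUT -o lo -j ACCEPT
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

    # Anti-spoofing: internal source addresses must never arrive from outside.
    $IPTABLES -A INPUT -i "$EXT_IF" -s "$INTERNAL_NET" -j DROP
    $IPTABLES -A FORWARD -i "$EXT_IF" -s "$INTERNAL_NET" -j DROP

    # FORWARD is the chain masqueraded packets traverse, so with a DROP policy
    # it needs explicit rules. Outbound: only from the internal net, and only
    # when it actually came in on the internal interface.
    $IPTABLES -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$INTERNAL_NET" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    # Inbound replies are un-masqueraded before they reach FORWARD, so they
    # carry the internal destination; admit them by connection state only.
    $IPTABLES -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$INTERNAL_NET" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Rewrite the source of everything leaving the external interface.
    $IPTABLES -t nat -A POSTROUTING -o "$EXT_IF" -s "$INTERNAL_NET" -j MASQUERADE

    # Remember that the kernel must also have forwarding switched on:
    #   echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Dry-run helper: how many ACCEPT rules does the generated FORWARD chain have?
# (Expect 2: one outbound, one for return traffic.)
count_forward_accepts() {
    IPTABLES="echo iptables" build_rules | grep -c -- '-A FORWARD .* -j ACCEPT'
}

# Usage:  sh firewall.sh apply     (needs root)
#         sh firewall.sh print     (just show the commands)
case "${1:-}" in
    apply) build_rules ;;
    print) IPTABLES="echo iptables" build_rules ;;
esac
```

The two FORWARD ACCEPT rules are the whole answer to the question in the thread: the outbound rule lets the internal hosts out, and the ESTABLISHED,RELATED rule lets the de-NATed replies back in. Leave the second one out and masquerading "stops working" with a DROP policy, exactly as the original poster observed.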