/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting! */
/* ALSO: Don't quote this header. It makes you look lame :-) */


Chris Russell [mailto:[EMAIL PROTECTED]] wrote:
> Ok, that makes sense.  I understand why a default policy of 
> DROP would be best.  Now, if I add the above rules, and the 
> forwarding policy accepts packets destined for my internal 
> network, are those packets dropped by the POSTROUTING chain 
> in the nat table since the default policy on that chain is 
> DROP (unless of course the packets are a result of 
> ip-masqueraded packets that were outgoing earlier)?  Just a 
> reminder, the only rule that I have in that chain is:
> 
> $IPTABLES -t nat -A POSTROUTING -o $EXTERNAL_DEV -j MASQUERADE

I believe this would work.  However, you are only basing your MASQ'ing on
what device the traffic will be going out on.  Since the traffic has not (or
should not have) been modified yet, I would add the source to this rule.

$IPTABLES -t nat -A POSTROUTING -s $INTERNAL_NET -o $EXTERNAL_DEV -j MASQUERADE

This way, if one of your other rules happens to let something into the
firewall box, it becomes a little harder for your box to simply be used as a
forwarder (a masq'ing one at that).  Granted, all that would be needed is
for them to change their IP address and get the traffic to the box.
However, that can be dealt with by having these two as your first rules for
their respective chains.

$IPTABLES -t mangle -I PREROUTING -s $INTERNAL_NET -i $EXTERNAL_DEV -j DROP
$IPTABLES -t nat -I PREROUTING -s $INTERNAL_NET -i $EXTERNAL_DEV -j DROP

This can seem to be a bit redundant.  However, when striving for a strong
firewall, I feel it is best to have a default DROP policy and then
explicitly drop any traffic at the first stages of connection that I know I
don't want.  To help make this happen, I use two custom chains.

$IPTABLES -t mangle -N block_mangle
$IPTABLES -t nat -N block_nat

I then put these as the first entries in the PREROUTING chains for both tables.

$IPTABLES -t mangle -I PREROUTING -j block_mangle
$IPTABLES -t nat -I PREROUTING -j block_nat

Now, these two chains help with rule organization since from a security
standpoint, I feel it is best to block unwanted traffic as soon as
possible.  With these chains as the first entry in these tables, all inbound
traffic will pass through them first.  Now whenever we find a new item to
block we just add it to the block chains and it becomes one of the first
rules to be checked.  So, we change the previous rules to:

$IPTABLES -t mangle -I block_mangle -s $INTERNAL_NET -i $EXTERNAL_DEV -j DROP
$IPTABLES -t nat -I block_nat -s $INTERNAL_NET -i $EXTERNAL_DEV -j DROP

Hope this helps.

Jamin W. Collins
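The layout described above (block chains hooked first in PREROUTING of both tables, anti-spoof drops inside them, and MASQUERADE restricted to the internal source range), assembled into one POSIX shell script as an added example; this is not Jamin's script. The INTERNAL_NET and EXTERNAL_DEV values are assumed placeholders, and with DRY_RUN=1 (the default) the script only prints the iptables commands instead of applying them, so it can be reviewed without root.

```shell
#!/bin/sh
# Constructed example, not from the original post. Assumed values:
INTERNAL_NET="${INTERNAL_NET:-192.168.1.0/24}"   # assumed LAN range
EXTERNAL_DEV="${EXTERNAL_DEV:-eth0}"             # assumed WAN interface
DRY_RUN="${DRY_RUN:-1}"                          # 1 = print rules only

# ipt: print the iptables command under DRY_RUN, otherwise run it
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# build_block_chains: custom chains inserted as the FIRST rule of
# PREROUTING in both the mangle and nat tables, so every inbound
# packet hits them before anything else
build_block_chains() {
    ipt -t mangle -N block_mangle
    ipt -t nat -N block_nat
    ipt -t mangle -I PREROUTING -j block_mangle
    ipt -t nat -I PREROUTING -j block_nat
}

# add_antispoof: a packet claiming an internal source address must never
# arrive on the external interface; drop it in both block chains
add_antispoof() {
    ipt -t mangle -I block_mangle -s "$INTERNAL_NET" -i "$EXTERNAL_DEV" -j DROP
    ipt -t nat -I block_nat -s "$INTERNAL_NET" -i "$EXTERNAL_DEV" -j DROP
}

# add_masquerade: NAT only traffic that really originates from the
# internal range, not everything that happens to leave via EXTERNAL_DEV
add_masquerade() {
    ipt -t nat -A POSTROUTING -s "$INTERNAL_NET" -o "$EXTERNAL_DEV" -j MASQUERADE
}

# apply_all: emit (or apply) the rules in the order recommended above
apply_all() {
    build_block_chains
    add_antispoof
    add_masquerade
}

# Set RUN_MASQ_RULES=1 to execute when running the file directly.
if [ "${RUN_MASQ_RULES:-0}" = 1 ]; then
    apply_all
fi
```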

_______________________________________________
Masq maillist  -  [EMAIL PROTECTED]