Another thought, if you're attempting to allow wireless clients internet access, do you intend to allow them access to the linux box directly? If not, you might want to express that in your rules in some fashion (ala iptables -A INPUT -i eth2 -d 192.168.3.1 -j REJECT). If you do, you still might want to close it down a bit more, and only allow ports you expect traffic to be coming in on (ssh, web, etc). Note, if you're going to be using Samba from the wireless lan, ignore that - it requires you open everything above 1024, so it's hardly worth bothering. :) You could still firewall off "historically more vulnerable" services, but you're better off doing a touch more legwork and getting them not to bind to that interface to start with.
Hope that helps!

Aaron S. Joyner
Michael Hrivnak wrote:
I'm just looking for some feedback on my rules with iptables. The machine will be running nat in my home. eth0 is a cable modem, eth1 is a wired lan with ip range 192.168.1. and eth2 is a wireless access point serving ip range 192.168.3. One goal is to keep wireless clients from accessing wired clients.
Do you see any potential problems? Is there a better way to do this?
iptables -P INPUT ACCEPT
iptables -F INPUT
iptables -P OUTPUT ACCEPT
iptables -F OUTPUT
iptables -P FORWARD DROP
iptables -F FORWARD
# wireless <-> wired isolation; these two must come before the ACCEPT rules, since the first match wins
iptables -A FORWARD -i eth2 -o eth1 -j DROP
iptables -A FORWARD -i eth1 -o eth2 -j DROP
# everything else to/from either lan may be forwarded (i.e. out to the cable modem)
iptables -A FORWARD -s 192.168.1.0/24 -j ACCEPT
iptables -A FORWARD -d 192.168.1.0/24 -j ACCEPT
iptables -A FORWARD -s 192.168.3.0/24 -j ACCEPT
iptables -A FORWARD -d 192.168.3.0/24 -j ACCEPT
# masquerade both lans behind the cable modem address
iptables -t nat -F
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Thanks a lot,
Michael Hrivnak
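An added example, not code from either post: Michael's ruleset rewritten as a script with Aaron's suggestion for the INPUT chain applied, so that wireless clients reach only the services the box is expected to offer and are refused everything else. The interface names, subnets and the router's wireless address 192.168.3.1 come from the thread; the choice of ssh (22) and web (80) as the permitted services, and the conntrack rule that keeps replies to the box's own connections flowing, are assumptions. The script prints the rules rather than applying them, so the set can be reviewed first and then piped to sh as root.

```shell
#!/bin/sh
# Added example (not from the thread). Interfaces and subnets as given in
# Michael's post; 192.168.3.1 is the router's wireless address from Aaron's
# example rule. Ports 22/80 and the conntrack rule are assumptions.
WAN=eth0
WIRED=eth1
WIFI=eth2
WIRED_NET=192.168.1.0/24
WIFI_NET=192.168.3.0/24
ROUTER_WIFI_IP=192.168.3.1

# Emit a rule instead of applying it, so nothing touches the live firewall
# until the output has been read and deliberately piped to sh.
ipt() { echo "iptables $*"; }

generate_rules() {
    # --- INPUT: traffic addressed to the router itself ---
    ipt -P INPUT ACCEPT
    ipt -F INPUT
    # Replies to connections the box opened towards wireless clients stay
    # allowed (assumed addition; the thread's rules track no state).
    ipt -A INPUT -i "$WIFI" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Services wireless clients may reach on the box, per Aaron's reply.
    # If this box also serves DHCP or DNS to the wireless side, add those here.
    ipt -A INPUT -i "$WIFI" -p tcp --dport 22 -j ACCEPT
    ipt -A INPUT -i "$WIFI" -p tcp --dport 80 -j ACCEPT
    # Anything else from the wireless side to the box is refused (Aaron's rule).
    ipt -A INPUT -i "$WIFI" -d "$ROUTER_WIFI_IP" -j REJECT

    # --- OUTPUT ---
    ipt -P OUTPUT ACCEPT
    ipt -F OUTPUT

    # --- FORWARD: Michael's rules, unchanged. The two DROPs must precede the
    # ACCEPTs, because the first matching rule decides. ---
    ipt -P FORWARD DROP
    ipt -F FORWARD
    ipt -A FORWARD -i "$WIFI" -o "$WIRED" -j DROP
    ipt -A FORWARD -i "$WIRED" -o "$WIFI" -j DROP
    ipt -A FORWARD -s "$WIRED_NET" -j ACCEPT
    ipt -A FORWARD -d "$WIRED_NET" -j ACCEPT
    ipt -A FORWARD -s "$WIFI_NET" -j ACCEPT
    ipt -A FORWARD -d "$WIFI_NET" -j ACCEPT

    # --- NAT: both lans masqueraded behind the cable modem ---
    ipt -t nat -F
    ipt -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

# Sanity check on the generated list: the wireless/wired DROP must appear
# before any FORWARD ACCEPT, otherwise the isolation never takes effect.
# Returns 0 when the order is right, 1 otherwise.
isolation_precedes_accept() {
    generate_rules | awk '
        /-A FORWARD .*-j DROP/   && !d { d = NR }
        /-A FORWARD .*-j ACCEPT/ && !a { a = NR }
        END { exit !(d && a && d < a) }'
}

# Usage:  sh wifi-rules.sh            -> print the rules for review
#         sh wifi-rules.sh | sudo sh  -> apply them
generate_rules
```

Keeping the REJECT as the last INPUT rule for eth2 means any service you later start on the box is closed to the wireless side until you add an explicit ACCEPT for it, which is the direction Aaron's advice points in.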
--
TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
TriLUG Organizational FAQ : http://trilug.org/faq/
TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
TriLUG PGP Keyring : http://trilug.org/~chrish/trilug.asc
