Re: about iptables



On 27 Apr 2006 15:45:54 -0700, "ParTizan" <ParTizanPuPkin@xxxxxxxxx> wrote:

> Hi All,
> I guess this is a simple question, but I couldn't find an answer on the
> internet.
>
> my setup:
> dsl modem <---> linksys router+dhcp (192.168.1.1) <---> linux box (1
> nic)
>
> dhcp 192.168.1.1
> dns1 71.0.0.1
> dns1 151.0.0.2

Your firewall doesn't need to know about the DNS servers.

Bits of my firewall setup:
<http://bugsplatter.mine.nu/bash/firewall/> for net topology

rc.firewall:
....
X_LOCAL="eth0" # main local net: 100-Base-T
X_WORLD="ppp0" # expected ADSL modem interface
....
MSTATE="--match state --state"
....
report " policy"
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

report " local"
iptables -A INPUT -p all $MSTATE ESTABLISHED,RELATED -j ACCEPT ##[1]
iptables -A INPUT -p all -i lo -j ACCEPT
iptables -A INPUT -p all -i $X_LOCAL -j ACCEPT
....
[1] This comes first, it allows expected traffic back into the box

Now you need to add rules to allow incoming traffic; if you are not
offering services to the public, you don't need any. ;)

Also:

# NAT table
# ``````````
# Perform SNAT or MASQUERADE for localnet to world connections

# Difference between SNAT and MASQUERADE?
# SNAT is more efficient for static public IP address, and established
# connections will survive a reconnect. MASQUERADE is for dynamic IP
# where established connections are dropped when link goes down as a
# new, likely different, IP address is expected on the next connection.

install_nat_table()
{
    report " nat"
    if [ -n "$IP_WORLD" ]; then
        report " SNAT $IP_WORLD"
        iptables -t nat -A POSTROUTING -o $X_WORLD \
            -j SNAT --to-source $IP_WORLD
    else
        report " MASQUERADE"
        iptables -t nat -A POSTROUTING -o $X_WORLD \
            -j MASQUERADE
    fi
}

[part of firewall startup, for context]

case $1 in
restart )
    # called from ip-up when ADSL connection established, parameters:
    # $1 restart -- anything else switches firewall to local mode
    # $2 <interface> -- example ppp0
    # $3 <IP>, optional -- if specified the output will be SNAT to the
    # supplied IP address, otherwise MASQUERADE is used

    install_firewall_local_mode
    if [ -z "$2" ]; then
        echo -e "\nrc.firewall: warning: restart without \c"
        echo -e "<interface>, local mode running."
        exit 0
    else
        X_WORLD=$2 # e.g. ppp0
    fi
    if [ -z "$3" ]; then
        IP_WORLD="" # MASQUERADE
    else
        IP_WORLD=$3 # SNAT to supplied IP address
    fi
    install_firewall_world_mode
    echo -e "\n\nrc.firewall: finish: world mode running."
    ;;
....

Not posting the whole thing 'cos it's a ~600 line bash script.

Grant.
--
Memory fault -- brain fried
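The pieces Grant posts (default-deny policies, the ESTABLISHED,RELATED rule first, then loopback and the trusted LAN, and the SNAT-or-MASQUERADE decision) fit together as below. This is an added example, not a part of Grant's rc.firewall: it keeps his variable names and rule order, but runs "dry" by default, with IPT expanding to "echo iptables" so the rules are printed instead of installed and can be inspected as a normal user. The FORWARD rules, the interface names and the RFC 5737 test address 203.0.113.5 are assumptions, since the post does not show them.

```shell
#!/bin/sh
# Added example, not from the ~600 line rc.firewall quoted above. IPT defaults
# to "echo iptables" (dry run); run as root with IPT=iptables to apply for real.
IPT="${IPT:-echo iptables}"
X_LOCAL="${X_LOCAL:-eth0}"      # trusted LAN interface (assumed name)
MSTATE="--match state --state"

# local_rules: default-deny INPUT/FORWARD, then the three INPUT accepts in the
# order the post insists on: replies to our own traffic first, then loopback,
# then anything arriving on the trusted LAN interface.
local_rules() {
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -p all $MSTATE ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -p all -i lo -j ACCEPT
    $IPT -A INPUT -p all -i "$X_LOCAL" -j ACCEPT
}

# nat_rule <world_if> [public_ip]: the SNAT-or-MASQUERADE choice from
# install_nat_table. A fixed public IP gets SNAT (connections survive a
# reconnect); no IP means a dynamic address, so MASQUERADE.
nat_rule() {
    world="$1"
    ip="$2"
    if [ -n "$ip" ]; then
        $IPT -t nat -A POSTROUTING -o "$world" -j SNAT --to-source "$ip"
    else
        $IPT -t nat -A POSTROUTING -o "$world" -j MASQUERADE
    fi
}

# world_rules <world_if> [public_ip]: forwarding for the LAN plus NAT. The
# FORWARD rules are an assumption (the post does not show them): the LAN may
# open connections to the world, and only matching replies are forwarded back.
world_rules() {
    world="$1"
    $IPT -A FORWARD -i "$X_LOCAL" -o "$world" -j ACCEPT
    $IPT -A FORWARD -i "$world" -o "$X_LOCAL" $MSTATE ESTABLISHED,RELATED -j ACCEPT
    nat_rule "$world" "$2"
}

# restart_firewall [world_if] [public_ip]: mirrors the "restart" branch of the
# post's case statement. Without an interface the box stays in local mode and
# the function returns 1 so a caller (e.g. ip-up) can notice.
restart_firewall() {
    local_rules
    if [ -z "$1" ]; then
        echo "rc.firewall: warning: restart without <interface>, local mode running." >&2
        return 1
    fi
    world_rules "$1" "$2"
}

# Dry-run demonstration with an assumed ADSL interface and a test address.
restart_firewall ppp0 203.0.113.5
```

Running it prints the rule list in the order it would be installed; comparing that output against `iptables -S` after a real run is a cheap way to confirm the ESTABLISHED,RELATED accept really sits before the interface-based accepts, which is the ordering point marked [1] in the post.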