iptables firewall do-over
- From: William Gill <noreply@xxxxxxxxxxx>
- Date: Mon, 18 Jun 2007 22:59:41 GMT
I am revisiting my firewall and before I begin, I need to make sure my
understandings are right.
Here's the geography:
WAN (Internet) public routable IPs
Interface (ppp0)
fw machine
interface (eth1)
LAN private non-routable IPs
Assuming NAT is set up correctly, here's what I'm thinking.
Since the LAN uses only non-routable IPs, and there is no one on the
LAN that I'm worried about, I only need to focus on NEW packets from
ppp0 destined for the fw machine (INPUT chain where -i ppp0 and --state NEW). Any NEW packets from the WAN are blocked from the LAN by virtue of non-routable IP addresses.
Default policies should be: INPUT DROP, OUTPUT ACCEPT, and FORWARD DROP. Then by looking at specific ports, protocols, and interface sources, selectively jump to ACCEPT. Everything else should fall through to the default policy (DROP). It almost sounds like I could get away with one rule -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT.
If these assumptions are correct, is there anything on ppp0 --state NEW that should get accepted?
Bill
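The ruleset the post sketches, written out as an added example in iptables-restore format (this is not from the original post or any reply, and is not a recommendation from the list). It assumes ppp0 is the WAN side, eth1 the LAN side, a placeholder LAN network of 192.168.1.0/24, and no services exposed on ppp0; note that with FORWARD DROP as the policy, the two FORWARD rules are what actually let NAT'd LAN traffic through, rather than the non-routable addresses alone.

```shell
# Added example: emit the post's policies and rules in iptables-restore
# format so they can be reviewed before loading. Interface names and the
# LAN network below are assumptions/placeholders, not values from the post.
build_rules() {
    wan="${1:-ppp0}"
    lan="${2:-eth1}"
    lan_net="${3:-192.168.1.0/24}"   # constructed placeholder network
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback is needed for local services on the fw machine itself
-A INPUT -i lo -j ACCEPT
# the one rule the post mentions: replies to connections the fw opened
-A INPUT -i $wan -m state --state ESTABLISHED,RELATED -j ACCEPT
# the post trusts the LAN, so accept what arrives on $lan from its own net
-A INPUT -i $lan -s $lan_net -j ACCEPT
# anything NEW on $wan is not matched above and hits the DROP policy
# FORWARD DROP alone would also block the LAN; NAT needs these two rules
-A FORWARD -i $lan -o $wan -s $lan_net -j ACCEPT
-A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
EOF
}

# usage: build_rules ppp0 eth1 192.168.1.0/24 > rules.v4
#        iptables-restore < rules.v4   (as root, after reviewing the file)
```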
- Follow-Ups:
- Re: iptables firewall do-over
- From: Clifford Kite
- Re: iptables firewall do-over
- From: Juha Laiho
- Re: iptables firewall do-over
- From: Mouquiette