
Basic firewall for masquerading use



I have a simple cable modem + internal LAN setup. The cable modem connects to 
an ethernet board on the firewall and the LAN connects to another ethernet 
board on the same box.

Linux 2.2.19 and Debian potato are used on the firewall.

All ports on the external interface are closed except ssh for admin and some 
scp (when files need to be exchanged) and http for my personal webserver.

My ipchains rules are these:

:input ACCEPT
:forward DENY
:output ACCEPT
-A forward -s 192.168.1.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -j MASQ
-A output -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 23:23 -p 6 -t 01 10
-A output -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 21:21 -p 6 -t 01 10
-A output -s 0.0.0.0/0.0.0.0 20:20 -d 0.0.0.0/0.0.0.0 -p 6 -t 01 08
-A output -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 22:22 -p 6 -t 01 10
-A output -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 80:80 -p 6 -t 01 10

This is basic masq setup plus some rules to give better responsiveness for 
http and such.

My question is what else should I do?
What rules should I add to try to prevent Dos attacks?
What else should I filter?


PS: Changing to iptables and 2.4 is not on my todo list for now since I don't 
consider it stable enough.

Greetings from Portugal,

Pedro Corte-Real.
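Added example (not from the poster, and not a Debian or ipchains project script): one way to tighten the ruleset above on a 2.2 kernel while staying with ipchains. It assumes the cable side is eth0, the LAN side is eth1 and the LAN is 192.168.1.0/24 (none of which the post names). It keeps the masquerade rule, closes the input chain by default, drops spoofed private-source packets arriving from the cable modem, lets only ssh and http in from the Internet plus replies to connections the box or the LAN opened, and turns on the kernel's SYN-cookie, reverse-path and defragmentation settings, which is what a 2.2 box can do against the simpler DoS attacks. The poster's TOS rules on the output chain can be appended unchanged.

```shell
#!/bin/sh
# Hardened ipchains ruleset for a Linux 2.2 masquerading gateway.
# Added example, not the original post's code. Assumptions (not in the post):
# external interface eth0, internal interface eth1, LAN 192.168.1.0/24.
EXT=eth0
INT=eth1
LAN=192.168.1.0/24

# Emit every step as a line of shell. "show" prints the ruleset for review,
# "apply" feeds the same lines to sh, so what you audit is what gets loaded.
fw_rules() {
    cat <<EOF
# Kernel-side protection against SYN floods, spoofing and fragment tricks (2.2 sysctls)
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 1 > /proc/sys/net/ipv4/ip_always_defrag
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/ip_forward
# Flush and set default policies: nothing comes in or through unless a rule allows it
ipchains -F
ipchains -P input DENY
ipchains -P forward DENY
ipchains -P output ACCEPT
# Loopback and the LAN side are trusted
ipchains -A input -i lo -j ACCEPT
ipchains -A input -i $INT -s $LAN -j ACCEPT
# Anti-spoofing: packets on the cable side claiming private or loopback sources are bogus
ipchains -A input -i $EXT -s 10.0.0.0/8 -j DENY -l
ipchains -A input -i $EXT -s 172.16.0.0/12 -j DENY -l
ipchains -A input -i $EXT -s 192.168.0.0/16 -j DENY -l
ipchains -A input -i $EXT -s 127.0.0.0/8 -j DENY -l
# Services exposed to the Internet: ssh (22, scp rides on it) and http (80) only
ipchains -A input -i $EXT -p tcp -d 0/0 22 -j ACCEPT
ipchains -A input -i $EXT -p tcp -d 0/0 80 -j ACCEPT
# Replies to connections the box or the LAN opened: TCP packets without SYN (! -y)
ipchains -A input -i $EXT -p tcp ! -y -j ACCEPT
# DNS answers from the ISP resolvers (UDP from port 53 to an unprivileged local port)
ipchains -A input -i $EXT -p udp -s 0/0 53 -d 0/0 1024:65535 -j ACCEPT
# ICMP: only what path MTU discovery, traceroute and outgoing pings need
ipchains -A input -i $EXT -p icmp --icmp-type destination-unreachable -j ACCEPT
ipchains -A input -i $EXT -p icmp --icmp-type time-exceeded -j ACCEPT
ipchains -A input -i $EXT -p icmp --icmp-type echo-reply -j ACCEPT
# Everything else arriving on the cable side is dropped and logged
ipchains -A input -i $EXT -j DENY -l
# Masquerade only traffic that really comes from the LAN and leaves via the cable modem
# (on the forward chain, -i names the outgoing interface)
ipchains -A forward -i $EXT -s $LAN -j MASQ
EOF
}

case "${1:-show}" in
    show)  fw_rules ;;
    apply) fw_rules | sh -e ;;
    *)     echo "usage: $0 show|apply" >&2; exit 2 ;;
esac
```

Run it as "sh firewall.sh show" first and read the output; "sh firewall.sh apply" loads it. The logged denies (-l) land in the kernel log, which is also where a SYN flood or port scan shows up first; with the default policies set to DENY, a typo in one rule fails closed rather than open.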


