Basic firewall for masquerading use
I have a simple cable modem + internal LAN setup. The cable modem connects to
an ethernet board on the firewall and the LAN connects to another ethernet
board on the same box.
Linux 2.2.19 and Debian potato are used on the firewall.
All ports on the external interface are closed except ssh for admin and some
scp (when files need to be exchanged) and http for my personal webserver.
My ipchains rules are these:
:input ACCEPT
:forward DENY
:output ACCEPT
-A forward -s 192.168.1.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -j MASQ
-A output -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 23:23 -p 6 -t 01 10
-A output -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 21:21 -p 6 -t 01 10
-A output -s 0.0.0.0/0.0.0.0 20:20 -d 0.0.0.0/0.0.0.0 -p 6 -t 01 08
-A output -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 22:22 -p 6 -t 01 10
-A output -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 80:80 -p 6 -t 01 10
This is a basic masq setup plus some rules to give better responsiveness for
http and such.
My question is what else should I do?
What rules should I add to try to prevent DoS attacks?
What else should I filter?
PS: Changing to iptables and 2.4 is not on my todo list for now since I don't
consider it stable enough.
Greetings from Portugal,
Pedro Corte-Real.
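As an added example (not the poster's own rules, and not a reply from the list), here is one way to tighten the setup asked about above on a 2.2 kernel: a script that emits an ipchains-save style ruleset with a default-deny input chain, anti-spoofing on the outside interface, only ssh/http reachable from outside, and the 2.2 /proc knobs (SYN cookies, rp_filter, broadcast-echo ignore) that help against the simpler DoS cases. It assumes eth0 faces the cable modem and eth1 the LAN; neither interface name is given in the post.

```shell
#!/bin/sh
# Added example, not the poster's own rules: emits an ipchains-save style
# ruleset for a 2.2-kernel masquerading box and (optionally) applies it.
# Assumed, not from the post: eth0 faces the cable modem, eth1 the LAN.
EXT_IF="${EXT_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN="${LAN:-192.168.1.0/255.255.255.0}"
# Default-deny input; log and drop private/loopback sources arriving on the
# outside interface; accept only ssh/http, non-SYN TCP (replies, including
# de-masqueraded ones), DNS answers and the ICMP types needed for normal use.
build_rules() {
    cat <<EOF
:input DENY
:forward DENY
:output ACCEPT
-A input -i lo -j ACCEPT
-A input -i $LAN_IF -s $LAN -j ACCEPT
-A input -i $EXT_IF -s 192.168.0.0/255.255.0.0 -j DENY -l
-A input -i $EXT_IF -s 172.16.0.0/255.240.0.0 -j DENY -l
-A input -i $EXT_IF -s 10.0.0.0/255.0.0.0 -j DENY -l
-A input -i $EXT_IF -s 127.0.0.0/255.0.0.0 -j DENY -l
-A input -i $EXT_IF -p tcp -d 0.0.0.0/0 22 -j ACCEPT
-A input -i $EXT_IF -p tcp -d 0.0.0.0/0 80 -j ACCEPT
-A input -i $EXT_IF -p tcp ! -y -j ACCEPT
-A input -i $EXT_IF -p udp -s 0.0.0.0/0 53 -d 0.0.0.0/0 1024:65535 -j ACCEPT
-A input -i $EXT_IF -p icmp -s 0.0.0.0/0 0 -j ACCEPT
-A input -i $EXT_IF -p icmp -s 0.0.0.0/0 3 -j ACCEPT
-A input -i $EXT_IF -p icmp -s 0.0.0.0/0 11 -j ACCEPT
-A input -i $EXT_IF -j DENY -l
-A forward -i $EXT_IF -s $LAN -j MASQ
EOF
}
# Kernel-side DoS/spoofing knobs for 2.2, then load the rules (needs root).
apply_rules() {
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > "$f"; done
    echo 1 > /proc/sys/net/ipv4/ip_always_defrag
    ipchains -F
    build_rules | ipchains-restore
    echo 1 > /proc/sys/net/ipv4/ip_forward
}
case "${1:-show}" in
    apply) apply_rules ;;
    *) build_rules ;;
esac
```

Run it without arguments to print and review the ruleset first; `sh script.sh apply` loads it. Logged DENY hits (`-l`) show up in the kernel log, which is where spoofed or scanning traffic becomes visible.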