[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]


On Sat, Dec 01, 2001 at 09:02:34PM -0500, David B Harris wrote:
> On Sun, 2 Dec 2001 11:36:20 +1000,
>   mdevin@ozemail.com.au wrote:
> > I am trying to figure out which is the best way to do some
> > masquerading of my internal LAN.
> <snip> 
> > Which would be the best way in terms of efficiency and security?
> SNAT would be. However, you better make sure that each time the IP
> address of your interface changes, your firewall script runs. You could
> do this in Debian by putting your firewall script in /etc/ppp/ip-up.d/.
> But also please keep in mind that your firewall rules should be put in
> place *before* any external interfaces are brought on-line.
> Since you can't determine the IP address without the interface being
> on-line, your firewall should run in two parts; first, setting the
> strict don't-accept-any-of-these-connections rules(in my case, I set the
> policy of INPUT and FORWARD to DROP), a second script to set up the NAT.
Yeah, that is basically what I have been doing until now.  I have a
default "deny everything" firewall that gets loaded at boot.  It only
allows stuff on the loopback, everything else gets dropped by the
default policies (DROP) for all chains.  Then on connecting to the
internet I run my real firewall script exactly as you say (from
/etc/ppp/ip-up.d/0firewall-up  (which is just a symlink to it).  The
first thing this script does is flush the chains and then again sets the
default policies for all built-in chains to DROP (redundant for extra
safety).  Then it sets all the new rules.

I have a similar symlink in /etc/ppp/ip-down.d/0firewall-down - which is
a symlink to my deny everything firewall run at boot.

Thus, there should never be a time when the default policies are not
DROP from the time my computer boots.

Since I already do all this, then I may as well get the benefit (slight
probably) of using SNAT instead of MASQUERADE I guess.

Please someone tell me if I am missing something and there is some other
reason to use MASQUERADE instead of SNAT.

The only other place I use my own internet IP address in my ruleset is
to prevent spoofing of my own INET IP address.  Here is this rule:
$IPTABLES -A INPUT -i $INET_IF -s $INET_IP -j log_spoofed
where log_spoofed just LOGs and then DROPs the packets.

Any opinions on the matter are welcome.


Attachment: pgpEsgKXf4xXu.pgp
Description: PGP signature

Reply to: