On Sat, Dec 01, 2001 at 09:02:34PM -0500, David B Harris wrote: > On Sun, 2 Dec 2001 11:36:20 +1000, > firstname.lastname@example.org wrote: > > I am trying to figure out which is the best way to do some > > masquerading of my internal LAN. > <snip> > > Which would be the best way in terms of efficiency and security? > > SNAT would be. However, you better make sure that each time the IP > address of your interface changes, your firewall script runs. You could > do this in Debian by putting your firewall script in /etc/ppp/ip-up.d/. > But also please keep in mind that your firewall rules should be put in > place *before* any external interfaces are brought on-line. > > Since you can't determine the IP address without the interface being > on-line, your firewall should run in two parts; first, setting the > strict don't-accept-any-of-these-connections rules(in my case, I set the > policy of INPUT and FORWARD to DROP), a second script to set up the NAT. > Yeah, that is basically what I have been doing until now. I have a default "deny everything" firewall that gets loaded at boot. It only allows stuff on the loopback, everything else gets dropped by the default policies (DROP) for all chains. Then on connecting to the internet I run my real firewall script exactly as you say (from /etc/ppp/ip-up.d/0firewall-up (which is just a symlink to it). The first thing this script does is flush the chains and then again sets the default policies for all built-in chains to DROP (redundant for extra safety). Then it sets all the new rules. I have a similar symlink in /etc/ppp/ip-down.d/0firewall-down - which is a symlink to my deny everything firewall run at boot. Thus, there should never be a time when the default policies are not DROP from the time my computer boots. Since I already do all this, then I may as well get the benefit (slight probably) of using SNAT instead of MASQUERADE I guess. Please someone tell me if I am missing something and there is some other reason to use MASQUERADE instead of SNAT. The only other place I use my own internet IP address in my ruleset is to prevent spoofing of my own INET IP address. Here is this rule: $IPTABLES -A INPUT -i $INET_IF -s $INET_IP -j log_spoofed where log_spoofed just LOGs and then DROPs the packets. Any opinions on the matter are welcome. Thanks. Mark.
Description: PGP signature