
Firewall for pppoe



I'm setting up a machine for a friend.  I have static IPs but he has ADSL
(so I can't test the config until I go and install the machine).

The machine will MASQUERADE an internal LAN on eth1 (using dhcpd to serve
up 192.168.1.x IPs).  I'm using dnsmasq for DNS caching for the internal
LAN and for this machine.  I'm only opening up ssh on the external eth0.

I assume this is a reasonably common setup for home use.

I'm using my own set of iptables rules.  I'm not using Debian's iptables
init.d script to save and restore the rules, rather just running my own
script from a /etc/init.d script.

So, my current iptables script uses eth0 as the external interface.  I
assume this should be ppp0 when running pppoe.  On boot (before pppoe is
running) should I leave it at eth0 and then when pppoe starts should I have
a /etc/ppp/ip-up.d version that uses ppp0 instead of eth0?

I'd like both (ppp0 when using ADSL and eth0 otherwise) in case the machine
ends up on a static IP again.

Again, this would seem to be a common home network setup.  Are there any
suggested firewall/MASQ scripts to use?  I'm currently using:

http://www.tldp.org/HOWTO/IP-Masquerade-HOWTO/stronger-firewall-examples.html

and thinking about changing to:

http://www.linuxhelp.net/guides/iptables/

One last question:

On my other machines using ipchains I block both INPUT and OUTPUT and
specifically set rules for both directions.  That is, to open up ssh I did:

    # inbound: only TCP to port 22 on our address, from the allowed remote port range
    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp  \
             --source-port $SSH_REMOTE_PORTS \
             -d $IPADDR 22 -j ACCEPT

    # outbound: replies from port 22 only (! -y = no SYN, so no new connections out)
    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $IPADDR 22 \
             --destination-port $SSH_REMOTE_PORTS -j ACCEPT

But the iptables scripts I've found seem to allow everything outgoing and
just block new connections coming in.  I prefer the ipchains method above
so that I can track what's outgoing, but maybe that's pointless (pointless
because some "bad" program could just use the non-blocked ssh port to send
out from).

Anyone have comments about that?

Thanks,

-- 
Bill Moseley
mailto:moseley@hank.org
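One way to handle the eth0/ppp0 question and the explicit-outbound question together, as an added example that is not from the post above or from the linked HOWTOs: a single script that takes the external interface as its argument, so /etc/init.d runs it with eth0 at boot and a hook in /etc/ppp/ip-up.d runs it again with ppp0 once the PPPoE link is up. The LAN subnet (192.168.1.0/24 on eth1), the outbound port list and the script/hook names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): firewall rules parameterised by
# external interface, so the same script serves eth0 at boot and ppp0 from ip-up.d.
# Assumed: LAN on eth1 is 192.168.1.0/24; ssh is the only service exposed externally.
IPT="${IPT:-iptables}"      # set IPT=echo to print the rules instead of applying them
LAN_IF=eth1
LAN_NET=192.168.1.0/24

apply_rules() {
    ext="$1"                # external interface: eth0 (static IP) or ppp0 (PPPoE)
    $IPT -F; $IPT -t nat -F
    $IPT -P INPUT DROP; $IPT -P OUTPUT DROP; $IPT -P FORWARD DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    # a LAN source address arriving on the external side is spoofed: drop it first
    $IPT -A INPUT -i "$ext" -s "$LAN_NET" -j DROP
    $IPT -A FORWARD -i "$ext" -s "$LAN_NET" -j DROP
    # replies to connections this box or the LAN already opened
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # the only service exposed on the external interface: ssh
    $IPT -A INPUT -i "$ext" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    # LAN clients may use this box for dhcp (no -s: DHCPDISCOVER comes from 0.0.0.0),
    # dns via dnsmasq, and ssh
    $IPT -A INPUT -i "$LAN_IF" -p udp --dport 67 -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p udp --dport 53 -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp -m multiport --dports 22,53 -j ACCEPT
    # explicit outbound list for this box instead of "allow everything out"
    for p in "udp --dport 53" "tcp --dport 53" "tcp --dport 80" "tcp --dport 443" "tcp --dport 22"; do
        $IPT -A OUTPUT -o "$ext" -p $p -m state --state NEW -j ACCEPT
    done
    # log what the OUTPUT policy is about to drop, so unexpected outbound traffic shows in syslog
    $IPT -A OUTPUT -o "$ext" -m limit --limit 5/min -j LOG --log-prefix "fw-out-drop: "
    # LAN to Internet only, masqueraded behind whatever address the external interface has
    $IPT -A FORWARD -i "$LAN_IF" -o "$ext" -s "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -i "$ext" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$ext" -s "$LAN_NET" -j MASQUERADE
}

# From /etc/init.d at boot:        firewall.sh eth0
# From /etc/ppp/ip-up.d/firewall:  pppd passes the new interface name as $1 (also
#                                  exported as PPP_IFACE), so it just calls: firewall.sh "$1"
if [ $# -ge 1 ]; then
    apply_rules "$1"
fi
```

Running it with `IPT=echo` prints the rule set for a given interface, which is a convenient way to check the ppp0 variant before the machine is actually on ADSL.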