Re: iptables-save/restore with dynamic IP
martin f krafft wrote:
> also sprach Martin G.H. Minkler <firstname.lastname@example.org> [2004.10.21.1345 +0200]:
> > Although it is hardly imaginable that someone <tm> manages to
> > spoof the interface match, I wanted my rules as tight as possible
> > thus using interface _and_ DynIP ('$IPTABLES -A INPUT -p tcp -d
> > $IP_INET -i $DEV_INET -m state --state NEW -j BLACKLIST') - it
> > would naturally all be solved if I refrained from using variables
> > and resorted to -i ppp0 instead.
> Why do you want your rules to be as tight as possible? While
> I fundamentally agree with this approach, I don't really see an
> added value for limiting the destination address.
The basic idea was to double-latch things: if one criterion could be
spoofed, the other would still hold. When it comes to a PPPoE connection
the single IP and gateway provided by the ISP certainly limit the
probability of any of that happening; on the other hand I have seen bad
setups in which a LAN and a gateway with just one NIC were sharing a
switch - filtering $DEV_INET would mean filtering $DEV_LAN at the same
time. Well, looks like I still have to think up a situation where this
rule would provide any additional protection though ;-)
> You do know that there are plenty of firewall scripts for iptables
Sure, I just like fiddling with things under the hood, messing them up
and putting them back together ;-)
IMHO with a bit of knowledge it is sometimes much easier to quickly act
upon tsunamis of worms sweeping through a LAN from a few infected
M$-boxes. Dropping their MAC addresses so they can't bug the outside
world is often more a question of speed than comfortable configuration
(and eventually necessary stop/start steps).
For quick and easy setups I enjoy shorewall very much.
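Added example, not from either poster: a small POSIX sh script that regenerates the interface-plus-address rule from the thread whenever the dynamic IP changes, emitting iptables-restore syntax instead of restoring a saved file that still carries the old address. It assumes the interface name ppp0 and chain name BLACKLIST from the thread, and the `ip -4 addr show dev ppp0` output format; the sample output is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example (not code from the thread): rebuild the INPUT rule that is
# latched on both the incoming interface and the current dynamic address,
# producing input for iptables-restore. A plain iptables-save snapshot would
# freeze whatever $IP_INET was at save time; regenerating avoids that.
# Assumptions: interface ppp0 and chain BLACKLIST as in the thread; ip(8)
# prints "inet A.B.C.D peer ..." for PPP links or "inet A.B.C.D/NN" otherwise.

DEV_INET="${DEV_INET:-ppp0}"

# Read `ip -4 addr show dev $DEV_INET` output on stdin and print the first
# IPv4 address without its prefix length. Returns 1 if there is none.
inet_addr_from_ip_output() {
    found=$(awk '$1 == "inet" { sub("/.*", "", $2); print $2; exit }')
    [ -n "$found" ] || return 1
    printf '%s\n' "$found"
}

# Emit an iptables-restore filter table carrying the double-latched rule
# (interface _and_ destination address) and the BLACKLIST chain it targets.
gen_rules() {
    dev=$1
    cur_ip=$2
    printf '%s\n' '*filter'
    printf '%s\n' ':BLACKLIST - [0:0]'
    printf '%s\n' "-A INPUT -p tcp -d $cur_ip -i $dev -m state --state NEW -j BLACKLIST"
    printf '%s\n' 'COMMIT'
}

# Constructed sample of `ip -4 addr show dev ppp0` so the script runs offline
# (on a live host this would come from: ip -4 addr show dev "$DEV_INET").
SAMPLE_IP_OUTPUT='5: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 state UNKNOWN
    inet 192.0.2.10 peer 192.0.2.1/32 scope global ppp0
       valid_lft forever preferred_lft forever'

# Resolve the current address from the sample and print the rule fragment.
regenerate() {
    cur=$(printf '%s\n' "$SAMPLE_IP_OUTPUT" | inet_addr_from_ip_output) || return 1
    gen_rules "$DEV_INET" "$cur"
}

# Live use (root required, not run here): regenerate | iptables-restore
# Note that iptables-restore without --noflush replaces the whole filter table.
```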