
RE: is iptables enough?



> root@syydelaervli:~# iptables-save
> # Generated by iptables-save v1.2.7a on Fri Mar 21 10:13:12 2003
> *nat
> :PREROUTING ACCEPT [17038:1364291]
> :POSTROUTING ACCEPT [1561:131055]
> :OUTPUT ACCEPT [7155:558179]
> -A PREROUTING -i ppp0 -p tcp -m tcp --dport 25 -j REDIRECT --to-ports 44444
> -A PREROUTING -i ppp0 -p tcp -m tcp --dport 11372 -j DNAT --to-destination 192.168.1.17
> -A PREROUTING -i ppp0 -p tcp -m tcp --dport 6346 -j DNAT --to-destination 192.168.1.17
> -A POSTROUTING -o ppp0 -j MASQUERADE
> COMMIT
> # Completed on Fri Mar 21 10:13:12 2003
> # Generated by iptables-save v1.2.7a on Fri Mar 21 10:13:12 2003
> *filter
> :INPUT DROP [1323:393571]
> :FORWARD DROP [0:0]
> :OUTPUT ACCEPT [399596:206648275]
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -i ! ppp0 -j ACCEPT
> -A INPUT -p udp -m udp --dport 123 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
> -A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 10/min -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with icmp-port-unreachable
> -A INPUT -p tcp -m tcp --dport 44444 -j ACCEPT
> -A INPUT -i ppp0 -p udp -m udp --dport 137 -j DROP
> -A INPUT -m limit --limit 20/hour --limit-burst 50 -j LOG --log-prefix "iptables:INPUT "
> -A FORWARD -i ! ppp0 -m state --state NEW -j ACCEPT
> -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -p tcp -m tcp --dport 11372 -j ACCEPT
> -A FORWARD -p tcp -m tcp --dport 6346 -j ACCEPT
> -A FORWARD -m limit --limit 20/hour --limit-burst 50 -j LOG --log-prefix "iptables:FORWARD "
> COMMIT
> # Completed on Fri Mar 21 10:13:12 2003


You should DROP (REJECT? :-) ) packets with state INVALID at the start of
{INPUT/FORWARD/OUTPUT}.
Also, I would set some no-spoof rules, like accept 127.0.0.0/8 only from
interface lo, and drop non-routable stuff coming from the public interface.

Also, I do not really like the ACCEPT ALL FROM ! ppp0 style. It certainly
works on your config, but will have to be rewritten (at least, looked at
carefully) whenever you add an interface.
I prefer to explicitly name existing interfaces and their associated
networks.
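As an added example (not from the original exchange), a small POSIX sh script that emits, in iptables-restore format, the filter-table rules this reply suggests for the quoted setup: INVALID dropped at the head of INPUT/FORWARD/OUTPUT, loopback and private source ranges refused on ppp0, and the LAN accepted by explicit interface and network instead of "anything not ppp0". The LAN interface name eth0 and the network 192.168.1.0/24 are assumptions; the thread only shows 192.168.1.17 as a DNAT target.

```shell
#!/bin/sh
# Added example, not from the thread. Generates the rules recommended in the
# reply for the poster's layout: public side ppp0 (from the quoted dump),
# LAN side assumed to be eth0 / 192.168.1.0/24.
PUB_IF="${PUB_IF:-ppp0}"
LAN_IF="${LAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Source ranges that must never arrive on the public interface:
# loopback plus the RFC 1918 private blocks (extend as needed).
BOGON_NETS="127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# Emit the filter-table fragment. Order matters: INVALID is dropped before
# the RELATED,ESTABLISHED accept, and the anti-spoof drops come before any
# interface-based accept, so a forged source cannot ride an early ACCEPT.
filter_rules() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    for chain in INPUT FORWARD OUTPUT; do
        printf '%s\n' "-A $chain -m state --state INVALID -j DROP"
    done
    # Loopback addresses are only legitimate on lo: accept lo first, then
    # drop any 127/8 source that reached INPUT on some other interface.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -s 127.0.0.0/8 -j DROP'
    for net in $BOGON_NETS; do
        printf '%s\n' "-A INPUT -i $PUB_IF -s $net -j DROP"
        printf '%s\n' "-A FORWARD -i $PUB_IF -s $net -j DROP"
    done
    # Name the LAN interface and its network explicitly rather than "! ppp0".
    printf '%s\n' "-A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT"
    printf '%s\n' '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    printf '%s\n' "-A FORWARD -i $LAN_IF -s $LAN_NET -m state --state NEW -j ACCEPT"
    printf '%s\n' '-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT'
    printf '%s\n' 'COMMIT'
}

# Print the fragment for review; nothing is applied by this script.
filter_rules
```

The output is only a fragment: merge the poster's own service accepts (ports 22, 80, 44444 and the two DNAT forwards) after the anti-spoof lines before feeding it to iptables-restore, which replaces only the tables named in its input and so leaves the nat table alone.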


