If this is the wrong list, please tell
me where i should post this.
Here is my iptables setup.
As you can see I want a very secure firewall (and gateway)
but i do want to have the ability to ssh from the outside
and i am still not sure how to go about it.
Anyway, here is my setup and
i would appreciate it if any
security gurus would comment on it.
#chmod 755 is needed to make this executable
#Turn on ip_forward with this command
echo 1 > /proc/sys/net/ipv4/ip_forward
#Clean up tables
#This allow maquerading
iptables -t nat -A POSTROUTING -j MASQUERADE
#This allow a connection to the gateway from inside the network
iptables -A INPUT -s 192.168.2.2 -j ACCEPT
iptables -A OUTPUT -d 192.168.2.2 -j ACCEPT
iptables -A INPUT -s 192.168.2.20 -j ACCEPT
iptables -A OUTPUT -d 192.168.2.20 -j ACCEPT
iptables -A INPUT -s 192.168.2.3 -j ACCEPT
iptables -A OUTPUT -d 192.168.2.3 -j ACCEPT
# Disallow NEW and INVALID incoming or forwarded packets from eth0.
#iptables -A INPUT -i eth0 -m state --state NEW,INVALID -j DROP
#iptables -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP
#Most people just have a single PPP connection to the Internet,
#and don't want anyone coming back into their network, or the firewall:
## Create chain which blocks new connections, except if coming from
#I have an eth0 so i made tha appropriate changes
iptables -N block
iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A block -m state --state NEW -i ! eth0 -j ACCEPT
iptables -A block -j DROP
## Jump to that chain from INPUT and FORWARD chains.
iptables -A INPUT -j block
iptables -A FORWARD -j block