
Re: activating ipchains & ip masqurading ...



On Tue, 28 May 2002 15:30:04 +0200
"Marcus Przyklink" <downhill@uchusphere.de> wrote:

> Jamin W. Collins wrote:
> > On Tue, 28 May 2002 15:02:24 +0200
> > "Marcus Przyklink" <downhill@uchusphere.de> wrote:
> > > wotan:~ # cat masquerading 
> > > iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
> > > echo 1 >/proc/sys/net/ipv4/ip_forward
> > 
> > I trust you understand just how insecure that script is, right?
> 
> I think for a home-LAN, say a trusted LAN, it's ok, and I've understood
> that the question was for such a LAN to connect to the internet.
> If I got something wrong, one way or the other, please correct me.

I believe you understood both questions, and the posted script will
provide the basic functionality.  However, the insecurities that I'm
referring to are not concerning how the script behaves with your internal
(aka trusted) segment so much as the external (aka untrusted) segment.

With the above script, you've left all policies at their defaults of
"ACCEPT".  Thus, the NAT'ing box is fully exposed to the internet.  Unless
you've taken other steps to limit/eliminate unused services, this box is
most likely open in one way or another. Don't get me wrong, I'm aware
that a box without a firewall at all can be just as secure as (possibly even
more secure than) one with one.  However, if you are already using the
firewall tool to provide NAT'ing for your network, you might want to
consider using its other features to add another layer of protection to
your network.

-- 
Jamin W. Collins
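To make the point concrete, here is an added example (not a script from either poster) that places the two-line masquerading script beside a version with the default policies set to DROP. It assumes an external interface of `ppp0` as in the thread, and, as constructed values, an internal interface `eth0` and an internal network `192.168.0.0/24`. The script only prints the rules unless it is run with the argument `apply`, so it can be reviewed before anything is changed.

```shell
#!/bin/sh
# Added example: a stateful masquerading firewall that closes the
# external side instead of leaving every chain at policy ACCEPT.
# EXT_IF is from the thread; LAN_IF and LAN_NET are constructed values.
EXT_IF="${EXT_IF:-ppp0}"
LAN_IF="${LAN_IF:-eth0}"           # assumption: internal interface
LAN_NET="${LAN_NET:-192.168.0.0/24}"  # assumption: internal network

# The original two-line script, kept for comparison: it does NAT but
# leaves INPUT, FORWARD and OUTPUT at their default ACCEPT policies.
original_rules() {
    printf '%s\n' \
        "iptables -t nat -A POSTROUTING -o $EXT_IF -j MASQUERADE" \
        "echo 1 >/proc/sys/net/ipv4/ip_forward"
}

# Hardened variant: same NAT behaviour, but the box and the LAN only
# receive traffic from the internet that belongs to a connection the
# inside started.  Each line is emitted as text so it can be reviewed.
gen_rules() {
    printf '%s\n' \
        "iptables -F" \
        "iptables -t nat -F" \
        "iptables -P INPUT DROP" \
        "iptables -P FORWARD DROP" \
        "iptables -P OUTPUT ACCEPT" \
        "iptables -A INPUT -i lo -j ACCEPT" \
        "iptables -A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT" \
        "iptables -A INPUT -i $EXT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT" \
        "iptables -A FORWARD -i $LAN_IF -o $EXT_IF -s $LAN_NET -j ACCEPT" \
        "iptables -A FORWARD -i $EXT_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT" \
        "iptables -t nat -A POSTROUTING -o $EXT_IF -j MASQUERADE" \
        "echo 1 >/proc/sys/net/ipv4/ip_forward"
}

case "${1:-print}" in
    print)
        echo "# original (policies left at ACCEPT):"
        original_rules
        echo "# hardened (external side closed by default):"
        gen_rules
        ;;
    apply)
        # Run as root on the gateway; everything not matched above is dropped.
        gen_rules | sh
        ;;
esac
```

The difference is in the `-P` lines: with `INPUT` and `FORWARD` at `DROP`, a service that happens to be listening on the gateway is no longer reachable from `ppp0`, while the LAN still gets out through `MASQUERADE` and the replies come back through the `ESTABLISHED,RELATED` rules.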
