On 06/28/2015 03:49 PM, Max Pyziur wrote:
> From several sources (code, the stock CentOS iptables) I've cobbled together the
> following /etc/sysconfig/iptables; while it works, I suspect that
> there are holes:
>
> # Firewall configuration written by system-config-firewall
> # Manual customization of this file is not recommended.
> *nat
> :PREROUTING ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> -A POSTROUTING -j MASQUERADE
> COMMIT
> *filter
> :INPUT DROP [0:0]
> :FORWARD ACCEPT [0:0]
Some holes, yes. I'd recommend that your FORWARD table be similar to
INPUT. It should DROP by default, and ACCEPT on traffic coming in the
LAN interface and going out the WAN interface (and ESTABLISHED data).
As it is now, a host on your WAN interface could use your system as its
gateway, and you'd MASQ its traffic.
Possibly:
:FORWARD DROP [0:0]
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state NEW -i eth0 -o eth1 -j ACCEPT
Best practice is to apply both egress and ingress filters as well. You
should only forward traffic to the WAN if the source address is one that
you use on your LAN. You should only forward traffic to your LAN if the
source is *not* an address you use in your LAN.
I think that looks like this in iptables, but I might be wrong...
:FORWARD DROP [0:0]
-A FORWARD -m state --state ESTABLISHED,RELATED -i eth1 -s ! 192.168.1.0/24 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -i eth0 -j ACCEPT
-A FORWARD -m state --state NEW -i eth0 -o eth1 -s 192.168.1.0/24 -j ACCEPT
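To make the difference between the two FORWARD chains concrete, here is a small added example (not part of the thread, and not real iptables code) that models first-match evaluation of the FORWARD chain over a handful of constructed packets. It assumes, as the reply's "-i eth0 -o eth1" rule implies, that eth0 is the LAN side and eth1 is the WAN side, and that 192.168.1.0/24 is the LAN prefix. Connection-tracking state is simply given per packet rather than computed, and the other chains and NAT are ignored; the point is to show which packets the original "FORWARD ACCEPT" policy lets through that the filtered chain drops, including a WAN host using the box as its gateway and address-spoofed traffic in either direction.

```python
"""Toy first-match evaluator for the two FORWARD chains discussed above."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple

# Assumptions (not stated outright in the thread): eth0 faces the LAN,
# eth1 faces the WAN, and the LAN uses 192.168.1.0/24.
LAN_IF = "eth0"
WAN_IF = "eth1"
LAN_NET = ip_network("192.168.1.0/24")


@dataclass(frozen=True)
class Packet:
    in_if: str
    out_if: str
    src: str
    state: str  # what conntrack would label it: "NEW", "ESTABLISHED" or "RELATED"


@dataclass(frozen=True)
class Rule:
    target: str
    states: Optional[FrozenSet[str]] = None   # -m state --state ...
    in_if: Optional[str] = None               # -i
    out_if: Optional[str] = None              # -o
    src_net: Optional[IPv4Network] = None     # -s
    src_negated: bool = False                 # "-s !" / "! -s"

    def matches(self, pkt: Packet) -> bool:
        if self.states is not None and pkt.state not in self.states:
            return False
        if self.in_if is not None and pkt.in_if != self.in_if:
            return False
        if self.out_if is not None and pkt.out_if != self.out_if:
            return False
        if self.src_net is not None:
            in_net = ip_address(pkt.src) in self.src_net
            # A negated match wants the source *outside* the prefix.
            if in_net == self.src_negated:
                return False
        return True


Chain = Tuple[List[Rule], str]  # (rules in order, chain policy)


def verdict(chain: Chain, pkt: Packet) -> str:
    """First matching rule wins; otherwise the chain policy applies."""
    rules, policy = chain
    for rule in rules:
        if rule.matches(pkt):
            return rule.target
    return policy


EST = frozenset({"ESTABLISHED", "RELATED"})
NEW = frozenset({"NEW"})

# The original poster's FORWARD chain: no rules, policy ACCEPT.
ORIGINAL: Chain = ([], "ACCEPT")

# The reply's FORWARD chain with ingress and egress source filters.
FILTERED: Chain = ([
    Rule("ACCEPT", states=EST, in_if=WAN_IF, src_net=LAN_NET, src_negated=True),
    Rule("ACCEPT", states=EST, in_if=LAN_IF),
    Rule("ACCEPT", states=NEW, in_if=LAN_IF, out_if=WAN_IF, src_net=LAN_NET),
], "DROP")

# Constructed sample packets using documentation address ranges.
SAMPLE = {
    "lan_to_wan_new":              Packet(LAN_IF, WAN_IF, "192.168.1.10", "NEW"),
    "wan_host_uses_us_as_gateway": Packet(WAN_IF, WAN_IF, "203.0.113.5", "NEW"),
    "reply_from_internet":         Packet(WAN_IF, LAN_IF, "198.51.100.7", "ESTABLISHED"),
    "spoofed_lan_src_from_wan":    Packet(WAN_IF, LAN_IF, "192.168.1.20", "ESTABLISHED"),
    "lan_egress_with_foreign_src": Packet(LAN_IF, WAN_IF, "10.0.0.5", "NEW"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLE.items():
        print(f"{name:30s} original={verdict(ORIGINAL, pkt):6s} "
              f"filtered={verdict(FILTERED, pkt)}")
```

Running it prints ACCEPT for every packet under the original chain, while the filtered chain only accepts the legitimate LAN-originated connection and the established reply from the internet; the gateway-abuse case and both spoofed-source cases fall through to the DROP policy.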
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos