Re: problem with forward/nat

On Sunday 07 March 2004 3:13 am, Pierre Gillet wrote:

> hello,
>
> i have a small private network, 192.168.1.0 on eth1
> public network on eth0. the server running a dhcp server for private
> network.
>
> #iptables -A FORWARD -i eth0 -o eth0 -m state --state ESTABLISHED,RELATED
> -j ACCEPT

1. Why have you commented out the above command? It is necessary for the 
reply packets to be able to return from the Internet to your LAN clients.

2. The above command should read "-i eth0 -o eth1" so that packets are allowed 
from the Internet (eth0) to your LAN (eth1).

I would recommend also that you change all your INPUT rules:

> iptables -A INPUT -i lo -m state --state RELATED,ESTABLISHED,NEW -j ACCEPT
> iptables -A INPUT -i eth0 -p udp --sport 53 -j ACCEPT
> iptables -A INPUT -i eth0 -p tcp --sport 80 -j ACCEPT
> iptables -A INPUT -i eth0 -p tcp --sport 443 -j ACCEPT
> iptables -A INPUT -i eth1 -s 192.168.1.0/24 -j ACCEPT
> iptables -A INPUT -i eth0 -p tcp --sport 23 -j ACCEPT

For a single rule instead:

> iptables -A INPUT -m state --state RELATED,ESTABLISHED,NEW -j ACCEPT

This will allow reply packets from anywhere in response to requests sent out 
by the firewall itself, without leaving your system vulnerable to, for 
example, port scans or access to services where the remote user just 
"happens" to select source port 443 (or any of the others you have listed).

Regards,

Antony.

-- 
This email is intended for the use of the individual addressee(s) named above 
and may contain information that is confidential, privileged or unsuitable 
for overly sensitive persons with low self-esteem, no sense of humour, or 
irrational religious beliefs.

If you have received this email in error, you are required to shred it 
immediately, add some nutmeg, three egg whites and a dessertspoonful of 
caster sugar.   Whisk until soft peaks form, then place in a warm oven for 40 
minutes.   Remove promptly and let stand for 2 hours before adding some 
decorative kiwi fruit and cream.   Then notify me immediately by return email 
and eat the original message.

                                                     Please reply to the list;
                                                           please don't CC me.
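As an added illustration that is not part of this thread's mail, here is a small Python model of the two INPUT policies Antony contrasts: the quoted source-port rules versus a single state-match rule. Everything in it is constructed (the conntrack table, the addresses, the packets, and the assumption that the lo and LAN rules are kept alongside the state rule); the state match is modelled as ESTABLISHED for a packet travelling back along a flow the firewall itself opened and NEW otherwise, with RELATED omitted, and the accepted state list is a parameter so the effect of listing NEW as well can be checked.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrives on
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


# Constructed conntrack table: flows the firewall itself opened, keyed by the
# outbound (proto, src, sport, dst, dport) tuple. 203.0.113.5 is the firewall.
CONNTRACK = {
    ("tcp", "203.0.113.5", 40012, "198.51.100.20", 443),
    ("udp", "203.0.113.5", 33000, "198.51.100.53", 53),
}


def conntrack_state(pkt):
    """ESTABLISHED if pkt is the reverse direction of a tracked flow, else NEW."""
    reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
    return "ESTABLISHED" if reverse in CONNTRACK else "NEW"


def sport_policy(pkt):
    """The quoted INPUT rules: eth0 traffic is accepted purely by source port."""
    if pkt.iface == "lo":
        return "ACCEPT"
    if pkt.iface == "eth1" and pkt.src.startswith("192.168.1."):
        return "ACCEPT"
    if pkt.iface == "eth0" and pkt.proto == "udp" and pkt.sport == 53:
        return "ACCEPT"
    if pkt.iface == "eth0" and pkt.proto == "tcp" and pkt.sport in (80, 443, 23):
        return "ACCEPT"
    return "DROP"  # assumed chain default policy


def state_policy(pkt, states=("RELATED", "ESTABLISHED")):
    """One '-m state --state <states>' rule, with the lo and LAN rules kept."""
    if pkt.iface == "lo":
        return "ACCEPT"
    if pkt.iface == "eth1" and pkt.src.startswith("192.168.1."):
        return "ACCEPT"
    return "ACCEPT" if conntrack_state(pkt) in states else "DROP"


# Constructed packets: a genuine HTTPS reply to the firewall's own request, and
# an unsolicited connection attempt to a local service that merely uses 443 as
# its source port, the case the mail above describes.
REPLY = Packet("eth0", "tcp", "198.51.100.20", 443, "203.0.113.5", 40012)
PROBE = Packet("eth0", "tcp", "198.51.100.77", 443, "203.0.113.5", 22)

if __name__ == "__main__":
    for name, pkt in (("reply", REPLY), ("probe", PROBE)):
        print(name, sport_policy(pkt), state_policy(pkt))
```

The source-port rules accept both packets, while the state rule accepts only the reply; adding NEW to the state list accepts the probe again, so the list of states matters as much as dropping the port matches.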
