Re: Hi!

I usually block only in the INPUT chain; doesn't it protect my internal
network?
I have only SNATed the internal network to the external IP.

On Sat, 2005-06-11 at 12:16 -0500, Tib wrote:
> Hi there,
> 
> Thought I'd chip in since this used to be identical to how I had my system
> set up. I had a block of 5 usable from my ISP.
> 
> Whichever you are going to use as your actual firewall box IP (as opposed
> to the machines you want to run behind it), you set as eth0 ip config.
> 
> After that you set up the other IPs as virtual interfaces on the same card
> (eth0:1, eth0:2, etc). Set your internal IP NIC to be eth1 and make sure
> the routing table is set to go through it out to eth0 and the world. Have
> your other internal IP boxes use eth1 as their gateway.
> 
> After that, you set up destination NATing using something like this:
> 
> iptables -t nat -A PREROUTING -d $REAL-IP$ \
>                 -j DNAT --to-destination $INTERNAL-IP$
> 
> and
> 
> iptables -t nat -A POSTROUTING -s $INTERNAL-IP$ \
>                 -j SNAT --to-source $REAL-IP$
> 
> for each internal/ip pair you want to have mapped.
> 
> After you've done this - you're likely going to want to protect them from
> certain types of traffic, since the basic INPUT rules won't cover it - put
> anything you DON'T want to reach those hosts under the FORWARD ruleset as
> drops.
> 
> That's it - you're set.
> 
> One item of note - be sure to put those SNAT/DNAT rules into the table
> BEFORE the catchall masquerading rule (if you use one); otherwise they will
> hit the masquerade rule first, your traffic will not match in/out IPs,
> and things will bork up.
> 
> This is a setup I've used for a number of years, it's nice and clean and
> gives good protection through the forward ruleset. If you cover your bases
> right and practice safe net, things like zone alarm become unnecessary.
> 
> I blocked the following on forward and have done very well by it:
> 
> udp:
> 111
> 135
> 137
> 138
> 139
> 445
> 1026
> 1433
> 
> tcp:
> 21
> 57
> 79
> 80
> 111
> 135
> 137
> 138
> 139
> 443
> 445
> 1025
> 1026
> 1433
> 5000
> 31337
> 
> These will vary depending on your particular software usage and such - but
> are a good start.
> 
> <EOL>
> Tib
> 
> On Sat, 11 Jun 2005, Billie Joe wrote:
> 
> > Hi!
> >
> >
> > I have 3 IPs on the Internet, and I want to put them behind my firewall
> > machine. So I have the question: put all 3 IPs on the same network
> > card (with aliases) or a card for each IP? What do you suggest and why?
> > Thanks
> >
> >
> > PS: Consider that I have another NIC for my LAN.
> >
> >
> > BillieGDJoe
> >
> 
-- 
Sadus . <sadus@xxxxxxxxxxxx>
Swiftbin.net
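The 1:1 mapping Tib describes, with the FORWARD-chain drops and the "SNAT/DNAT before MASQUERADE" ordering, as an added shell example that is not from the thread. Interfaces, addresses and the port subset are constructed assumptions, and IPT defaults to printing the iptables commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the mailing list. Set IPT=iptables (as root)
# to apply the rules; the default only prints them (dry run).
IPT="${IPT:-echo iptables}"
EXT_IF=eth0              # assumption: public NIC carrying the IP aliases
INT_IF=eth1              # assumption: LAN NIC (hosts use it as gateway)
REAL_IP=203.0.113.10     # constructed public alias (TEST-NET-3), e.g. eth0:1
INTERNAL_IP=192.168.1.10 # constructed internal host behind the firewall
LAN_NET=192.168.1.0/24   # constructed LAN range for the catch-all masquerade
BLOCKED_TCP="135 139 445 1433"   # subset of Tib's list, for illustration
BLOCKED_UDP="135 137 138 139 445"

# Map one public IP 1:1 onto one internal host, in both directions.
map_host() {
    real=$1; internal=$2
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -d "$real" \
        -j DNAT --to-destination "$internal"
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -s "$internal" \
        -j SNAT --to-source "$real"
}

# DNATed packets are routed through the box, so they traverse FORWARD,
# never INPUT: the INPUT rules protect only the firewall itself.
protect_forward() {
    internal=$1
    for p in $BLOCKED_TCP; do
        $IPT -A FORWARD -i "$EXT_IF" -d "$internal" -p tcp --dport "$p" -j DROP
    done
    for p in $BLOCKED_UDP; do
        $IPT -A FORWARD -i "$EXT_IF" -d "$internal" -p udp --dport "$p" -j DROP
    done
    # Replies to connections the inside opened are allowed after the drops.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Catch-all masquerade for the rest of the LAN. Appended LAST so the
# per-host SNAT above matches first; otherwise the mapped host would leave
# with the firewall's own address and in/out IPs would not match.
masquerade_rest() {
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN_NET" -j MASQUERADE
}

# Emit the whole rule set in the required order.
build_rules() {
    map_host "$REAL_IP" "$INTERNAL_IP"
    protect_forward "$INTERNAL_IP"
    masquerade_rest
}

build_rules
```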