Re: Hi!

If you are using SNAT/DNAT to map internal IPs to the public realm, INPUT
will not block things that are being handled in this way - that is why the
FORWARD ruleset will also need entries in it, since that is explicitly
going to catch packets handled by SNAT/DNAT.

<EOL>
Tib

On Sat, 11 Jun 2005, Sadus . wrote:

> I usually block only in the INPUT chain; doesn't it protect my internal
> network?
> I have only SNATed the internal network to the external IP.
>
> On Sat, 2005-06-11 at 12:16 -0500, Tib wrote:
> > Hi there,
> >
> > Thought I'd chip in since this used to be identical to how I had my system
> > set up. I had a block of 5 usable IPs from my ISP.
> >
> > Whichever you are going to use as your actual firewall box IP (as opposed
> > to the machines you want to run behind it), you set as the eth0 IP config.
> >
> > After that you set up the other IPs as virtual interfaces on the same card
> > (eth0:1, eth0:2, etc). Set your internal IP NIC to be eth1 and make sure
> > the routing table is set to go through it out to eth0 and the world. Have
> > your other internal IP boxes use eth1 as their gateway.
> >
> > After that, you set up destination NATing using something like this:
> >
> > iptables -t nat -A PREROUTING -d $REAL-IP$ \
> >                 -j DNAT --to-destination $INTERNAL-IP$
> >
> > and
> >
> > iptables -t nat -A POSTROUTING -s $INTERNAL-IP$ \
> >                 -j SNAT --to-source $REAL-IP$
> >
> > for each internal/real IP pair you want to have mapped.
> >
> > After you've done this - you're likely going to want to protect them from
> > certain types of traffic, since the basic INPUT rules won't cover it - put
> > anything you DON'T want to reach those hosts under the FORWARD ruleset as
> > drops.
> >
> > That's it - you're set.
> >
> > One item of note - be sure to put those SNAT/DNAT rules into the table
> > BEFORE the catch-all masquerading rule (if you use one), otherwise they will
> > hit the masquerade rule first and your traffic will not match in/out IPs
> > and things will bork up.
> >
> > This is a setup I've used for a number of years, it's nice and clean and
> > gives good protection through the forward ruleset. If you cover your bases
> > right and practice safe net, things like zone alarm become unnecessary.
> >
> > I blocked the following on forward and have done very well by it:
> >
> > udp:
> > 111
> > 135
> > 137
> > 138
> > 139
> > 445
> > 1026
> > 1433
> >
> > tcp:
> > 21
> > 57
> > 79
> > 80
> > 111
> > 135
> > 137
> > 138
> > 139
> > 443
> > 445
> > 1025
> > 1026
> > 1433
> > 5000
> > 31337
> >
> > These will vary depending on your particular software usage and such - but
> > are a good start.
> >
> > <EOL>
> > Tib
> >
> > On Sat, 11 Jun 2005, Billie Joe wrote:
> >
> > > Hi!
> > >
> > >
> > > I have 3 IPs on the Internet, and I want to put them behind my firewall
> > > machine. So I have the question: put all 3 IPs on the same network
> > > card (with aliases) or a card for each IP? What do you suggest, and why?
> > > Thanks
> > >
> > >
> > > PS: Consider that I have another NIC for my LAN.
> > >
> > >
> > > BillieGDJoe
> > >
> >
>
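The layout Tib describes (1:1 DNAT/SNAT pairs placed before a catch-all MASQUERADE, and the port blocks placed in FORWARD rather than INPUT), written out as one complete ruleset generator. This is an added example, not code from the thread; the interface names, the 203.0.113.x/192.168.1.x addresses and the mapping list are constructed placeholders, and the port list is the one from Tib's message.

```shell
#!/bin/sh
# Added example: generate an iptables-restore ruleset for a 1:1 NAT firewall.
# All addresses and interface names below are constructed placeholders.
set -eu

WAN_IF=${WAN_IF:-eth0}              # public side; the mapped IPs live here as aliases
LAN_IF=${LAN_IF:-eth1}              # internal side
LAN_NET=${LAN_NET:-192.168.1.0/24}  # everything not 1:1-mapped gets masqueraded

# "public internal" pairs, one per line (constructed example addresses).
MAPPINGS="203.0.113.11 192.168.1.11
203.0.113.12 192.168.1.12"

# Ports refused in FORWARD (the list from the thread; adjust to your own usage).
BLOCK_UDP="111 135 137 138 139 445 1026 1433"
BLOCK_TCP="21 57 79 80 111 135 137 138 139 443 445 1025 1026 1433 5000 31337"

gen_nat_table() {
    echo '*nat'
    echo ':PREROUTING ACCEPT [0:0]'
    echo ':POSTROUTING ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # 1:1 mappings go first so they match before the catch-all MASQUERADE;
    # otherwise a mapped host leaves with the masqueraded address instead.
    echo "$MAPPINGS" | while read -r pub int; do
        [ -n "$pub" ] || continue
        echo "-A PREROUTING -i $WAN_IF -d $pub -j DNAT --to-destination $int"
        echo "-A POSTROUTING -o $WAN_IF -s $int -j SNAT --to-source $pub"
    done
    # Catch-all for the rest of the LAN comes last.
    echo "-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE"
    echo 'COMMIT'
}

gen_filter_table() {
    echo '*filter'
    echo ':INPUT ACCEPT [0:0]'
    echo ':FORWARD ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # DNATed packets are routed through the box, so they traverse FORWARD,
    # never INPUT. Blocks for the mapped hosts therefore belong here.
    for p in $BLOCK_UDP; do
        echo "-A FORWARD -i $WAN_IF -p udp --dport $p -j DROP"
    done
    for p in $BLOCK_TCP; do
        echo "-A FORWARD -i $WAN_IF -p tcp --dport $p -j DROP"
    done
    echo 'COMMIT'
}

# Full ruleset in iptables-restore format.
gen_ruleset() {
    gen_nat_table
    gen_filter_table
}

# Ordering check: no DNAT/SNAT rule may appear after the MASQUERADE rule.
# Exits 0 when the order is right, 1 otherwise.
check_order() {
    gen_nat_table | awk '
        /-j MASQUERADE/ { seen_masq = 1 }
        /-j (DNAT|SNAT)/ && seen_masq { bad = 1 }
        END { exit bad }'
}

# Load the ruleset atomically (needs root; not called by default).
apply_rules() {
    check_order
    gen_ruleset | iptables-restore
}
```

Run `sh thisfile.sh` after appending `gen_ruleset` to see the generated text, or `apply_rules` to load it. The public addresses in MAPPINGS must actually be configured on the WAN interface (the eth0:1, eth0:2 aliases from the thread) so the box answers ARP for them; DNAT alone does not make the kernel accept packets for an address it does not own.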