If you are using snat/dnat to map internal IPs to the public realm, INPUT
will not block things that are being handled in this way - that is why the
FORWARD ruleset will also need entries in it, since that is explicitly going
to catch packets handled by snat/dnat.

Tib

On Sat, 11 Jun 2005, Sadus . wrote:

> I usually block only in the INPUT chain, doesn't it protect my internal
> network?
> I only have SNATed the internal network to the external IP.
>
> On Sat, 2005-06-11 at 12:16 -0500, Tib wrote:
> > Hi there,
> >
> > Thought I'd chip in since this used to be identical to how I had my system
> > set up. I had a block of 5 usable from my isp.
> >
> > Whichever you are going to use as your actual firewall box IP (as opposed
> > to the machines you want to run behind it), you set as eth0 ip config.
> >
> > After that you set up the other ip's as virtual interfaces on the same card
> > (eth0:1, eth0:2, etc). Set your internal IP nic to be eth1 and make sure
> > the routing table is set to go through it out to eth0 and the world. Have
> > your other internal IP boxes use eth1 as their gateway.
> >
> > After that, you set up destination nat'ing using something like this:
> >
> > iptables -t nat -A PREROUTING -d $REAL-IP$ \
> >   -j DNAT --to-destination $INTERNAL-IP$
> >
> > and
> >
> > iptables -t nat -A POSTROUTING -s $INTERNAL-IP$ \
> >   -j SNAT --to-source $REAL-IP$
> >
> > for each internal/ip pair you want to have mapped.
> >
> > After you've done this - you're likely going to want to protect them from
> > certain types of traffic, since the basic INPUT rules won't cover it - put
> > anything you DON'T want to reach those hosts under the FORWARD ruleset as
> > drops.
> >
> > That's it - you're set.
> >
> > One item of note - be sure to put those snat/dnat rules into the table
> > BEFORE the catchall masquerading rule (if you use one) otherwise they will
> > hit the masquerade rule first and your traffic will not match in/out ip's
> > and things will bork up.
> >
> > This is a setup I've used for a number of years, it's nice and clean and
> > gives good protection through the forward ruleset. If you cover your bases
> > right and practice safe net, things like zone alarm become unnecessary.
> >
> > I blocked the following on forward and have done very well by it:
> >
> > udp:
> > 111
> > 135
> > 137
> > 138
> > 139
> > 445
> > 1026
> > 1433
> >
> > tcp:
> > 21
> > 57
> > 79
> > 80
> > 111
> > 135
> > 137
> > 138
> > 139
> > 443
> > 445
> > 1025
> > 1026
> > 1433
> > 5000
> > 31337
> >
> > These will vary depending on your particular software usage and such - but
> > are a good start.
> >
> > Tib
> >
> > On Sat, 11 Jun 2005, Billie Joe wrote:
> >
> > > Hi!
> > >
> > > I have 3 IPs on Internet, and I want to put them behind my firewall
> > > machine. So I have the question: Put all 3 IPs in the same network
> > > card (with alias) or a card for each IP ?? What you suggest and why ??
> > > Thanks
> > >
> > > pS.: Consider that I have another NIC for my LAN.
> > >
> > > BillieGDJoe
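As an added example (not from anyone in this thread), the setup Tib describes as one script: a DNAT/SNAT pair per public/internal address, the drops for his port list placed in FORWARD rather than INPUT, and the catch-all MASQUERADE appended last so the pairs match first. Interfaces, addresses and the `-i`/`-o` interface matches are assumptions; it prints the commands by default and only applies them if you set `IPT=iptables`.

```shell
#!/bin/sh
# Added example, not code from the thread. Addresses are constructed placeholders.
# Dry run by default: set IPT=iptables (as root) to apply the rules for real.
IPT="${IPT:-echo iptables}"

WAN_IF=eth0            # assumed: the card carrying the public IP aliases
LAN_IF=eth1            # assumed: the internal card (gateway for the LAN hosts)
LAN_NET=192.168.1.0/24 # constructed internal network
UDP_BLOCK="111 135 137 138 139 445 1026 1433"
TCP_BLOCK="21 57 79 80 111 135 137 138 139 443 445 1025 1026 1433 5000 31337"

# One public/internal pair: inbound to the public IP is rewritten to the internal
# host, and that host's outbound traffic leaves with its own public IP.
nat_pair() {
    real=$1; internal=$2
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -d "$real" -j DNAT --to-destination "$internal"
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$internal" -j SNAT --to-source "$real"
}

# DNATed packets are routed, not delivered locally, so INPUT never sees them;
# anything that must not reach the mapped host is dropped in FORWARD.
forward_drops() {
    internal=$1
    for p in $UDP_BLOCK; do
        $IPT -A FORWARD -i "$WAN_IF" -p udp -d "$internal" --dport "$p" -j DROP
    done
    for p in $TCP_BLOCK; do
        $IPT -A FORWARD -i "$WAN_IF" -p tcp -d "$internal" --dport "$p" -j DROP
    done
}

# Order matters: the specific SNAT/DNAT pairs go in first, the catch-all
# MASQUERADE for the rest of the LAN goes in last, so the pairs match first.
build_ruleset() {
    nat_pair 203.0.113.11 192.168.1.11   # constructed pair 1
    nat_pair 203.0.113.12 192.168.1.12   # constructed pair 2
    forward_drops 192.168.1.11
    forward_drops 192.168.1.12
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
}

build_ruleset
```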