Securing eth1 with IPTABLES
Madison Kelly
linux-5ZoueyuiTZhBDgjK7y7TUQ at public.gmane.org
Mon Mar 22 22:02:59 UTC 2004
Can you provide the output from 'iptables-save'? It is easier to read
and follow.
Otherwise, I would set FORWARD to default deny and then something along
the lines of:
iptables -t filter -A FORWARD -m state --state INVALID -j DROP
iptables -t filter -A FORWARD -i eth0 -o eth1 -j ACCEPT
iptables -t filter -A FORWARD -i eth1 -o eth0 -m state --state \
ESTABLISHED -j ACCEPT
iptables -t filter -A FORWARD -i eth1 -o eth0 -m state --state \
RELATED -p tcp --dport 1025:65526 -j ACCEPT
iptables -t filter -A FORWARD -i eth1 -o eth0 -m state --state \
RELATED -p udp --dport 1025:65526 -j ACCEPT
That should block everything from the Internet trying to connect to you.
In the end, though, use nmap from another machine to verify.
Madison
David Kreuter wrote:
> I am using a RH9 linux machine as a router at home. ETH0 is my private
> 192.168.1.0/24 network.
> ETH0 connects to Rogers on the 24.x.x.x network.
> The following setup is working as a router (I can go from any point on
> the 192.168.1.0/24 network
> to the internet). I think however that my iptable is not securing my
> linux machine. At this point I am
> not running any servers on the linux machine that I care to have
> internet enabled. I have included
> responses from iptables -t nat -L -vn and iptables -L -vn.
> What iptables command(s) do I need to secure my linux box and continue
> to allow internet access?
> Thanks,
> David
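Madison asked for 'iptables-save' output because it is easier to audit; the script below is an added example (not from either poster) that renders the FORWARD rules from the reply in that format and then audits any iptables-save dump for the two properties the reply depends on: a FORWARD default policy of DROP and an INVALID-state drop as the first FORWARD rule. It assumes the interface roles stated in the thread (eth0 = LAN, eth1 = Internet) and uses 65535 as the high-port upper bound (the reply's 65526 is a valid but unusual choice); nothing here is loaded into the kernel.

```shell
#!/bin/sh
# Added example, not the original poster's rules. eth0 = LAN, eth1 = Internet
# (assumed from the thread). Output is text only; apply as root with
# 'iptables-restore < file' if wanted.
LAN=eth0
WAN=eth1

# Emit the filter table in iptables-restore syntax: FORWARD defaults to DROP,
# INVALID is dropped first, LAN->Internet is allowed, and only replies
# (ESTABLISHED) or helper-tracked (RELATED) high-port traffic comes back in.
forward_ruleset() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -i $LAN -o $WAN -j ACCEPT
-A FORWARD -i $WAN -o $LAN -m state --state ESTABLISHED -j ACCEPT
-A FORWARD -i $WAN -o $LAN -m state --state RELATED -p tcp --dport 1025:65535 -j ACCEPT
-A FORWARD -i $WAN -o $LAN -m state --state RELATED -p udp --dport 1025:65535 -j ACCEPT
COMMIT
EOF
}

# Audit an iptables-save dump read on stdin. Returns 0 when the FORWARD
# policy is DROP and the first FORWARD rule drops INVALID packets;
# otherwise prints each failed check and returns 1.
audit_forward() {
    dump=$(cat)
    rc=0
    if ! printf '%s\n' "$dump" | grep -q '^:FORWARD DROP'; then
        echo "FAIL: FORWARD default policy is not DROP"
        rc=1
    fi
    first=$(printf '%s\n' "$dump" | grep '^-A FORWARD' | head -n 1)
    case "$first" in
        *"--state INVALID -j DROP"*) ;;
        *) echo "FAIL: first FORWARD rule does not drop INVALID packets"; rc=1 ;;
    esac
    return $rc
}

# Constructed weak dump (default-ACCEPT router, no state checks) for contrast.
WEAK_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth0 -o eth1 -j ACCEPT
COMMIT'

forward_ruleset | audit_forward && echo "generated ruleset: ok"
printf '%s\n' "$WEAK_DUMP" | audit_forward || echo "weak dump: rejected"
```

Pipe a live 'iptables-save' into audit_forward on the router to check the running configuration the same way.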
--
The Toronto Linux Users Group. Meetings: http://tlug.ss.org