Securing eth1 with IPTABLES

David Kreuter dkreuter-q4+D78v0SMv8u52rGdhAxQ at public.gmane.org
Tue Mar 23 00:53:10 UTC 2004


Madison et al thank you for your help. Here is the output as requested from
iptables-save:

# Generated by iptables-save v1.2.7a on Mon Mar 22 19:46:40 2004
*filter
:INPUT ACCEPT [448733:27854874]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [447020:26108052]
-A FORWARD -s 192.168.1.0/255.255.255.0 -j ACCEPT
-A FORWARD -d 192.168.1.0/255.255.255.0 -j ACCEPT
-A FORWARD -s ! 192.168.1.0/255.255.255.0 -j DROP
-A FORWARD -s 192.168.1.0/255.255.255.0 -j ACCEPT
-A FORWARD -d 192.168.1.0/255.255.255.0 -j ACCEPT
-A FORWARD -s ! 192.168.1.0/255.255.255.0 -j DROP
-A FORWARD -p tcp -j LOG --log-level 6
-A FORWARD -p tcp -j LOG --log-prefix "Forward info" --log-level 6
COMMIT
# Completed on Mon Mar 22 19:46:40 2004
# Generated by iptables-save v1.2.7a on Mon Mar 22 19:46:40 2004
*nat
:PREROUTING ACCEPT [105414:5087474]
:POSTROUTING ACCEPT [6102:366228]
:OUTPUT ACCEPT [6288:377744]
-A POSTROUTING -o eth1 -j MASQUERADE
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
# Completed on Mon Mar 22 19:46:40 2004

Madison Kelly wrote:

> Can you provide the output from 'iptables-save'? It is easier to read 
> and follow.
>
> Otherwise, I would set FORWARD to default deny and then something 
> along the lines of:
>
> iptables -t filter -A FORWARD -m state --state INVALID -j DROP
> iptables -t filter -A FORWARD -i eth0 -o eth1 -j ACCEPT
> iptables -t filter -A FORWARD -i eth1 -o eth0 -m state --state \
> ESTABLISHED -j ACCEPT
> iptables -t filter -A FORWARD -i eth1 -o eth0 -m state --state \
> RELATED -p tcp --dport 1025:65526 -j ACCEPT
> iptables -t filter -A FORWARD -i eth1 -o eth0 -m state --state \
> RELATED -p udp --dport 1025:65526 -j ACCEPT
>
> That should block everything from the Internet trying to connect to 
> you. In the end though use nmap from another machine to verify.
>
> Madison
>
>
> David Kreuter wrote:
>
>> I am using a RH9 linux machine as a router at home. ETH0 is my 
>> private 192.168.1.0/24 network.
>> ETH0 connects to Rogers on the 24.x.x.x network.
>> The following setup is working as a router (I can go from any point 
>> on the 192.168.1.0/24 network
>> to the internet). I think however that my iptable is not securing my 
>> linux machine. At this point I am
>> not running any servers on the linux machine that I care to have 
>> internet enabled. I have included
>> responses from iptables -t nat -L -vn and iptables -L -vn.
>> What iptables command(s) do I need to secure my linux box and 
>> continue allow internet access?
>> Thanks,
>> David
>
>
>
> -- 
> The Toronto Linux Users Group. Meetings: http://tlug.ss.org
> TLUG requests: Linux topics, No HTML, wrap text below 80 columns
> How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
>


--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
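Added example, not code from this thread or from Madison's reply: a default-deny ruleset in iptables-restore format that applies Madison's suggestion to David's dump (whose INPUT chain is ACCEPT with no rules), plus a check for the duplicated rules visible in that dump. It assumes eth0 faces the 192.168.1.0/24 LAN and eth1 faces the ISP, as the `-o eth1 -j MASQUERADE` rule implies, and that the box runs no Internet-facing services.

```shell
#!/bin/sh
# Added example (not from the thread): default-deny router ruleset in
# iptables-restore format. Assumed layout: eth0 = LAN, eth1 = ISP side.
LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Emit the ruleset on stdout. INPUT and FORWARD default to DROP, so nothing
# from the ISP side reaches the router or the LAN unless a rule allows it;
# the posted dump left INPUT at ACCEPT, which is why the box itself was open.
gen_ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i ${LAN_IF} -s ${LAN_NET} -j ACCEPT
-A INPUT -i ${WAN_IF} -j LOG --log-prefix "INPUT drop " --log-level 6
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -i ${LAN_IF} -o ${WAN_IF} -s ${LAN_NET} -j ACCEPT
-A FORWARD -i ${WAN_IF} -o ${LAN_IF} -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -j LOG --log-prefix "FORWARD drop " --log-level 6
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o ${WAN_IF} -s ${LAN_NET} -j MASQUERADE
COMMIT
EOF
}

# Print every rule line that occurs more than once in an iptables-save dump
# read on stdin. The posted dump has each FORWARD and POSTROUTING rule twice,
# the usual sign of a start-up script appending to tables it never flushed.
find_duplicate_rules() {
  grep '^-A' | sort | uniq -d
}
# Constructed sample: three lines in the shape of the posted dump, one duplicated.
SAMPLE_DUMP='-A FORWARD -s 192.168.1.0/255.255.255.0 -j ACCEPT
-A FORWARD -s 192.168.1.0/255.255.255.0 -j ACCEPT
-A POSTROUTING -o eth1 -j MASQUERADE'

# Usage: sh fw.sh > rules.v4 && iptables-restore < rules.v4 (restore flushes first)
gen_ruleset
```

Load it with iptables-restore rather than a sequence of `iptables -A` calls, since restore replaces each table atomically and cannot produce the duplicated rules seen in the dump; then confirm from the LAN side that the router still answers and from outside that it does not.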
