[TriLUG] iptables- does this work?
Aaron S. Joyner
aaron at joyner.ws
Sat Apr 10 21:21:54 EDT 2004
Just one thing, you might want to use REJECT as opposed to DROP. Reason
being that it will cause network services that do try to access
something they shouldn't to fail in a timely manner. It's relatively
unlikely that someone on one of those networks is going to be doing
anything absurd with trying to get you to DoS someone else (by spoofing
src addresses, etc), which is the usual reason for choosing DROP over
REJECT in my mind.
Another thought, if you're attempting to allow wireless clients internet
access, do you intend to allow them access to the linux box directly?
If not, you might want to express that in your rules in some fashion
(a la iptables -A INPUT -i eth2 -d 192.168.3.1 -j REJECT). If you do,
you still might want to close it down a bit more, and only allow ports
you expect traffic to be coming in on (ssh, web, etc). Note, if you're
going to be using Samba from the wireless lan, ignore that - it requires
you open everything above 1024, so it's hardly worth bothering. :) You
could still firewall off "historically more vulnerable" services, but
you're better off doing a touch more legwork and getting them not to
bind to that interface to start with.
Hope that helps!
Aaron S. Joyner
Michael Hrivnak wrote:
>I'm just looking for some feedback on my rules with iptables. The machine
>will be running NAT in my home. eth0 is a cable modem, eth1 is a wired LAN
>with IP range 192.168.1. and eth2 is a wireless access point serving IP range
>192.168.3. One goal is to keep wireless clients from accessing wired
>clients.
>
>Do you see any potential problems? Is there a better way to do this?
>
>iptables -P INPUT ACCEPT
>iptables -F INPUT
>iptables -P OUTPUT ACCEPT
>iptables -F OUTPUT
>iptables -P FORWARD DROP
>iptables -F FORWARD
>iptables -A FORWARD -i eth2 -o eth1 -j DROP
>iptables -A FORWARD -i eth1 -o eth2 -j DROP
>iptables -A FORWARD -s 192.168.1.0/24 -j ACCEPT
>iptables -A FORWARD -d 192.168.1.0/24 -j ACCEPT
>iptables -A FORWARD -s 192.168.3.0/24 -j ACCEPT
>iptables -A FORWARD -d 192.168.3.0/24 -j ACCEPT
>iptables -t nat -F
>iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>
>Thanks a lot,
>Michael Hrivnak
>
>
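As an added example (not a script from Aaron's reply or Michael's post), here is Michael's ruleset with Aaron's two suggestions folded in: REJECT instead of DROP for the wireless/wired isolation, and an explicit INPUT policy for what wireless clients may reach on the router itself. The router's wireless address 192.168.3.1 is taken from Aaron's example; reading "ssh, web" as TCP ports 22, 80 and 443 is an assumption, as is the note about DHCP/DNS. The script prints the commands unless IPT_APPLY=1 is set, so it can be reviewed without root.

```shell
#!/bin/sh
# Added example (not from the original posts): Michael's NAT ruleset with
# Aaron's suggestions applied. Dry-run by default: the iptables commands are
# printed, not executed. Set IPT_APPLY=1 (as root) to actually load them.

IPT="${IPT:-iptables}"
if [ "${IPT_APPLY:-0}" = "1" ]; then
    ipt() { "$IPT" "$@"; }
else
    ipt() { echo "$IPT $*"; }
fi

# Interfaces and address ranges as described in Michael's post.
WAN=eth0            # cable modem
LAN=eth1            # wired LAN
WLAN=eth2           # wireless access point
LAN_NET=192.168.1.0/24
WLAN_NET=192.168.3.0/24
# Assumed: the router's own address on the wireless side (Aaron's example value).
ROUTER_WLAN_IP=192.168.3.1
# Assumed: "ssh, web" from Aaron's reply, read as TCP ports 22, 80 and 443.
ROUTER_WLAN_PORTS=22,80,443

build_rules() {
    # INPUT: traffic addressed to the router itself.
    ipt -P INPUT ACCEPT
    ipt -F INPUT
    # Wireless clients reach the router only on the listed ports. Anything else
    # arriving on the wireless interface is answered with an ICMP error (REJECT),
    # so the client fails immediately instead of waiting out a timeout (DROP).
    # iptables takes the first matching rule, so the ACCEPT must come first.
    # The catch-all matches on interface only, not on -d: a wireless client
    # addressing the router's eth1 or eth0 address also lands in INPUT.
    ipt -A INPUT -i "$WLAN" -d "$ROUTER_WLAN_IP" -p tcp -m multiport --dports "$ROUTER_WLAN_PORTS" -j ACCEPT
    ipt -A INPUT -i "$WLAN" -j REJECT
    # (Assumption: if the router also serves DHCP or DNS to the wireless side,
    #  UDP 67 and 53 would need ACCEPT rules above the REJECT as well.)

    ipt -P OUTPUT ACCEPT
    ipt -F OUTPUT

    # FORWARD: traffic routed between interfaces. Default deny, then:
    ipt -P FORWARD DROP
    ipt -F FORWARD
    # Wireless <-> wired isolation, with REJECT so misdirected connections fail
    # fast. These must precede the per-network ACCEPT rules below, which would
    # otherwise match (and allow) this traffic first.
    ipt -A FORWARD -i "$WLAN" -o "$LAN" -j REJECT
    ipt -A FORWARD -i "$LAN" -o "$WLAN" -j REJECT
    # Both private networks may talk to the internet and receive replies.
    ipt -A FORWARD -s "$LAN_NET" -j ACCEPT
    ipt -A FORWARD -d "$LAN_NET" -j ACCEPT
    ipt -A FORWARD -s "$WLAN_NET" -j ACCEPT
    ipt -A FORWARD -d "$WLAN_NET" -j ACCEPT

    # NAT: masquerade everything leaving the cable-modem interface.
    ipt -t nat -F
    ipt -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

build_rules
```

Running it without IPT_APPLY prints the rule list in the order it would be loaded, which is the useful thing to check: both the wireless-to-wired REJECTs in FORWARD and the port ACCEPT in INPUT only do their job because they sit ahead of the broader rules that follow them.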