How secure is this IPTABLES setup?
 

I'm a bit of a newb and this is my first go at creating an iptables / nat script. however I'm not sure if this is secure enough...
i really want to make my config as secure as possible, so any suggestions/comments are greatly appreciated

notes:

• the script is run on my gateway machine
• eth0 is my local (hopefully secure) network
• wlan0 is my connection to the internet

That's pretty secure and unusually clear for a first time firewall.

You are offering a few services... be aware of the vulnerabilities of these services. This is where you will be attacked.

Note, you can use samba tools to further secure... samba.
http://troy.jdmz.net/samba/fw/

Here's a few things I would recommend to tighten it a bit:


Make these more specific, with interface names and packet states. Like:
Eliminate this rule.

You are much better-off letting the packets hit the DROP policy.


Add a line like this to the start of the script, but have it echo a zero instead of a one. This way, you know that any time the script is run, forwarding will be disabled until everything is set-up.


Sending OUTPUT packets to DROP without sending them to LOG first is a habit that should be avoided as much as possible. Generally speaking, it's important to know exactly when unusual packets are being generated by your box. It can sometimes mean the difference between (for example) knowing your Apache's been owned, and being clueless about it.

Thanks for your help guys.

I have made the suggested changes, and fixed a couple of things i got wrong (mixed up eth0 and wlan0 in my netbios blocks)

here is the latest version :) :

Looks good. Although, you're still forwarding port 80 and 443 packets regardless of the interface they hit or what state they have. I haven't run a test, but I would suspect this opens you up to certain types of mischief at the very least. Better safe than sorry, no?

whoops forgot those ones, updated: