LinuxQuestions.org
LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
08-20-2003, 06:36 PM   #1
yocompia (Member; Registered: Apr 2003; Location: Chicago, IL; Distribution: openbsd 3.6, slackware 10.0)
iptables "match" questions


my firewall/router is up and functional, but i was wondering what i could do to tighten my iptables. the reason i ask is that i use mostly state matching rules for my base chains, which seems to be something of a unilateral approach to firewalling security. i have a wireless hookup (wlan0) to the router from a remote computer which is correctly forwarded. i haven't set any iptables up on the remote computer yet, so there are no issues there. below are my INPUT, FORWARD, and OUTPUT rules (tcp, udp and icmp rules are excluded for now):

##################
# rules for INPUT
##################

$IPTABLES -A INPUT -i lo -s 127.0.0.1 -j ACCEPT

# allow ssh from horatio
#$IPTABLES -A INPUT -p TCP -i wlan0 --dport 22 -j ACCEPT

# let w-lan traffic in from horatio
#$IPTABLES -A INPUT -p ALL -i wlan0 -m mac --mac-source 00:09:7b:89:53:8c -j ACCEPT

(this is not my real MAC, duh!)

#$IPTABLES -A INPUT -i lo -m mac --mac-source 00:09:7b:89:53:8c -j ACCEPT

# should make overnet work, but...
#$IPTABLES -A INPUT -p TCP -i ppp0 --dport 8855 -j ACCEPT
#$IPTABLES -A INPUT -p UDP -i ppp0 --dport 9001 -j ACCEPT

$IPTABLES -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# allows DHCPACK for setup of w-lan
$IPTABLES -A INPUT -p UDP -i wlan0 --dport 67 --sport 68 -j ACCEPT

$IPTABLES -A INPUT -i ppp0 -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT INPUT packet died: "

####################
# rules for FORWARD
####################

# allows w-lan valid outgoing through, but stops new/invalid connections through wlan0
$IPTABLES -A FORWARD -i ppp0 -o wlan0 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i wlan0 -o ppp0 -m state ! --state INVALID -j ACCEPT

$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT FORWARD packet died: "

###################
# rules for OUTPUT
###################

$IPTABLES -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -o ppp0 -m state ! --state INVALID -j ACCEPT

# allows outgoing w-lan traffic
#$IPTABLES -A OUTPUT -p ALL -o wlan0 -m state ! --state INVALID -j ACCEPT

# allows DHCPOFFER for setup of w-lan
$IPTABLES -A OUTPUT -p UDP -o wlan0 --dport 68 --sport 67 -j ACCEPT

$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

########################
# rules for POSTROUTING
########################

# to get source NAT
$IPTABLES -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

the main thing i'd like to have, in addition to better overall security, is the ability to ssh between the router and the remote computer (see the commented out rule(s) regarding dport 22), but i can't seem to set this up correctly (i've moved these rules around in the chains to try to get things to work, to no avail). i'd expect a rule such as

$IPTABLES -A INPUT -p TCP -i wlan0 --dport 22 -m mac --mac-source <my remote mac> -j ACCEPT

to allow my remote computer to ssh into my router, but it doesn't seem to work. any suggestions?

thx for reading,
y-p
 
08-20-2003, 10:53 PM   #2
Half_Elf (LQ Guru; Registered: Sep 2001; Location: Montreal, Canada; Distribution: Slackware; Debian; Gentoo...)
a nice firewall, really
Have you tried to "listen" to the ssh connection with tcpdump (or whatever program you wish to use)? Maybe there's something wrong with that (sometimes the MAC address isn't correctly sent in the packet, for example if you use a router; take a look with tcpdump.)

Your rule should work.
 
08-21-2003, 09:31 AM   #3
yocompia (Original Poster)
using tcpdump is completely new to me, but i'll give it a try (i have a bunch of time over the next few days). other than that, i'll keep fiddling w/ what i've already got. thx for the suggestion. keep rockin the quebecois (provided you're a native).

y-p
 
08-21-2003, 11:29 AM   #4
Capt_Caveman (Senior Member; Registered: Mar 2003; Distribution: Fedora)
My guess would be that you don't have a RELATED,ESTABLISHED rule for the wlan interface on the INPUT chain. You DO have one for your ppp0 interface, but that won't catch the wireless traffic. So you should do something like:

$IPTABLES -A INPUT -p TCP -i wlan0 --dport 22 -j ACCEPT
$IPTABLES -A INPUT -i wlan0 -m state --state ESTABLISHED,RELATED -j ACCEPT


Did it work when you tried this rule?:
#$IPTABLES -A INPUT -p ALL -i wlan0 -m mac --mac-source 00:09:7b:89:53:8c -j ACCEPT

If that MAC is right, it should allow any traffic from your wireless interface. If it didn't work, then your problem is more likely a daemon misconfiguration or something else.
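A way to check this kind of diagnosis on paper, as an added example that is not from this thread or from any of the posters: the Python below models the INPUT and OUTPUT chains exactly as posted (tcp/udp/icmp rules excluded, as in the post) and walks the three packets of an SSH TCP handshake from horatio through them, the way iptables and conntrack would. It assumes a DROP policy on both chains (the post shows only the LOG rules that precede it), a constructed client port 50123, and that conntrack classifies the replies as ESTABLISHED once the SYN has been accepted and tracked. The walk goes a step beyond the reply above: the SYN-ACK from sshd has to leave through the OUTPUT chain on wlan0, where the only non-DHCP rule ("-o wlan0 -m state ! --state INVALID") is commented out in the post, so the reply is dropped there even when the INPUT rules are right.

```python
from __future__ import annotations
from dataclasses import dataclass

# Placeholder MAC copied from the post (the poster says it is not the real one)
# and a constructed ephemeral client port for the example.
HORATIO_MAC = "00:09:7b:89:53:8c"
CLIENT_PORT = 50123
EST = frozenset({"ESTABLISHED", "RELATED"})
INVALID = frozenset({"INVALID"})


@dataclass(frozen=True)
class Packet:
    """One packet as the INPUT or OUTPUT hook sees it (constructed data)."""
    in_if: str | None        # -i candidate; None for locally generated packets
    out_if: str | None       # -o candidate; None for locally delivered packets
    proto: str               # "tcp" or "udp"
    sport: int
    dport: int
    state: str               # conntrack class: NEW, ESTABLISHED, RELATED, INVALID
    mac: str | None = None   # source MAC; only present on an inbound Ethernet frame


@dataclass(frozen=True)
class Rule:
    """A single '$IPTABLES -A <chain> ...' line reduced to its match criteria."""
    target: str                      # ACCEPT, DROP or LOG
    in_if: str | None = None         # -i
    out_if: str | None = None        # -o
    proto: str | None = None         # -p
    sport: int | None = None         # --sport
    dport: int | None = None         # --dport
    states: frozenset | None = None  # -m state --state ...
    negate: bool = False             # the "!" in "-m state ! --state INVALID"
    mac: str | None = None           # -m mac --mac-source

    def matches(self, p: Packet) -> bool:
        # Every criterion set on the rule must agree with the packet.
        for want, have in ((self.in_if, p.in_if), (self.out_if, p.out_if),
                           (self.proto, p.proto), (self.sport, p.sport),
                           (self.dport, p.dport), (self.mac, p.mac)):
            if want is not None and want != have:
                return False
        if self.states is not None and (p.state in self.states) == self.negate:
            return False
        return True


def walk(chain: list[Rule], p: Packet, policy: str = "DROP") -> str:
    """First terminating match wins; LOG never terminates the chain.  The DROP
    policy is an assumption: the post's 'packet died' log lines suggest it."""
    for rule in chain:
        if rule.target != "LOG" and rule.matches(p):
            return rule.target
    return policy


def op_input(ssh_rule: bool, wlan_state_rule: bool) -> list[Rule]:
    """The post's INPUT chain (tcp/udp/icmp rules excluded, as in the post)."""
    chain = [Rule("ACCEPT", in_if="lo")]
    if ssh_rule:  # the "--dport 22 -m mac --mac-source" rule the poster is testing
        chain.append(Rule("ACCEPT", in_if="wlan0", proto="tcp", dport=22, mac=HORATIO_MAC))
    chain.append(Rule("ACCEPT", in_if="ppp0", states=EST))
    chain.append(Rule("ACCEPT", in_if="wlan0", proto="udp", dport=67, sport=68))
    if wlan_state_rule:  # Capt_Caveman's suggested ESTABLISHED,RELATED rule for wlan0
        chain.append(Rule("ACCEPT", in_if="wlan0", states=EST))
    chain.append(Rule("LOG", in_if="ppp0"))
    return chain


def op_output(wlan_rule: bool) -> list[Rule]:
    """The post's OUTPUT chain; 'lo' stands in for the '-s 127.0.0.1' match."""
    chain = [Rule("ACCEPT", out_if="lo"),
             Rule("ACCEPT", out_if="ppp0", states=INVALID, negate=True)]
    if wlan_rule:  # "-o wlan0 -m state ! --state INVALID", commented out in the post
        chain.append(Rule("ACCEPT", out_if="wlan0", states=INVALID, negate=True))
    chain.append(Rule("ACCEPT", out_if="wlan0", proto="udp", dport=68, sport=67))
    chain.append(Rule("LOG"))
    return chain


def ssh_handshake(inp: list[Rule], out: list[Rule], client_mac: str = HORATIO_MAC) -> list[str]:
    """Verdicts for the TCP handshake of an SSH session from horatio (wlan0) to
    sshd on the router.  Evaluation stops at the first DROP, since the peer then
    has nothing to answer; later packets are ESTABLISHED only because the SYN
    was accepted and tracked by conntrack."""
    steps = [
        (inp, Packet("wlan0", None, "tcp", CLIENT_PORT, 22, "NEW", client_mac)),          # SYN in
        (out, Packet(None, "wlan0", "tcp", 22, CLIENT_PORT, "ESTABLISHED")),              # SYN-ACK out
        (inp, Packet("wlan0", None, "tcp", CLIENT_PORT, 22, "ESTABLISHED", client_mac)),  # ACK in
    ]
    verdicts = []
    for chain, packet in steps:
        verdicts.append(walk(chain, packet))
        if verdicts[-1] != "ACCEPT":
            break
    return verdicts


if __name__ == "__main__":
    print("dport 22 rule only:       ", ssh_handshake(op_input(True, False), op_output(False)))
    print("plus wlan0 state + OUTPUT:", ssh_handshake(op_input(True, True), op_output(True)))
    print("wrong MAC:                ", ssh_handshake(op_input(True, True), op_output(True), "00:00:00:00:00:01"))
```

Run as a script, the first line shows the SYN accepted and the SYN-ACK dropped in OUTPUT, the second a complete handshake once both the wlan0 state rule and the wlan0 OUTPUT rule are in place, and the third the MAC match rejecting a client with a different hardware address. The same model can be extended with a FORWARD chain to trace the masqueraded traffic from horatio out through ppp0.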