08-05-2007, 10:36 AM
|
#1
|
LQ Newbie
Registered: Feb 2007
Distribution: Ubuntu 7.10 Mint 4.0
Posts: 23
|
iptables forwarding
Hi everyone, I'm a bit confused. I've been reading about iptables and IP forwarding. What I'm confused about is: if I turn on IP forwarding, will my computer act like a router? If I turn off IP forwarding, will it not act like a router?
|
|
|
08-05-2007, 11:00 AM
|
#2
|
LQ Guru
Registered: Jan 2003
Location: Seymour, Indiana
Distribution: Distribution: RHEL 5 with Pieces of this and that.
Kernel 2.6.23.1, KDE 3.5.8 and KDE 4.0 beta, Plu
Posts: 5,700
|
Enabling IP forwarding will allow data on the internal set NIC to send its data to the WAN outside NIC if that is its required destination. But it will not allow outside connections to internal machines on the other NIC unless other rules are added. So in essence you get the very basics of a store-bought router, but add needed rules to block all ports on the WAN NIC unless they are needed open.
Brian
|
|
|
08-05-2007, 11:00 AM
|
#3
|
Moderator
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417
|
Yes, IP forwarding *is* routing, i.e. forwarding a packet when it is not intended for IP addresses held locally to that machine. There is more to it than just that when done correctly, but that does essentially make it a router.
|
|
|
08-05-2007, 11:18 AM
|
#4
|
LQ Newbie
Registered: Feb 2007
Distribution: Ubuntu 7.10 Mint 4.0
Posts: 23
Original Poster
|
Thanks guys for your quick reply. This is the other thing that I'm confused about. Let me explain: in the town I live in we have free wireless bubbles, and being poor as me this is a good thing. Anyway, I have to block some people's MAC addresses from my computer.
Now will their computers still be able to browse the Internet on the router even though I block them off of my computer? To my knowledge they should, but I need better input. This is why I did not want my computer to act like a router.
|
|
|
08-05-2007, 12:00 PM
|
#5
|
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
|
Quote:
Originally Posted by ComputerHermit_
Thanks guys for your quick reply. This is the other thing that I'm confused about. Let me explain: in the town I live in we have free wireless bubbles, and being poor as me this is a good thing. Anyway, I have to block some people's MAC addresses from my computer.
|
Is your computer the router too? And also, why are these people not blocked from your computer in the first place? Are you running services on it?
Quote:
Now will their computers still be able to browse the Internet on the router even though I block them off of my computer? To my knowledge they should, but I need better input. This is why I did not want my computer to act like a router.
|
If your computer is the router, then blocking connections from the clients to the router will not affect the connections they can make through the router. It's two separate issues (INPUT vs. FORWARD chains).
|
|
|
08-05-2007, 12:51 PM
|
#6
|
LQ Newbie
Registered: Feb 2007
Distribution: Ubuntu 7.10 Mint 4.0
Posts: 23
Original Poster
|
win32sux, thanks.
My computer is not the router; I know this after asking here. My computer has no services on it, but some of the other people's computers have the MS browser service running. Those computers I block. Thanks again.
|
|
|
08-06-2007, 01:20 AM
|
#7
|
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
|
Quote:
Originally Posted by ComputerHermit_
win32sux, thanks.
My computer is not the router; I know this after asking here. My computer has no services on it, but some of the other people's computers have the MS browser service running. Those computers I block. Thanks again.
|
In that case just block all incoming connections to your computer - not just from some MACs. MACs can be easily spoofed, making your rules completely ineffective. Besides, blocking all non-necessary incoming connections is a good idea either way. Here are the basic commands for this (assuming you have not changed the default iptables settings yet):
Code:
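# Default policy: drop every inbound packet that no rule below accepts
iptables -P INPUT DROP
# Accept packets belonging to connections this machine started
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Accept traffic on the loopback interface
iptables -A INPUT -i lo -j ACCEPT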
You should probably do some reading-up on iptables and stuff, depending on how much sense the above commands make to you. A good place to start is Wikipedia. There are some good links at the bottom of the page.
|
|
|
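The two points made in posts #5 and #7 (INPUT and FORWARD are filtered separately, and default-deny beats MAC blocking) can be checked against a saved ruleset. The script below is an added example, not part of any post in the thread: the function names, the MAC address and both sample rulesets are constructed, and the input is assumed to be `iptables-save` output.

```shell
# Added example, not from the thread. Audits `iptables-save` text on stdin.
# $1 = contents of /proc/sys/net/ipv4/ip_forward (0 = plain host, 1 = router).
audit_ruleset() {
    awk -v fwd="${1:-0}" '
        /^\*/             { table = substr($1, 2); next }
        table != "filter" { next }
        $1 == ":INPUT"    { inpol = $2 }
        $1 == ":FORWARD"  { fwpol = $2 }
        $1 == "-A" && $2 == "INPUT" {
            if ($0 ~ /--mac-source/)                    mac++
            if ($0 ~ /ESTABLISHED/ && $0 ~ /-j ACCEPT/) est = 1
            if ($0 ~ /-i lo / && $0 ~ /-j ACCEPT/)      lo = 1
        }
        END {
            if (inpol != "DROP") { print "FAIL INPUT policy is " inpol ", not default-deny"; bad++ }
            if (mac) print "WARN " mac " INPUT rule(s) match on MAC address, which a client can change"
            if (inpol == "DROP" && !est) print "WARN no RELATED,ESTABLISHED accept: replies are dropped"
            if (inpol == "DROP" && !lo)  print "WARN no loopback accept: local lo traffic is dropped"
            if (fwd == 1 && fwpol != "DROP") { print "FAIL forwarding is on and FORWARD policy is " fwpol; bad++ }
            if (fwd == 0) print "INFO forwarding is off: host does not route, FORWARD chain sees no traffic"
            exit bad + 0
        }'
}

# Constructed sample: MAC blocks only, INPUT left at its default ACCEPT policy.
sample_mac_only() { cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m mac --mac-source 02:00:00:00:00:01 -j DROP
COMMIT
EOF
}
# Constructed sample: iptables-save view of the three commands from post #7.
sample_default_deny() { cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
COMMIT
EOF
}

sample_mac_only | audit_ruleset 0 || true      # FAIL: policy still ACCEPT
sample_default_deny | audit_ruleset 0 || true  # passes: only the INFO line
sample_default_deny | audit_ruleset 1 || true  # FAIL: INPUT rules do not cover FORWARD
```

On a real host, run it as root with `iptables-save | audit_ruleset "$(cat /proc/sys/net/ipv4/ip_forward)"`; a non-zero exit status means at least one FAIL line was printed.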
08-06-2007, 12:32 PM
|
#8
|
LQ Newbie
Registered: Feb 2007
Distribution: Ubuntu 7.10 Mint 4.0
Posts: 23
Original Poster
|
win32sux
Thanks, I have been reading up on iptables. I'm understanding it a bit better than I did, thanks a lot. I was trying to look for info on using iptables to stop or filter ARP requests from computers on the wireless network coming in to this computer. Any ideas?
|
|
|
All times are GMT -5. The time now is 04:26 PM.