melinda_sayang
12-21-2004 01:28 AM
is this firewall rule safe?
Hi,
I use Gentoo and share my internet connection with my laptop, following this guide. So I have this script:
Code:
First we flush our current rules
# iptables -F
# iptables -t nat -F
Then we lock our services so they only work from the LAN
# iptables -I INPUT 1 -i eth0 -j ACCEPT
# iptables -I INPUT 1 -i lo -j ACCEPT
# iptables -A INPUT -p UDP --dport bootps -i ! eth0 -j REJECT
# iptables -A INPUT -p UDP --dport domain -i ! eth0 -j REJECT
(Optional) Allow access to our ssh server from the WAN
# iptables -A INPUT -p TCP --dport ssh -i eth1 -j ACCEPT
Drop TCP / UDP packets to privileged ports
# iptables -A INPUT -p TCP -i ! eth0 -d 0/0 --dport 0:1023 -j DROP
# iptables -A INPUT -p UDP -i ! eth0 -d 0/0 --dport 0:1023 -j DROP
Finally we add the rules for NAT
# iptables -I FORWARD -i eth0 -d 192.168.0.0/255.255.0.0 -j DROP
# iptables -A FORWARD -i eth0 -s 192.168.0.0/255.255.0.0 -j ACCEPT
# iptables -A FORWARD -i eth1 -d 192.168.0.0/255.255.0.0 -j ACCEPT
# iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
Tell the kernel that ip forwarding is OK
# echo 1 > /proc/sys/net/ipv4/ip_forward
# for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done
This is my output of "iptables -L":
Code:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
REJECT udp -- anywhere anywhere udp dpt:bootps reject-with icmp-port-unreachable
REJECT udp -- anywhere anywhere udp dpt:domain reject-with icmp-port-unreachable
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
DROP tcp -- anywhere anywhere tcp dpts:0:1023
DROP udp -- anywhere anywhere udp dpts:0:1023
Chain FORWARD (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere 192.168.1.0/24
ACCEPT all -- 192.168.1.0/24 anywhere
ACCEPT all -- anywhere 192.168.1.0/24
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Now I can happily share the internet connection with the laptop. The question is: before I shared the internet connection with the laptop, I used firestarter or guarddog to generate firewall rules. But I am afraid that if I do that now, I can't share the internet connection anymore. So I just stick with this script. Is this a safe firewall for a desktop? It looks safe, as I can read the comment "Then we lock our services so they only work from the LAN", but I just want to ask for confirmation.
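For comparison, a default-deny, stateful rewrite of the same ruleset, as an added example that is not from the guide or the poster; it assumes the same layout (eth0 on the LAN, eth1 on the WAN, LAN 192.168.0.0/16 as in the guide's script) and prints the rules instead of applying them when run with IPT=echo:

```shell
#!/bin/sh
# Added example, not from the guide or the poster: a default-deny, stateful
# rewrite of the ruleset above. Assumptions: eth0 faces the LAN, eth1 the
# WAN, and the LAN is 192.168.0.0/16 as in the guide's script.
# Run as root to apply the rules; run with IPT=echo to only print them.
LAN_IF=${LAN_IF:-eth0}
WAN_IF=${WAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.0.0/16}
IPT=${IPT:-iptables}

apply_rules() {
    # Clean slate, then deny by default. The guide's script relies on
    # INPUT policy ACCEPT plus a DROP for ports 0:1023, which leaves every
    # unprivileged port reachable from the WAN; a DROP policy closes them.
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback and the LAN side are trusted for local services. No -s
    # filter on the LAN rule: DHCP requests arrive with source 0.0.0.0.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -j ACCEPT

    # Replies to connections this host started may come back in;
    # unsolicited WAN packets never match and fall through to DROP.
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP

    # (Optional) ssh from the WAN, new connections only.
    $IPT -A INPUT -i "$WAN_IF" -p tcp --dport 22 \
        -m conntrack --ctstate NEW -j ACCEPT

    # Forwarding: LAN -> WAN for new and existing flows, WAN -> LAN only
    # for return traffic. A WAN packet with a LAN source address is
    # spoofed and is dropped first, as in the guide's first FORWARD rule.
    $IPT -A FORWARD -i "$WAN_IF" -s "$LAN_NET" -j DROP
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

# Self-check helper: number of rules the script would append to a chain,
# counted from the printed form, so it needs no root.
rule_count() {
    ( IPT=echo; apply_rules ) | grep -c -- "-A $1 "
}
```

Forwarding still has to be switched on as in the guide (echo 1 > /proc/sys/net/ipv4/ip_forward); the conntrack match requires the nf_conntrack module, which current kernels load automatically.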