09-30-2003, 11:58 AM   #1
AWyant (LQ Newbie, Registered: Sep 2003, Location: Paris, MO, Posts: 12)

Will these commands hose my connection?


I'm a Linux newbie. Thus far, I have built a RH9 machine with 2 NICs, built in iptables and configured the firewalls. I have the Linux box working as a firewall/filtering router for my Internet connection. I finally accomplished this last week. Now, I am going back and tightening down the screws on the system. I read through some of the Security References FAQ main post in this group and found the LinuxSecurity.com Quick Reference guide. There are several commands listed on this card (below) for kernel security. However, some of them sound pretty binding, and I do not want them to override my iptables or lock my Windoze machines out of the Internet. I also do not want to open any holes (obviously). Will any of these do that?

Commands:
#icmp_echo_ignore_all
#icmp_echo_ignore_broadcasts
#ip_masq_debug
#tcp_syncookies
#rp_filter
#secure_redirects
#accept_source_route

Configuration
eth0 (ISP connection-static IP)
XXX.XXX.XXX.185 IP
255.XXX.XXX.XXX Subnet
XXX.XXX.XXX.129 Gateway
XXX.XXX.XXX.19 DNS
XXX.XXX.XXX.21 DNS

eth1 (To Windoze machine/LAN-static manually assigned)
XXX.XXX.XXX.101 IP
255.255.255.0 Subnet
XXX.XXX.XXX.129 Gateway (from ISP)


Windoze machine (static IP)
XXX.XXX.XXX.100 IP
255.255.255.0 Subnet
XXX.XXX.XXX.101 Gateway(from eth1)
XXX.XXX.XXX.19 DNS (same as ISP)
XXX.XXX.XXX.21 DNS (same as ISP)


Below is a copy of my IPTables

# Generated by iptables-save v1.2.7a on Thu Sep 25 13:45:12 2003
*mangle
:PREROUTING ACCEPT [157731:9180541]
:INPUT ACCEPT [157703:9178680]
:FORWARD ACCEPT [25:1627]
:OUTPUT ACCEPT [159258:9276153]
:POSTROUTING ACCEPT [159229:9269724]
COMMIT
# Completed on Thu Sep 25 13:45:12 2003
# Generated by iptables-save v1.2.7a on Thu Sep 25 13:45:12 2003
*nat
:PREROUTING ACCEPT [142:11923]
:POSTROUTING ACCEPT [4113:181126]
:OUTPUT ACCEPT [4973:241108]
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -s XXX.XXX.XXX.128/XXX.XXX.XXX.192 -j ACCEPT
-A POSTROUTING -o eth0 -j SNAT --to-source XXX.XXX.XXX.185
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Thu Sep 25 13:45:13 2003
# Generated by iptables-save v1.2.7a on Thu Sep 25 13:45:13 2003
*filter
:INPUT DROP [102:10085]
:FORWARD DROP [0:0]
:OUTPUT DROP [54:8056]
:LD - [0:0]
:SANITY - [0:0]
:STATE - [0:0]
:UNCLEAN - [0:0]
-A FORWARD -s 192.168.1.0/255.255.255.0 -j ACCEPT
-A FORWARD -d 192.168.1.0/255.255.255.0 -j ACCEPT
-A FORWARD -s ! 192.168.1.0/255.255.255.0 -j DROP
COMMIT
# Completed on Thu Sep 25 13:45:13 2003



If you need the specific commands that I used to build the IPtables, LMK. As with everyone, security is the main objective, but I don't want to kill what I've done already.

Thanks
 
10-02-2003, 08:26 AM   #2
unSpawn (Moderator, Registered: May 2001, Posts: 29,415, Blog Entries: 55)

Re: Will these commands hose my connection?

Commands:
A description of those is in /usr/src/linux/Documentation, filesystems/proc.txt and networking/ip-sysctl.txt. Please mind the notes in proc.txt. All sysctls could be acceptable use within your private LAN if you wish so, but should NOT apply to the interface receiving foreign traffic because of spoofing etc. etc. So all except ip_masq_debug should be used.


# Generated by iptables-save v1.2.7a
I won't comment on these, I'm more at ease reading rule files, not save states, sorry. I'd recommend checking out the linuxguruz.com site's scripts though; you're missing all the default stuff from rate limits and spoof rules to "bad packet" and LOG target rules.
Adding LOG target rules on both in and out interfaces is good for many reasons, it should give you a better idea of what goes in and out. If not for accounting reasons, then for adjusting or debugging.
You're also forwarding everything which can't be good if it's a specific server you're forwarding to. Use a DMZ and restrict traffic to only what's needed.
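The knobs the question lists are a mix of per-interface and global sysctls, and the reply points to ip-sysctl.txt for which is which; the script below is an added example (not code from either poster) that audits and applies them one interface at a time through /proc/sys. The interface names eth0/eth1 follow the post, while PROC_ROOT, the function names and the chosen values are assumptions; source the file as root and call audit_iface eth0, then apply_iface eth0 if the report shows mismatches.

```shell
#!/bin/sh
# Added example, not from the thread: audit and apply the knobs the question
# lists. rp_filter, secure_redirects and accept_source_route are per-interface
# files under /proc/sys/net/ipv4/conf/<iface>/; the rest are global. PROC_ROOT
# is a constructed override so tests can point the functions at a fake tree.
PROC_ROOT=${PROC_ROOT:-/proc/sys}

# "key value" pairs wanted on interface $1 (ip_masq_debug is left out: it
# only toggles masquerading debug output, it is not a hardening knob).
wanted_settings() {
    echo "net.ipv4.conf.$1.rp_filter 1"           # drop spoofed-source packets
    echo "net.ipv4.conf.$1.accept_source_route 0" # refuse source-routed packets
    echo "net.ipv4.conf.$1.secure_redirects 1"    # redirects only from known gateways
    echo "net.ipv4.tcp_syncookies 1"              # keep accepting under SYN flood
    echo "net.ipv4.icmp_echo_ignore_broadcasts 1" # no smurf amplification
    # Global: setting this to 1 would also stop the LAN host pinging its gateway.
    echo "net.ipv4.icmp_echo_ignore_all 0"
}

# Map a dotted sysctl key to its file under PROC_ROOT.
proc_path() { echo "$PROC_ROOT/$(echo "$1" | tr . /)"; }

# Print one line per key for interface $1; return 0 only if all values match.
audit_iface() {
    bad=0
    while read -r key want; do
        f=$(proc_path "$key")
        if [ ! -r "$f" ]; then
            echo "MISSING  $key ($f)"; bad=$((bad + 1)); continue
        fi
        have=$(cat "$f")
        if [ "$have" = "$want" ]; then
            echo "ok       $key=$have"
        else
            echo "MISMATCH $key=$have want $want"; bad=$((bad + 1))
        fi
    done <<EOF
$(wanted_settings "$1")
EOF
    [ "$bad" -eq 0 ]
}

# Write the wanted values for interface $1 (root needed on the real /proc).
apply_iface() {
    while read -r key want; do
        f=$(proc_path "$key")
        if [ -w "$f" ]; then echo "$want" > "$f"; fi
    done <<EOF
$(wanted_settings "$1")
EOF
}
```

A MISSING line for an interface directory usually means the NIC name is wrong or the interface is down, so check that before trusting an "all ok" report.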