firewall

Derek Trotter expat.arizonan at gmail.com
Tue Aug 7 19:07:47 MST 2012


On 8/7/2012 10:08, Matt Graham wrote:
> From: Derek Trotter <expat.arizonan at gmail.com>
>> Recently I got dsl and decided to have my linux box pass on traffic to
>> my windows box rather than buying a firewall.
> [snip]
>> iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 40998 -j DNAT --to
>> 192.168.0.2:40998
>> # packets on port 40998 forwarded to internal windows machine
> That's what the above iptables rule is actually doing.  No real problems, just
> that you'll have to use a different port if you're using bittorrent on the
> Linux box.
>
>> iptables -A OUTPUT -o eth0 -p tcp --dport 80 -m state --state
>> NEW,ESTABLISHED -j ACCEPT
>> iptables -A INPUT -i eth0 -p tcp --sport 80 -m state --state ESTABLISHED
>> -j ACCEPT
>> # Allows me to surf the web from windows box
> [snip similar rules for port 53 tcp/udp]
>
> You'll probably want a similar rule for port 443, unless you never use HTTPS
> from the windows box.
That's a good idea to do this for port 443.  However, the rules for port 
80 were only needed for the Linux box.  After I put in the drop rule for 
eth0 at the end, I could no longer use a browser from the Linux box.  
Also apt-get didn't work.  Both worked after I put in the rules for port 
80 and the rules for port 53.  I never had any trouble surfing the web 
from the Windows box, either before the drop rule was added or before the 
rules for port 80 and port 53 were added.

Now that I think about it, it seems to me the rules for NAT would not 
allow incoming connections from any malware unless some malware was 
already on the Windows box.  It would have to initiate the connection.  
It seems to me it might be a good idea to block everything coming from 
the Windows box unless it's something I want, such as http, ftp, ssh, 
email, bittorrent, etc.  Would it work if I put a drop rule at the end 
like the one below, but for eth1, then open the ports I need like I did 
for ports 80 and 53 on eth0?  Or is that overkill?  I have Avast on the 
Windows box and kept the default settings for it updating itself, which 
it does at least once a day.

Thanks

Derek
>
>> iptables -A INPUT -i eth0 -j DROP
> Putting a default DROP like that at the end of INPUT is OK, you just have to
> make sure you allow all the things you'll need to access from outside.  Like
> ssh, or a VPN, or other stuff like apache/postfix.  It's annoying to iptables
> yourself out of your home box from outside.  There are other things that often
> get done to INPUT, like blocking incoming from 10.0.0.0, 192.168.0.0,
> 127.0.0.0, and multicast, but having a default DROP sort of covers all of
> those....
>
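As an added example (not code from either poster), the script below builds the per-port allow-list for the Windows box that Derek asks about. Traffic the Windows box sends out to the Internet through the Linux router crosses the FORWARD chain rather than INPUT, so the allow-list and the final DROP are placed there; it assumes eth1 is the LAN interface, 192.168.0.2 is the Windows box (from the DNAT rule above), that a MASQUERADE rule for eth0 already exists, and the list of allowed services is a constructed one.

```shell
#!/bin/sh
# Egress allow-list for the LAN host behind the Linux router (added example).
# Assumptions: eth0 = DSL side, eth1 = LAN side, 192.168.0.2 = the Windows box,
# NAT (MASQUERADE on eth0) already configured, FORWARD policy ACCEPT by default.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 applies them as root.
DRY_RUN="${DRY_RUN:-1}"
WAN_IF=eth0
LAN_IF=eth1
LAN_HOST=192.168.0.2
BT_PORT=40998
# Constructed list of services the Windows box may start outward: "proto:port".
# Outgoing BitTorrent peer connections go to arbitrary ports, so a strict
# list like this blocks them; that is the trade-off of egress filtering.
ALLOWED="tcp:80 tcp:443 tcp:53 udp:53 tcp:21 tcp:22 tcp:25 tcp:587 tcp:993 tcp:995"

ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

lan_egress_rules() {
    # Replies to tracked connections flow back in regardless of port.
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Inbound connections DNAT'd to the BitTorrent port must still be let through.
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$LAN_HOST" -p tcp --dport "$BT_PORT" \
        -m state --state NEW -j ACCEPT
    # One rule per allowed service the LAN host may initiate.
    for svc in $ALLOWED; do
        proto=${svc%%:*}
        port=${svc##*:}
        ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_HOST" -p "$proto" --dport "$port" \
            -m state --state NEW,ESTABLISHED -j ACCEPT
    done
    # Log (rate-limited) and drop anything else the LAN host tries to start outbound;
    # the log line is what reveals a compromised box trying to phone home.
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -m limit --limit 5/min -j LOG \
        --log-prefix "LAN-EGRESS-DROP: "
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j DROP
}

lan_egress_rules
```

Run with `DRY_RUN=1` first and read the printed rules; the final DROP only applies to connections the Windows box initiates, not to replies for connections the Linux box or the DNAT rule already allowed.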