firewall

JD Austin jd at twingeckos.com
Tue Aug 7 22:43:18 MST 2012


If you're already behind a router (often a DSL modem) you might be 'double
natting' if you don't configure it right.
I never like to mix uses, but it can work though.  My recommendation would
be to take an older piece of hardware and install SME Server (if you want a
directory server/file server for Windows), or one of these firewall
distributions if you don't: Smoothwall, Endian Firewall, or IPCop.
On SME Server the Windows machines need a registry patch (especially
Vista+): http://<localgateway IP>/server-resources/regedit/


On Tue, Aug 7, 2012 at 9:36 PM, Lisa Kachold <lisakachold at obnosis.com> wrote:

> Hi Derek,
>
> How are you?
>
> We didn't really cover if you are using a singular dsl device or a small
> switch/dsl modem on the upstream?
>
> So if you have your two boxes (Ladmo and Wallace) connected via a
> crossover cable or small switch to eth1 on Wallace which has eth0 connected
> to your dsl, that's good.
>
> If you have both boxes connected to the dsl switch/modem, there might be a
> problem?
>
> The best way to verify your settings is via nmap from outside.
>
> Assumptions without real tests are the basis of bad security everywhere.
>
> nmap each server from the other server.  Run an nmap from a shell or Linux
> box externally.
>
> Also run this tool on the Windows system to verify what is really running:
>
> http://www.youtube.com/watch?v=Kh4UeGfzO9o&playnext=1&list=PL908F54F9D05EE965&feature=results_video
>
> See my comments below:
>
> On Mon, Aug 6, 2012 at 11:06 PM, Derek Trotter <expat.arizonan at gmail.com> wrote:
>
>> Recently I got dsl and decided to have my linux box pass on traffic to my
>> windows box rather than buying a firewall.  I did the research online and
>> figured out how to make everything work like I wanted. Is there anything
>> I've done wrong?  Does anyone have any suggestions to improve it?  Below is
>> what I put into rc.local including comments in case I forget later what
>> each part does.  Wallace is the linux box.  Ladmo is the windows box.
>> Thanks.
>>
> You can tighten up your source and destination by network subnet also:
>
> iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 ! -d 10.0.1.0/24 -j MASQUERADE
>
>
>
>> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>> iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
>> iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
>> # The 3 above allow for nat and forwarding to Ladmo.  This allows me to do stuff online from Ladmo.
>>
>> iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 40998 -j DNAT --to 192.168.0.2:40998
>> # Allows bittorrent clients on the net to contact mine.
>>
>> iptables -A OUTPUT -o eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
>> iptables -A INPUT -i eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
>> # Allows me to surf the web from Wallace.
>>
>> iptables -A OUTPUT -o eth0 -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
>> iptables -A INPUT -i eth0 -p tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT
>>
>> iptables -A OUTPUT -o eth0 -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
>> iptables -A INPUT -i eth0 -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
>> # Allows dns to work on Wallace.
>>
> # Opening both tcp and udp DNS (from EVERYONE) will allow me to do all
> # sorts of nefarious things via DNS (trusted port) attack:
> # http://cipherdyne.org/blog/2008/07/mitigating-dns-cache-poisoning-attacks-with-iptables.html
> # http://www.watchguard.com/training/lss/60/Proxies/proxies9.htm
> # http://www.exploit-db.com/exploits/16748/
> # At the very least open instead source and destination udp only to your
> # DNS servers and use random ports:
>
>
> iptables -A INPUT -p udp -s 8.8.8.8 --sport 1024:65535 -d 192.168.1.23 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -p udp -s 192.168.1.23 --sport 53 -d 8.8.8.8 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
> iptables -A INPUT -p udp -s 8.8.8.8 --sport 53 -d 192.168.1.23 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -p udp -s 192.168.1.23 --sport 53 -d 8.8.8.8 --dport 53 -m state --state ESTABLISHED -j ACCEPT
>
>
> # Add logging: you need both rules
> iptables -A INPUT -j LOG --log-level 4 --log-prefix 'InDrop '
>
>> iptables -A INPUT -i eth0 -j DROP
>> # Drops unwanted incoming packets.
>> ---------------------------------------------------
>>
>
> Adding a list of RFC 1419 private ip addresses might be nice but if you
> tighten up your nat masquerade rule, they won't be necessary.
>
> Also, if you can access the web via port 443, I would be worried that you
> are getting packets from a switch on the other port eth1 outbound/inbound?
>
> Test it...
>
> --
> (503) 754-4452 Android
> (623) 239-3392 Skype
> (623) 688-3392 Google Voice
> http://it-clowns.com
> Safeway.com Automation Engineer
>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>
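An added example (my code, not from anyone in the thread): a small Python linter that flags the three weaknesses Lisa raises against Derek's rc.local rules, namely a MASQUERADE with no source subnet, DNS rules that accept any peer, and a DROP with no LOG rule in front of it. Both rule lists are constructed here from the rules quoted above; the LAN subnet 192.168.1.0/24 and resolver 8.8.8.8 are the values Lisa used.

```python
import shlex

# Constructed sample: Derek's rules as quoted above, reduced to the ones under discussion.
ORIGINAL_RULES = """
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -j DROP
"""

# Constructed sample with Lisa's suggestions applied (LAN subnet and resolver IP are hers).
HARDENED_RULES = """
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j MASQUERADE
iptables -A OUTPUT -o eth0 -p udp -d 8.8.8.8 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p udp -s 8.8.8.8 --sport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -j LOG --log-level 4 --log-prefix 'InDrop '
iptables -A INPUT -i eth0 -j DROP
"""

def parse_rule(line):
    """Map each option of one iptables command to its value (True for bare flags)."""
    toks, opts, i = shlex.split(line), {}, 1
    while i < len(toks):
        if toks[i].startswith("-"):
            has_value = i + 1 < len(toks) and not toks[i + 1].startswith("-")
            opts[toks[i]] = toks[i + 1] if has_value else True
            i += 2 if has_value else 1
        else:
            i += 1  # skips the program name and the "!" of a negated match
    return opts

def lint(rules_text):
    """Return (finding, rule) pairs; an empty list means none of the three issues is present."""
    findings, prev = [], None
    for line in rules_text.strip().splitlines():
        o = parse_rule(line)
        # 1. MASQUERADE with no -s: anything that reaches the box gets NATed, not just the LAN.
        if o.get("-j") == "MASQUERADE" and "-s" not in o:
            findings.append(("masquerade-any-source", line))
        # 2. Filter-table DNS rule with no -s/-d: port 53 traffic is allowed from/to any host.
        if "-t" not in o and "53" in (o.get("--sport"), o.get("--dport")) \
                and not ({"-s", "-d"} & o.keys()):
            findings.append(("dns-any-peer", line))
        # 3. DROP not immediately preceded by a LOG rule in the same chain: silent discards.
        if o.get("-j") == "DROP" and not (prev and prev.get("-A") == o.get("-A") and prev.get("-j") == "LOG"):
            findings.append(("drop-without-log", line))
        prev = o
    return findings
```

Running `lint(ORIGINAL_RULES)` reports all three issue types (the DNS one twice, once per direction), while `lint(HARDENED_RULES)` returns an empty list.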