If you're already behind a router (often a DSL modem) you might be 'double NATting' if you don't configure it right. I never like to mix uses, but it can work. My recommendation would be to take an older piece of hardware and install SME Server (if you want a directory server/file server for Windows), or one of these firewall distributions if you don't: Smoothwall, Endian Firewall, or IPCop.

On SME Server the Windows machines need a registry patch (especially Vista+): http:///server-resources/regedit/

On Tue, Aug 7, 2012 at 9:36 PM, Lisa Kachold wrote:
> Hi Derek,
>
> How are you?
>
> We didn't really cover if you are using a singular DSL device or a small switch/DSL modem on the upstream?
>
> So if you have your two boxes (Ladmo and Wallace) connected via a crossover cable or small switch to eth1 on Wallace, which has eth0 connected to your DSL, that's good.
>
> If you have both boxes connected to the DSL switch/modem, there might be a problem?
>
> The best way to verify your settings is via nmap from outside.
>
> Assumptions without real tests are the basis of bad security everywhere.
>
> nmap each server from the other server. Run an nmap from a shell or Linux box externally.
>
> Also run this tool on the Windows system to verify what is really running:
>
> http://www.youtube.com/watch?v=Kh4UeGfzO9o&playnext=1&list=PL908F54F9D05EE965&feature=results_video
>
> See my comments below:
>
> On Mon, Aug 6, 2012 at 11:06 PM, Derek Trotter wrote:
>
>> Recently I got DSL and decided to have my Linux box pass on traffic to my Windows box rather than buying a firewall. I did the research online and figured out how to make everything work like I wanted. Is there anything I've done wrong? Does anyone have any suggestions to improve it? Below is what I put into rc.local, including comments in case I forget later what each part does. Wallace is the Linux box. Ladmo is the Windows box. Thanks.
>>
> You can tighten up your source and destination by network subnet also:
>
> iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 ! -d 10.0.1.0/24 -j MASQUERADE
>
>> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>> iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
>> iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
>> # The 3 above allow for NAT and forwarding to Ladmo. This allows me to do stuff online from Ladmo.
>>
>> iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 40998 -j DNAT --to 192.168.0.2:40998
>> # Allows bittorrent clients on the net to contact mine.
>>
>> iptables -A OUTPUT -o eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
>> iptables -A INPUT -i eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
>> # Allows me to surf the web from Wallace.
>>
>> iptables -A OUTPUT -o eth0 -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
>> iptables -A INPUT -i eth0 -p tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT
>> iptables -A OUTPUT -o eth0 -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
>> iptables -A INPUT -i eth0 -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
>> # Allows DNS to work on Wallace.
>>
> # Opening both TCP and UDP DNS (from EVERYONE) will allow me to do all sorts of nefarious things via DNS (trusted port) attack:
> # http://cipherdyne.org/blog/2008/07/mitigating-dns-cache-poisoning-attacks-with-iptables.html
> # http://www.watchguard.com/training/lss/60/Proxies/proxies9.htm
> # http://www.exploit-db.com/exploits/16748/
> # At the very least, open instead source and destination UDP only to your DNS servers and use random ports:
>
> iptables -A INPUT -p udp -s 8.8.8.8 --sport 1024:65535 -d 192.168.1.23 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -p udp -s 192.168.1.23 --sport 53 -d 8.8.8.8 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
> iptables -A INPUT -p udp -s 8.8.8.8 --sport 53 -d 192.168.1.23 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -p udp -s 192.168.1.23 --sport 53 -d 8.8.8.8 --dport 53 -m state --state ESTABLISHED -j ACCEPT
>
> # Add logging: you need both rules
> iptables -A INPUT -j LOG --log-level 4 --log-prefix 'InDrop '
>
>> iptables -A INPUT -i eth0 -j DROP
>> # Drops unwanted incoming packets.
>> ---------------------------------------------------
>
> Adding a list of RFC 1419 private IP addresses might be nice, but if you tighten up your NAT masquerade rule, they won't be necessary.
>
> Also, if you can access the web via port 443, I would be worried that you are getting packets from a switch on the other port eth1 outbound/inbound?
>
> Test it...
>
> --
> (503) 754-4452 Android
> (623) 239-3392 Skype
> (623) 688-3392 Google Voice
> Safeway.com
> Automation Engineer
>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
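As an added illustration (this is not code from the thread, nor Lisa's or Derek's), here is a small Python lint that reads an rc.local-style list of iptables commands and reports the kinds of weaknesses Lisa points out: a MASQUERADE rule with no source subnet, INPUT ACCEPT rules that have no -s and so trust "everyone", a DNAT that still depends on FORWARD, and a final INPUT DROP with no LOG rule ahead of it. The sample rule set inside it is a constructed excerpt modelled on Derek's rc.local; the 192.168.0.0/24 subnet in the tightened variant is an assumption inferred from his DNAT target, and the 8.8.8.8 resolver is taken from Lisa's reply.

```python
"""Static lint for a hand-written iptables rule set (added example, not from the
thread).  It parses 'iptables ...' lines and flags rules that accept or NAT from
any source where a subnet or peer address could have been given, plus a DROP
that is not preceded by a LOG rule."""

import shlex
from typing import Dict, List

# Options that take exactly one argument; anything else is treated as a flag.
ONE_ARG = {"-t", "-A", "-I", "-i", "-o", "-s", "-d", "-p", "-j", "-m",
           "--dport", "--sport", "--state", "--to", "--to-destination",
           "--log-prefix", "--log-level"}


def parse_rule(line: str) -> Dict[str, str]:
    """Turn one 'iptables ...' line into an option -> value dict.
    A leading '!' is folded into the next option as a '!' prefix on its value,
    so '! -d 10.0.1.0/24' becomes {'-d': '!10.0.1.0/24'}."""
    toks = shlex.split(line)
    rule: Dict[str, str] = {"-t": "filter"}     # iptables' default table
    negate = False
    i = 1                                         # skip the 'iptables' word
    while i < len(toks):
        tok = toks[i]
        if tok == "!":
            negate = True
            i += 1
            continue
        if tok in ONE_ARG:
            rule[tok] = ("!" if negate else "") + toks[i + 1]
            i += 2
        else:
            rule[tok] = ""
            i += 1
        negate = False
    return rule


def lint(script: str) -> List[str]:
    """Return one finding per questionable rule, in rule order."""
    rules = [parse_rule(l) for l in script.splitlines()
             if l.strip().startswith("iptables")]
    findings: List[str] = []
    seen_log_on_input = False
    for r in rules:
        chain, target = r.get("-A"), r.get("-j")
        states = set(r.get("--state", "").split(",")) - {""}
        if target == "MASQUERADE" and "-s" not in r:
            findings.append("MASQUERADE without -s: any source that reaches "
                            "POSTROUTING is NATed, not just the LAN subnet")
        if chain == "INPUT" and target == "ACCEPT" and "-s" not in r:
            what = f"{r.get('-p', 'any')} sport {r.get('--sport', 'any')}"
            if "NEW" in states:
                findings.append(f"INPUT ACCEPT ({what}) admits NEW connections "
                                "from any source address")
            else:
                findings.append(f"INPUT ACCEPT ({what}) has no -s; restrict it "
                                "to the peer (e.g. your resolver) where possible")
        if chain == "INPUT" and target == "LOG":
            seen_log_on_input = True
        if chain == "INPUT" and target == "DROP" and not seen_log_on_input:
            findings.append("INPUT DROP is not preceded by a LOG rule; dropped "
                            "packets will leave no trace")
        if target == "DNAT":
            findings.append(f"DNAT exposes {r.get('-p')}/{r.get('--dport')} to "
                            f"{r.get('--to', r.get('--to-destination'))}; FORWARD "
                            "must still let NEW connections through to it")
    return findings


# Constructed excerpt modelled on the rc.local posted in the thread.
SAMPLE_RC_LOCAL = """
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 40998 -j DNAT --to 192.168.0.2:40998
iptables -A OUTPUT -o eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -j DROP
"""

# Constructed tightened variant: LAN subnet (assumed 192.168.0.0/24) on the
# MASQUERADE, resolver pinned on the DNS reply rule, LOG before DROP.
TIGHTENED = """
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -j MASQUERADE
iptables -A INPUT -i eth0 -p udp -s 8.8.8.8 --sport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -j LOG --log-level 4 --log-prefix 'InDrop '
iptables -A INPUT -i eth0 -j DROP
"""

if __name__ == "__main__":
    for name, script in (("original", SAMPLE_RC_LOCAL), ("tightened", TIGHTENED)):
        print(f"== {name}: {len(lint(script))} finding(s)")
        for f in lint(script):
            print("  -", f)
```

The lint is deliberately textual: it reads the commands as written in rc.local rather than the live ruleset, so it can be run on any box before the rules are loaded. It does not replace Lisa's advice to nmap the host from outside; that is the test of what the kernel actually does with the rules.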