firewall

Matt Graham danceswithcrows at usa.net
Tue Aug 7 10:08:31 MST 2012


From: Derek Trotter <expat.arizonan at gmail.com>
> Recently I got dsl and decided to have my linux box pass on traffic to 
> my windows box rather than buying a firewall. 
[snip] 
> iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 40998 -j DNAT --to 192.168.0.2:40998
> # packets on port 40998 forwarded to internal windows machine

That's what the above iptables rule is actually doing.  No real problems, just
that you'll have to use a different port if you're using bittorrent on the
Linux box.

> iptables -A OUTPUT -o eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A INPUT -i eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
> # Allows me to surf the web from windows box
[snip similar rules for port 53 tcp/udp]

You'll probably want a similar rule for port 443, unless you never use HTTPS
from the windows box.

> iptables -A INPUT -i eth0 -j DROP

Putting a default DROP like that at the end of INPUT is OK, you just have to
make sure you allow all the things you'll need to access from outside.  Like
ssh, or a VPN, or other stuff like apache/postfix.  It's annoying to iptables
yourself out of your home box from outside.  There are other things that often
get done to INPUT, like blocking incoming from 10.0.0.0, 192.168.0.0,
127.0.0.0, and multicast, but having a default DROP sort of covers all of
those....

-- 
Matt G / Dances With Crows
The Crow202 Blog:  http://crow202.org/wordpress/
There is no Darkness in Eternity/But only Light too dim for us to see
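The points raised in this reply (a 443 rule alongside 80, every inbound service you need accepted before the trailing DROP on INPUT, and dropping private/loopback source addresses on the outside interface) fit together into one small script. The script below is an added example and is not from the thread or from either poster; it assumes the outside interface is eth0, the LAN is 192.168.0.0/24 with the Windows box at 192.168.0.2, ssh on port 22, and the forwarded port 40998 from the quoted rule. `IPT` defaults to a dry run that only prints the commands, so it can be inspected offline; run it with `IPT=iptables` as root to apply the rules. The FORWARD and MASQUERADE rules are added because forwarding to the Windows box needs them; they were not part of the quoted ruleset.

```shell
#!/bin/sh
# Added example, not code from the original thread.
# IPT defaults to "echo iptables" (dry run); set IPT=iptables to apply.
# Interface names and addresses below are assumptions for this example.
IPT="${IPT:-echo iptables}"
WAN="${WAN:-eth0}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"
WIN_BOX="${WIN_BOX:-192.168.0.2}"
FWD_PORT="${FWD_PORT:-40998}"

# Everything this box must accept from outside goes BEFORE the final DROP,
# otherwise you lock yourself out of your own machine.
inbound_services() {
    # ssh from outside (narrow the source address if you can)
    $IPT -A INPUT -i "$WAN" -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
    # replies to connections this box opened (covers the --sport 80 style rules)
    $IPT -A INPUT -i "$WAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Private, loopback and multicast sources should never arrive on the WAN side;
# the trailing DROP catches them anyway, but dropping them early is explicit.
martian_filter() {
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 224.0.0.0/4; do
        $IPT -A INPUT -i "$WAN" -s "$net" -j DROP
    done
}

# Outbound web and DNS; 443 is included so HTTPS works, not only port 80.
outbound_web() {
    for port in 80 443 53; do
        $IPT -A OUTPUT -o "$WAN" -p tcp --dport "$port" -m state --state NEW,ESTABLISHED -j ACCEPT
    done
    $IPT -A OUTPUT -o "$WAN" -p udp --dport 53 -j ACCEPT
}

# Forward one port to the Windows box; DNAT alone is not enough, the
# FORWARD chain and outbound NAT are needed too.
port_forward() {
    $IPT -t nat -A PREROUTING -i "$WAN" -p tcp --dport "$FWD_PORT" \
        -j DNAT --to-destination "$WIN_BOX:$FWD_PORT"
    $IPT -A FORWARD -i "$WAN" -p tcp -d "$WIN_BOX" --dport "$FWD_PORT" -j ACCEPT
    $IPT -A FORWARD -i "$WAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -s "$LAN_NET" -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
}

# Emits (or applies) the whole ruleset in order; the catch-all DROP is last.
build_ruleset() {
    $IPT -F
    $IPT -t nat -F
    $IPT -A INPUT -i lo -j ACCEPT
    martian_filter
    inbound_services
    outbound_web
    port_forward
    $IPT -A INPUT -i "$WAN" -j DROP
}

# Sanity check on the dry-run output: the last INPUT rule must be the DROP.
drop_is_last() {
    build_ruleset | grep -- '-A INPUT' | tail -n 1 | grep -q -- '-j DROP$'
}

build_ruleset
```

Run it once as a dry run and read the output top to bottom: any service you expect to reach from outside must appear as an ACCEPT above the final `-A INPUT -i eth0 -j DROP`, which is exactly the check `drop_is_last` performs on the generated rules.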
