Blue|Fusion
Posted: Mon, 14 May 2007 11:02:31
Thanks for the replies. Prior to using the PC-as-router, the Linksys router allowed me to view Apache via the WAN IP, and I'm trying to emulate that. For now I do have it set in the hosts file, but hopefully only temporarily.
Here are the current iptables rules I have in place. I got these rules from the Gentoo documentation link I posted above.
Code:
```bash
#!/bin/bash
# eth0 = LAN side, eth1 = WAN side (as the MASQUERADE and DNAT rules below imply)

#First we flush our current rules
iptables -F
iptables -t nat -F
iptables -t mangle -F

#Setup default policies to handle unmatched traffic
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

#Then we lock our services so they only work from the LAN
# (-I INPUT 1 inserts at the top of the chain, so these two are evaluated first)
iptables -I INPUT 1 -i eth0 -j ACCEPT
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -A INPUT -p UDP --dport bootps -i eth1 -j REJECT
iptables -A INPUT -p UDP --dport domain -i eth1 -j REJECT

#(Optional) Allow access to our ssh server from the WAN
#iptables -A INPUT -p TCP --dport ssh -i eth1 -j ACCEPT

#Drop TCP / UDP packets to privileged ports
# (ports above 1023 arriving on eth1 still fall through to the INPUT ACCEPT policy)
iptables -A INPUT -p TCP -i eth1 -d 0/0 --dport 0:1023 -j DROP
iptables -A INPUT -p UDP -i eth1 -d 0/0 --dport 0:1023 -j DROP

#Finally we add the rules for NAT
iptables -I FORWARD -i eth0 -d 10.1.1.0/24 -j DROP
iptables -A FORWARD -i eth0 -s 10.1.1.0/24 -j ACCEPT
iptables -A FORWARD -i eth1 -d 10.1.1.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

#HTTP forwarding to an internal host
iptables -t nat -A PREROUTING -p tcp --dport http -i eth1 -j DNAT --to 10.1.1.20
```
Like I said, these do their job for NAT and firewalling the LAN, but I want to ensure the router box itself is secure on the eth1 interface.

_________________
5 home-built PCs, ASUS A6Jc Laptop, and a PowerEdge 2650 - all running Gentoo. Now if only I can get a car and plane to run it. Take a look at my Gallery!
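To check what the posted INPUT chain actually lets through to the router itself from the WAN side, here is a small Python model of that chain (an added example, not code from the post or from the Gentoo guide). It assumes eth1 is the WAN interface, as the MASQUERADE and DNAT rules imply, and the probe ports are constructed.

```python
"""Toy model of the posted INPUT chain: what reaches services on the router
itself from the WAN side (eth1)? Added example, not from the original post.
It models only interface / protocol / dport matches plus the chain policy;
connection tracking, the nat table and the FORWARD chain are ignored."""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    iface: Optional[str]     # -i; None matches any interface
    proto: Optional[str]     # -p; None matches any protocol
    dports: Optional[range]  # --dport as a range; None matches any port
    target: str              # ACCEPT, DROP or REJECT

def matches(rule, iface, proto, dport):
    return ((rule.iface is None or rule.iface == iface)
            and (rule.proto is None or rule.proto == proto)
            and (rule.dports is None or dport in rule.dports))

def verdict(chain, policy, iface, proto, dport):
    """First matching rule wins; otherwise the chain policy applies."""
    for rule in chain:
        if matches(rule, iface, proto, dport):
            return rule.target
    return policy

# The posted INPUT chain in evaluation order: both `-I INPUT 1` rules land at
# the top (lo was inserted last, so it sits above eth0), then the -A rules.
POSTED_INPUT = [
    Rule("lo", None, None, "ACCEPT"),
    Rule("eth0", None, None, "ACCEPT"),
    Rule("eth1", "udp", range(67, 68), "REJECT"),  # bootps
    Rule("eth1", "udp", range(53, 54), "REJECT"),  # domain
    Rule("eth1", "tcp", range(0, 1024), "DROP"),   # privileged TCP ports
    Rule("eth1", "udp", range(0, 1024), "DROP"),   # privileged UDP ports
]
POLICY = "ACCEPT"  # iptables -P INPUT ACCEPT

# Hardened variant (an assumption, not from the post): the same rules plus a
# catch-all DROP for everything else arriving on eth1, so WAN traffic never
# falls through to the ACCEPT policy. A real ruleset would put a conntrack
# ESTABLISHED,RELATED accept in front of it so the router's own replies work.
HARDENED_INPUT = POSTED_INPUT + [Rule("eth1", None, None, "DROP")]

def wan_verdicts(chain):
    """Verdicts for a few constructed probes arriving on eth1."""
    probes = {"ssh": ("tcp", 22), "dns": ("udp", 53),
              "high-tcp": ("tcp", 8080), "high-udp": ("udp", 5353)}
    return {n: verdict(chain, POLICY, "eth1", p, d) for n, (p, d) in probes.items()}
```

With the posted rules, anything listening on a port above 1023 on the router is reachable from eth1 because the INPUT policy is ACCEPT; the DNAT'd HTTP traffic is unaffected by the hardened variant since it traverses FORWARD, not INPUT.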