I'm on a DSL with several computers on a LAN going through an ip_masq-ing Linux box for web & etc. The Linux system is also our LAN's file, print, and web server. The web server is accessible to the rest of the internet, and I want to be able to ssh from work too, but I don't want anything else accessible from the internet side.

What I'm thinking of doing is creating my own ipchains/firewall rules along these lines:

EXTERNALIF="eth0"   # connected to DSL modem
EXTERNALIP=ip.my.isp.gave.me
INTERNALIF="eth1"   # connected to LAN hub
INTERNALIP="192.168.42.68"
INTERNALNET="192.168.42/24"

/sbin/ipchains -P input ACCEPT
/sbin/ipchains -A input -i $EXTERNALIF -s $INTERNALNET -j DENY -l
/sbin/ipchains -P output ACCEPT
/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -i $EXTERNALIF -s $INTERNALNET -j MASQ

/sbin/ipchains -N internal
/sbin/ipchains -N external
/sbin/ipchains -A input -d $EXTERNALIP -i $EXTERNALIF -j external
/sbin/ipchains -A input -d $INTERNALIP -i $INTERNALIF -j internal

## stuff I want to allow access to from the internet goes here
# incoming web requests
/sbin/ipchains -I external -p tcp -d 0/0 80 -j RETURN
# returns from local requests
/sbin/ipchains -I external -p tcp -s 0/0 80 -j RETURN
# incoming ssh connections
/sbin/ipchains -I external -p tcp -d 0/0 22 -j RETURN
# allow returns from our DNS requests
/sbin/ipchains -I external -p udp -s 0/0 53 -j RETURN
/sbin/ipchains -I external -p tcp -s 0/0 53 -j RETURN
# mail
...
# icmp stuff for returns from outgoing pings & traceroute
...
# other etc etc
# ...
/sbin/ipchains -A external -j DENY

## stuff I want to deny access to from the LAN goes here
## with a "-j REJECT"
# (none)
/sbin/ipchains -A internal -j RETURN

I started trying to do everything in the "input" chain but that quickly got out of hand due to the different policies on the "internal" and "external" interfaces.
This way is conceptually easier, but I'm still concerned about things like performance (on a 233MHz K6), since by the time I'm done I'll probably have a couple dozen rules in the external chain.

So, apart from the fact that I'm using my server as a firewall, anyone see any problems with this scheme? Is this a stupid idea or am I actually making some kind of sense?

Note I haven't actually implemented any of this yet since I'm remotely logged in at the moment. ;)

-John
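An added example for reviewing a ruleset like the one in the post; it is not the poster's script or any SuSE tool. It replays the ipchains commands in a constructed copy of the rules (the "..." sections left out, 203.0.113.5 standing in for the ISP-assigned address) and then answers two questions a reviewer would ask before loading the rules. First, what order does the "external" chain really end up in: -I with no position inserts at the head, so the chain is the reverse of the script order, and the RETURN rules must all sit before the appended catch-all DENY. Second, which rules pass traffic on source port alone: ipchains has no connection tracking, so "-p tcp -s 0/0 80 -j RETURN" matches every packet whose sender chose source port 80, new connections included, unless the rule carries "! -y" (match only packets that are not TCP SYNs); UDP has no such flag, so the DNS reply rule stays open by nature.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed copy of the post's rules ("..." parts left out, placeholder WAN address).
SCRIPT = r'''
EXTERNALIF="eth0"
EXTERNALIP=203.0.113.5
INTERNALNET="192.168.42/24"
/sbin/ipchains -P input ACCEPT
/sbin/ipchains -A input -i $EXTERNALIF -s $INTERNALNET -j DENY -l
/sbin/ipchains -N external
/sbin/ipchains -A input -d $EXTERNALIP -i $EXTERNALIF -j external
/sbin/ipchains -I external -p tcp -d 0/0 80 -j RETURN
/sbin/ipchains -I external -p tcp -s 0/0 80 -j RETURN
/sbin/ipchains -I external -p tcp -d 0/0 22 -j RETURN
/sbin/ipchains -I external -p udp -s 0/0 53 -j RETURN
/sbin/ipchains -I external -p tcp -s 0/0 53 -j RETURN
/sbin/ipchains -A external -j DENY
'''
SIMPLE = {"-p": "proto", "-i": "iface", "-j": "target"}   # options taking one value

@dataclass
class Rule:
    proto: str = "all"
    src: str = "0/0"
    sport: Optional[str] = None
    dst: str = "0/0"
    dport: Optional[str] = None
    iface: Optional[str] = None
    target: Optional[str] = None
    syn: Optional[bool] = None   # True for "-y" (SYN packets only), False for "! -y"

def _parse_rule(args):
    rule, i, negate = Rule(), 0, False
    while i < len(args):
        tok = args[i]
        if tok == "!":
            negate, i = True, i + 1
            continue
        if tok in SIMPLE:
            setattr(rule, SIMPLE[tok], args[i + 1].lower() if tok == "-p" else args[i + 1])
            i += 2
        elif tok in ("-s", "-d"):                     # address, then an optional port
            addr, port, i = args[i + 1], None, i + 2
            if i < len(args) and not args[i].startswith(("-", "!")):
                port, i = args[i], i + 1
            if tok == "-s":
                rule.src, rule.sport = addr, port
            else:
                rule.dst, rule.dport = addr, port
        elif tok == "-l":                             # log the match; no filtering effect
            i += 1
        elif tok == "-y":
            rule.syn, i = not negate, i + 1
        else:
            raise ValueError(f"unsupported ipchains option: {tok}")
        negate = False
    return rule

def build_chains(script):
    """Replay the script in order; returns ({chain: [Rule, ...]}, {chain: policy})."""
    env, chains, policies = {}, {}, {}
    for raw in script.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        assign = re.fullmatch(r"(\w+)=(.*)", line)
        if assign:                                    # shell variable used by later rules
            env[assign.group(1)] = assign.group(2).strip().strip("\"'")
            continue
        _, op, chain, *rest = re.sub(r"\$(\w+)", lambda m: env[m.group(1)], line).split()
        if op == "-P":
            policies[chain] = rest[0]
        elif op == "-N":
            chains[chain] = []
        elif op in ("-A", "-I"):                      # -I without a position: head of chain
            lst = chains.setdefault(chain, [])
            lst.insert(0 if op == "-I" else len(lst), _parse_rule(rest))
        else:
            raise ValueError(f"unsupported ipchains command: {op}")
    return chains, policies

def inbound_ports_allowed(chains, chain="external"):
    """(proto, dst port) pairs passed by RETURN/ACCEPT before the catch-all DENY."""
    allowed = set()
    for r in chains[chain]:
        if r == Rule(target="DENY"):                  # DENY with no match criteria
            break
        if r.target in ("RETURN", "ACCEPT") and r.dport is not None:
            allowed.add((r.proto, r.dport))
    return allowed

def source_port_only_passes(chains, chain="external"):
    """Pass rules keyed on source port alone and not limited to non-SYN packets
    by '! -y'; ipchains is stateless, so these also admit new inbound connections."""
    return [(r.proto, r.sport) for r in chains[chain]
            if r.target in ("RETURN", "ACCEPT") and r.sport is not None
            and r.dport is None and r.syn is not False]
```

Running build_chains(SCRIPT) gives an external chain of tcp/53, udp/53, tcp/22, tcp/80 (source), tcp/80 (destination), DENY; inbound_ports_allowed reports only tcp/80 and tcp/22 reachable from outside, and source_port_only_passes lists the two tcp reply rules plus the udp DNS rule. Rewriting the tcp reply rules as "-p tcp ! -y -s 0/0 80 -j RETURN" takes them off that list, which is the hardening the ipchains HOWTO recommends for stateless reply rules.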
participants (1)
-
jmgrant@primenet.com