Hi all,

I want to set up a firewall to secure my private network. This network includes about 5-6 computers running Linux and Windows. I decided to use netfilter (iptables) with the new 2.4.2 kernel, which I compiled on my Pentium today. Now I have a question about the new iptables and the connection tracking module: I want to set a default policy for all chains (at first INPUT, OUTPUT and FORWARD) to DENY. Now, for example, I want to allow an ssh connection from the internet to my firewall. (I want the firewall to be the gate to my local Linux computers. I mean, if anyone wants to ssh to my private computers, he can only get a connection if he first connects to the firewall and then connects to the target computer in my network.) Is this a good idea? So I don't have to allow ssh to any of my computers in the local net, only to the firewall! What do you think about this?

Now the problem: if I use connection tracking for ssh:

iptables -A INPUT -p tcp --dport 22 -s 0.0.0.0/0 -d $FIREWALLHOST -m state --state NEW,ESTABLISHED,RELATED -i eth0 -j ACCEPT

In this rule I would accept all connections coming from the internet to my firewall at port 22 and all packets related to this connection. Right?! Should I now add a rule to the OUTPUT chain too, or is any outgoing connection related to the ssh rule in INPUT above accepted now?

thanks for your help,
Marco
--
Marco Ahrendt              phone : +49-341-98-474-0
adconsys AG                fax   : +49-341-98-474-59
Karl-Liebknecht-Str. 19    email : marco.ahrendt@adconsys.de
04107 Leipzig/Germany      gnupg key at www.aktex.net/marco_work.asc
Marco Ahrendt
> Hi all,
>
> I want to set up a firewall to secure my private network. This network includes about 5-6 computers running Linux and Windows. I decided to use netfilter (iptables) with the new 2.4.2 kernel, which I compiled on my Pentium today. Now I have a question about the new iptables and the connection tracking module: I want to set a default policy for all chains (at first INPUT, OUTPUT and FORWARD) to DENY. Now, for example, I want to allow an ssh connection from the internet to my firewall. (I want the firewall to be the gate to my local Linux computers. I mean, if anyone wants to ssh to my private computers, he can only get a connection if he first connects to the firewall and then connects to the target computer in my network.) Is this a good idea?

I do not think so. On your firewall only those services should run that are required for the firewall. If you really need to allow ssh to your internal network from an untrusted net, try port forwarding to _one_ machine in your internal network, but _not_ to the firewall. Then your users can log in to that machine, but I would not give them a normal shell on that computer, only ssh to other machines...

> So I don't have to allow ssh to any of my computers in the local net, only to the firewall! What do you think about this? Now the problem: if I use connection tracking for ssh:
>
> iptables -A INPUT -p tcp --dport 22 -s 0.0.0.0/0 -d $FIREWALLHOST -m state --state NEW,ESTABLISHED,RELATED -i eth0 -j ACCEPT
>
> In this rule I would accept all connections coming from the internet to my firewall at port 22 and all packets related to this connection. Right?! Should I now add a rule to the OUTPUT chain too, or is any outgoing connection related to the ssh rule in INPUT above accepted now?

No. You need an additional rule for OUTPUT. But, as said above, I do not think that this would be a good idea. If you want to secure your private network, do not allow ssh from outside.

HTH
Martin
--
martin.peikert@innominate.com
innominate AG, the linux architects
tel: +49-30-308806-0  fax: -77
http://www.innominate.com
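The following script is an added example, not code from either poster, showing the point Martin makes: with a DROP default policy, the INPUT rule alone is not enough, because sshd's replies traverse OUTPUT and need their own ESTABLISHED,RELATED rule. It also contrasts Marco's variant (sshd on the firewall) with Martin's (port 22 forwarded to one internal host). Interface names eth0/eth1, the addresses 192.0.2.1 and 10.0.0.10, and the SSH_MODE switch are assumptions for the example; by default the script only prints the iptables commands it would run.

```shell
#!/bin/sh
# Added example (not from the original posts): a minimal stateful netfilter
# ruleset for the setup discussed in this thread. Assumed, not from the thread:
# eth0 faces the Internet, eth1 the LAN, and the addresses below are constructed.
# Dry run by default: rules are printed, not applied. To apply, run as root with
# IPT=iptables and the real interface names and addresses in the environment.
IPT="${IPT:-echo iptables}"
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
FIREWALLHOST="${FIREWALLHOST:-192.0.2.1}"   # constructed public address (TEST-NET-1)
SSH_HOST="${SSH_HOST:-10.0.0.10}"           # constructed internal ssh host

flush() {
    $IPT -F
    $IPT -t nat -F
    $IPT -X
}

# Default deny on all three filter chains. The netfilter target is DROP
# (or REJECT); the ipchains DENY target does not exist in iptables.
default_policy() {
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP
}

# Connection tracking is evaluated per chain. An ACCEPT in INPUT lets the
# client's packets in; the server's replies leave through OUTPUT and hit the
# OUTPUT policy unless OUTPUT has its own ESTABLISHED,RELATED rule.
# Forwarded connections need the same rule in FORWARD.
state_rules() {
    $IPT -A INPUT   -i lo -j ACCEPT
    $IPT -A OUTPUT  -o lo -j ACCEPT
    $IPT -A INPUT   -m state --state INVALID -j DROP
    $IPT -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Marco's variant: sshd on the firewall itself. With the generic
# ESTABLISHED,RELATED rules in place, only NEW needs to be matched here.
ssh_to_firewall() {
    $IPT -A INPUT -i "$WAN_IF" -p tcp -d "$FIREWALLHOST" --dport 22 -m state --state NEW -j ACCEPT
}

# Martin's variant: forward port 22 to one internal host instead. DNAT in
# nat/PREROUTING rewrites the destination before filter/FORWARD sees the
# packet, so the FORWARD rule matches on the internal address. IP forwarding
# (net.ipv4.ip_forward = 1) must be enabled on the firewall for this to work.
ssh_forward_to_host() {
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp -d "$FIREWALLHOST" --dport 22 -j DNAT --to-destination "$SSH_HOST:22"
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$SSH_HOST" --dport 22 -m state --state NEW -j ACCEPT
}

# Let the LAN initiate connections to the Internet, masqueraded behind the firewall.
lan_outbound() {
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -m state --state NEW -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# SSH_MODE=firewall selects Marco's variant; anything else selects Martin's.
main() {
    flush
    default_policy
    state_rules
    case "${SSH_MODE:-forward}" in
        firewall) ssh_to_firewall ;;
        *)        ssh_forward_to_host ;;
    esac
    lan_outbound
}

main
```

Run without arguments to see the generated rules; set IPT=iptables (as root) to apply them. Note that Marco's original rule matches NEW,ESTABLISHED,RELATED in INPUT, which is harmless but redundant once a chain-wide ESTABLISHED,RELATED rule exists, and that neither variant makes the OUTPUT rule unnecessary.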
participants (2)
- Marco Ahrendt
- Martin Peikert