[ale] IPtables question

Stephan Uphoff ups at tree.com
Sun Jul 11 14:04:34 EDT 2004


Forwarded traffic no longer passes the INPUT/OUTPUT rules.
iptables -A FORWARD -i eth2 -o eth1 -j DROP
( and "iptables -A INPUT -i eth2 -j DROP" to block access to the firewall)

However I think Chris wants to just block traffic originating
from the box. The rule above blocks all traffic and would prevent
him from connecting to the box from the private network.

This takes a little more effort building from scratch and I don't have
a stateful iptables script around.
( My external firewall is FreeBSD and my internal linux firewalls
for wireless just pass ESP and key-exchange packets)

Chris - You might want to hire one of the security consultants on the list
for an hour to write a script. It is really easy to make a small
stupid mistake with iptables.

	Stephan

> Just thinking out loud, and I'm sure the syntax is wrong, but what about
> rules like these?  Obviously, these are WAY too wide open.  You may want to
> allow only the port the application uses through the firewall.  But, for
> the purpose of discussion, here's a quick ruleset.
> 
> public  - eth0
> private - eth1
> dmz     - eth2
> 
> # traffic between interfaces is routed, so it goes through FORWARD (-i/-o)
> iptables -A FORWARD -i eth2 -o eth1 -j DROP     # dmz may not reach private
> iptables -A FORWARD -i eth2 -o eth0 -j ACCEPT   # dmz to public
> iptables -A FORWARD -i eth0 -o eth2 -j ACCEPT   # public to dmz
> 
> Just my $0.02.
> 
> Jonathan Glass
> 
> > I just added a 3rd nic to my linux firewall.  On that nic I have it
> > directly connected via cross-over to a server that is running an
> > application.  I did this because my customers will be using that
> > application from the Internet.  If for some reason someone was to gain
> > access to that box I do not want them to be able to come back to the
> > firewall and jump over to the 2nd nic to my company network.
> >
> > What would be a good rule that would allow all incoming traffic from
> > the outside and 2nd nic to that box but would disallow any traffic
> > originating from that machine?
> >
> > _______________________________________________
> > Ale mailing list
> > Ale at ale.org
> > http://www.ale.org/mailman/listinfo/ale
> >
> 
> 
> -- 
> Jonathan Glass
> Systems Support Specialist II
> IBB/GTEC
> Office: 404-385-0127
> Cell: 404-444-4086
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://www.ale.org/mailman/listinfo/ale
> 
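What a stateful version of the ruleset discussed in this thread could look like, as an added example that is not part of the original messages and not anyone's production script. It uses Jonathan's interface layout (eth0 public, eth1 private, eth2 dmz); the DMZ host address 192.0.2.10, the application port 443 and ssh admin access from the private side are assumptions for illustration. The script only prints the ruleset in iptables-restore format unless it is run with the argument "apply", so it can be read and checked without touching a live firewall.

```shell
#!/bin/sh
# Added example, not from the original thread. Interface names follow
# Jonathan's layout; the DMZ host address, application port and ssh
# admin port are assumptions for illustration.
PUB=eth0            # Internet
PRIV=eth1           # company network
DMZ=eth2            # cross-over cable to the application server
DMZ_HOST=192.0.2.10 # assumed address of the application server
APP_PORT=443        # assumed port customers reach the application on

# Print the ruleset in iptables-restore format (nothing is applied here).
# Default policies are DROP; only listed traffic gets through.
emit_rules() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# packets the connection tracker cannot classify never get an ACCEPT chance
-A INPUT -m state --state INVALID -j DROP
-A FORWARD -m state --state INVALID -j DROP
# traffic to the firewall itself
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $DMZ -j DROP
-A INPUT -i $PRIV -p tcp --dport 22 -m state --state NEW -j ACCEPT
# forwarded traffic: replies to already accepted connections first
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# nothing the DMZ host originates is forwarded anywhere (placed before every ACCEPT)
-A FORWARD -i $DMZ -m state --state NEW -j DROP
# Internet and company network may open connections to the application
-A FORWARD -i $PUB -o $DMZ -d $DMZ_HOST -p tcp --dport $APP_PORT -m state --state NEW -j ACCEPT
-A FORWARD -i $PRIV -o $DMZ -d $DMZ_HOST -m state --state NEW -j ACCEPT
# company network out to the Internet
-A FORWARD -i $PRIV -o $PUB -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Sanity check on the generated text: the DMZ drop must come before the
# first rule that forwards anything into or out of the DMZ. Returns 0 if so.
dmz_drop_first() {
    rules=$(emit_rules)
    drop=$(printf '%s\n' "$rules" | grep -n -- "^-A FORWARD -i $DMZ -m state --state NEW -j DROP" | cut -d: -f1)
    first=$(printf '%s\n' "$rules" | grep -n -- " $DMZ .*-j ACCEPT" | head -n 1 | cut -d: -f1)
    [ -n "$drop" ] && [ -n "$first" ] && [ "$drop" -lt "$first" ]
}

# Load the whole table atomically with iptables-restore (needs root).
apply_rules() {
    dmz_drop_first || { echo "refusing to load: DMZ drop is not first" >&2; return 1; }
    emit_rules | iptables-restore
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Two things worth knowing before loading it: the DMZ host is denied only as a connection originator, so replies to connections opened from the Internet or the company network still flow back through the ESTABLISHED,RELATED rule, and a bare mid-stream ACK from a compromised DMZ host is classified NEW by conntrack and hits the DROP. The firewall's own OUTPUT chain is left open, so the firewall itself can still reach the DMZ box for administration. On current kernels `-m conntrack --ctstate` is the preferred spelling of `-m state --state`; `iptables-restore --test < file` parses the ruleset without committing it.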



