[ale] IPtables question
Dow Hurst
Dow.Hurst at mindspring.com
Sun Jul 11 22:07:01 EDT 2004
Chris Fowler wrote:
>I just added a 3rd nic to my linux firewall. On that nic I have it
>directly connected via cross-over to a server that is running an
>application. I did this because my customers will be using that
>application from the Internet. If for some reason someone was to gain
>access to that box I do not want them to be able to come back to the
>firewall and jump over to the 2nd nic to my company network.
>
>What would be a good rule that would allow all incoming traffic from
>the outside and 2nd nic to that box but would disallow any traffic
>originating from that machine?
>
To solve this effectively, you can try using Bob's iptables rules in his
book (2nd ed.) and adapt a second set of variables for the 3rd
interface. Diagram what you want to go where in a map and work your way
thru his ruleset to make sure nothing violates the allowed pathways. I
didn't have a 3rd interface so could just test out the ruleset as is. I
only had to tweak one rule to allow incoming SSH connections to any IP
in the internal LAN and add one rule to allow access from what I called
the DMZ to a license server on the internal LAN. His egress and
loopback rules really make sense once you've worked thru them. It is
also a tested set of rules that you won't have to build yourself.
Dow
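One way to express the policy Chris asked for, as an added example that is not from the thread or from the book Dow mentions: a POSIX sh script that programs the FORWARD and INPUT chains so that the Internet and the company LAN can open connections to the application host on the third NIC, while anything that host originates is logged and dropped. The interface names (eth0 = Internet, eth1 = company LAN, eth2 = crossover to the application host), the host address 192.168.100.2 and the application port 8080 are assumptions; override them with environment variables. By default the script only prints the commands it would run; set IPT=iptables to apply them.

```shell
#!/bin/sh
# Added example: three-NIC iptables policy that isolates a single DMZ host.
# All interface names, addresses and ports below are assumptions, not values
# from the original thread.
EXT_IF=${EXT_IF:-eth0}            # assumed: Internet-facing NIC
LAN_IF=${LAN_IF:-eth1}            # assumed: company network (the "2nd nic")
DMZ_IF=${DMZ_IF:-eth2}            # assumed: crossover cable to the app host (the "3rd nic")
DMZ_HOST=${DMZ_HOST:-192.168.100.2}   # constructed address of the app host
APP_PORT=${APP_PORT:-8080}            # constructed TCP port the customers use
IPT=${IPT:-"echo iptables"}           # dry run by default; IPT=iptables to apply

dmz_rules() {
    # Nothing crosses the firewall unless a rule below allows it.
    $IPT -P FORWARD DROP
    # Replies to flows that were allowed to start may pass in either direction.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Customers on the Internet may open new connections only to the app port.
    $IPT -A FORWARD -i "$EXT_IF" -o "$DMZ_IF" -d "$DMZ_HOST" -p tcp --dport "$APP_PORT" -m state --state NEW -j ACCEPT
    # The company LAN may open new connections to the app host (any port).
    $IPT -A FORWARD -i "$LAN_IF" -o "$DMZ_IF" -d "$DMZ_HOST" -m state --state NEW -j ACCEPT
    # Any new connection the app host itself starts is logged, then dropped,
    # so a compromised host cannot reach the LAN or the Internet through us.
    $IPT -A FORWARD -i "$DMZ_IF" -m state --state NEW -j LOG --log-prefix "DMZ-EGRESS: "
    $IPT -A FORWARD -i "$DMZ_IF" -j DROP
    # The firewall itself accepts only replies on the DMZ interface; the app
    # host may not open sessions (SSH, etc.) to the firewall.
    $IPT -A INPUT -i "$DMZ_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$DMZ_IF" -j DROP
}

# Usage: sh dmz.sh show            (print the rules without applying them)
#        IPT=iptables sh dmz.sh show   (apply them for real)
case "${1:-}" in
    show) dmz_rules ;;
esac
```

The ESTABLISHED,RELATED rule must precede the DMZ drop rules, since it is what lets the app host's replies reach the customers; everything else the host sends hits the LOG and DROP pair, and the log prefix makes a compromised host's outbound attempts easy to spot in syslog.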