From: Mick <michaelkintzios@lycos.co.uk>
To: gentoo-user@lists.gentoo.org
Subject: [gentoo-user] Re: iptables advice for stand alone box under different usage scenarios
Date: Thu, 08 Sep 2005 20:58:33 +0000
Message-ID: <dfq54n$mh7$1@sea.gmane.org>
In-Reply-To: 00e201c5b497$93b4acc0$0a00a8c0@butthead
Thanks Nebinger!
Dave Nebinger wrote:
> Okay, Mike, here goes...
>
> For the gentoo box to act as the router/gateway/hub, you need more than
> one ethernet card in the box.
OK, but under the ADSL connection scenario (diagram A) I already have a
hardware router/gateway, so do I still need a two card configuration? What
I am trying to do is protect the Gentoo box from other boxes in the LAN
(behind the Netgear router), or when connected to the Internet via dialup
then protect it from other internet machines.
> As for the firewall questions, your rules are going to fall into a couple
> of different flavors:
>
> a) desktop only: For this setup you're basically going to block all
> incoming traffic, allow all outbound traffic and existing traffic.
> Forwarding is not an issue.
Right, is that tight enough? I mean, shouldn't I accept only specific
outgoing protocols/ports and then be blocking everything else which might
try to get out? I'm thinking here in trojan terms and the way certain
M$Windoze 'personal firewalls' are usually set up.
> b) server: For this setup it's pretty much like the desktop except you'll
> allow incoming traffic on the ports that you wish to serve, i.e. mail,
> pop3, etc. Again forwarding is not needed in this scenario.
Understood.
> c) gateway: For the pure gateway system, this one is a little trickier.
> All outbound and established traffic should be allowed, and incoming
> traffic is only allowed for the services you're going to provide. The
> tricky part is that now your rules need to operate on the FORWARD chain
> and manage the snat/dnat/masquerade stuff.
Not sure I need one of those, except as you describe below.
> d) combination: The combo system wraps service providing and gateway (and
> possibly desktop) into one box. This setup is similar to the server
> scenario, except it also must include the gateway type rules to ensure
> that internal entities can get to the outside & back.
I guess that I'll need some sort of a combo setup if I am to use the Gentoo
box as a server to be accessed both by machines in the WAN and by PC/laptop
in my LAN. On the other hand, I am thinking that all this
masquerading/IPforwarding and NATing could be achieved by my Netgear?
> As in the other iptables threads going on now, I would suggest a tool like
> shorewall. I haven't heard anything bad about fwbuilder, but I can affirm
> that the documentation provided with shorewall is top-notch and pretty
> easy to get your brain around. I can even help define the config for
> shorewall if you need it.
>
> Hope this helps!
Yes it does, thanks again. :-)
--
Regards,
Mick
--
gentoo-user@gentoo.org mailing list
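The four rule "flavours" Dave lists (desktop, server, gateway, combo), as an added shell example that is not part of the thread: a small generator that prints the iptables commands for each mode rather than applying them, so the rule set can be reviewed before being run as root. The interface names eth0/eth1 and the served ports are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Prints iptables commands for one of
# the four modes instead of executing them (pipe to sh as root to apply).
WAN=eth0   # assumed Internet-facing (dialup/ADSL) interface
LAN=eth1   # assumed LAN-facing interface, used only in gateway/combo mode

# Shared baseline: drop unsolicited incoming, allow loopback, allow
# outbound and any traffic belonging to connections we already opened.
common_rules() {
    echo "iptables -F"
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# server: additionally accept new connections on the served TCP ports
# (from any interface, so LAN and WAN clients can both reach them)
server_rules() {
    for p in "$@"; do
        echo "iptables -A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
}

# gateway: forward LAN->WAN, allow only replies back WAN->LAN, masquerade
gateway_rules() {
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    echo "iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT"
    echo "iptables -A FORWARD -i $WAN -o $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE"
}

# gen_rules MODE [PORT...]   MODE is desktop, server, gateway or combo
gen_rules() {
    mode=$1; shift
    common_rules
    case "$mode" in
        desktop) ;;
        server)  server_rules "$@" ;;
        gateway) gateway_rules ;;
        combo)   server_rules "$@"; gateway_rules ;;
        *) echo "unknown mode: $mode" >&2; return 1 ;;
    esac
}

# count_rules MODE [PORT...]: number of iptables commands a mode generates
count_rules() { gen_rules "$@" | grep -c '^iptables'; }
```

For example, `gen_rules combo 25 110` prints the server rules for SMTP and POP3 plus the FORWARD and masquerade rules in one reviewable listing.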