RE: Linux hardware firewall question

From: Lee Leahu (lee@ricis.com)
Date: 02/27/02


Date: Wed, 27 Feb 2002 11:40:30 -0600
To: security-basics@securityfocus.com
From: Lee Leahu <lee@ricis.com>

Hi.

I have at home a small network of 4 computers hooked up to an 8-port Netgear 10/100 switch,
which then feeds into my Linux router/firewall, which feeds into my 3Com cable modem, which
feeds into AT&T's cable modem network.

My Linux firewall/router is basically a Pentium 233 MMX with 64 MB of RAM and an 8 GB hard drive.

I wrote a script called 'firewall' and chmod +x'd it.

<snip>
# allow packet forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# flush tables
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT
iptables -t nat -F PREROUTING
iptables -t nat -F POSTROUTING
iptables -t nat -F OUTPUT

# allow packets from my work
iptables -A INPUT -i eth0 -s 64.244.234.0/23 -j ACCEPT

# log and drop everything else connecting TO my firewall
iptables -A INPUT -i eth0 -m state --state NEW,INVALID -j LOG --log-prefix " input-drop "
iptables -A INPUT -i eth0 -m state --state NEW,INVALID -j DROP

# allow certain packets through to internal computers
iptables -A FORWARD -i eth0 -p tcp --dport 4000 -j ACCEPT
iptables -A FORWARD -i eth0 -p tcp --sport 5190 -j ACCEPT
iptables -A FORWARD -i eth0 -p tcp --dport 1214 -j ACCEPT

# log and drop everything else
iptables -A FORWARD -i eth0 -m state --state NEW,INVALID -j LOG --log-prefix " forward-drop "
iptables -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP

# setup masquerading for outgoing traffic (only on the external interface, eth0,
# so that traffic leaving towards the LAN is not rewritten as well)
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
</snip>

This setup has basically worked fine so far. If anyone has any suggestions on my setup,
I am open to suggestions.

At 02:53 2002-02-26, you wrote:
>I operate a small network of about 5 computers and am considering setting up
>a PC to operate as a firewall/router for the network. The network does not
>receive much traffic at all, and I am trying to figure out, hardware-wise, what I need.
>The topology I have decided to go with is that each box on the network will have
>its own NIC on the PC. Additionally, if anyone can suggest documentation on how
>to set this up software-wise, I would appreciate it.
>
>I have some experience with iptables, but am unsure exactly how I would set this
>up. Again, any help would be appreciated.
>
>Thank you.
>
>J. Ferguson

Lee
lee@ricis.com
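An added example, not code from Lee's post or from anyone on the list: the same router job rewritten with default-DROP policies, stateful accepts, port forwards done with DNAT instead of source-port matching, rate-limited logging under the same " input-drop " / " forward-drop " prefixes, and masquerading restricted to the external interface. It assumes eth0 faces the cable modem and eth1 faces the switch; the LAN range 192.168.1.0/24, the forwarded hosts in PORT_FORWARDS, and the RUN dry-run variable are constructed for this example, while 64.244.234.0/23 comes from the post.

```shell
#!/bin/sh
# Added example (not Lee's script): same job, default-deny.  Assumed topology:
# eth0 faces the cable modem, eth1 faces the switch.  LAN_NET and the hosts in
# PORT_FORWARDS are constructed values; 64.244.234.0/23 is from the post.
RUN=${RUN:-}                  # RUN=echo prints the commands instead of running them
WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}
WORK_NET=${WORK_NET:-64.244.234.0/23}
PORT_FORWARDS=${PORT_FORWARDS:-"4000:192.168.1.10 1214:192.168.1.10"}   # port:lan-host

ipt() { $RUN iptables "$@"; }

apply_firewall() {
    $RUN sysctl -q -w net.ipv4.ip_forward=1
    # Known state first, then default-deny so a missing rule fails closed.
    ipt -F; ipt -t nat -F; ipt -X
    ipt -P INPUT DROP; ipt -P FORWARD DROP; ipt -P OUTPUT ACCEPT
    # Loopback, replies to connections we already accepted, and nothing conntrack rejects.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m state --state INVALID -j DROP
    ipt -A FORWARD -m state --state INVALID -j DROP
    # Who may talk to the router itself: the LAN, and the work network from outside.
    ipt -A INPUT -i "$LAN" -s "$LAN_NET" -j ACCEPT
    ipt -A INPUT -i "$WAN" -s "$WORK_NET" -j ACCEPT
    # LAN hosts may open connections outward; the source check rejects spoofed LAN addresses.
    ipt -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    # Inbound services need a DNAT plus a matching FORWARD accept, one pair per port.
    for spec in $PORT_FORWARDS; do
        port=${spec%%:*}; host=${spec#*:}
        ipt -t nat -A PREROUTING -i "$WAN" -p tcp --dport "$port" -j DNAT --to-destination "$host"
        ipt -A FORWARD -i "$WAN" -o "$LAN" -d "$host" -p tcp --dport "$port" -j ACCEPT
    done
    # Log what the policies drop, rate-limited so a port scan cannot fill /var/log.
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix " input-drop "
    ipt -A FORWARD -m limit --limit 5/min -j LOG --log-prefix " forward-drop "
    # Masquerade only what leaves on the cable-modem side, never LAN-bound traffic.
    ipt -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
}

case "${1:-}" in
    apply)   apply_firewall ;;
    dry-run) RUN=echo; apply_firewall ;;
    *)       echo "usage: $0 apply|dry-run" >&2 ;;
esac
```

Run it with `dry-run` to print the rules it would load, then with `apply` as root on the router.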


