Re: RedHat 7.2 firewall/router vulnerabilities

From: Martin Cooper (usenet_at_martinc.me.uk)
Date: 08/31/03


Date: Sun, 31 Aug 2003 11:38:00 +0100

Hi,

"Marty Ross" <noodnik2@hotmail.com> wrote:

> Can anyone tell me what the following lines do in RedHat Linux 7.2 (kernel
> 2.4.7-10)?
>
> modprobe iptable_nat

The above module is required for the following masquerade rule to work. It
loads new functionality into the kernel that will provide the NAT facility.

> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

The above line provides NAT for a network. In this instance, the internet
is reached by eth0, and all traffic is NATed to the IP of that interface.
This simply allows you to put in another ethernet card, connect it to your
network, and then use it as the internet gateway for your other machines.
Note that any internal machines should use non-routable addresses such as
192.168.0.1 etc.

> iptables -A INPUT -i eth0 -m state --state NEW,INVALID -j DROP
> iptables -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP

The above rules drop any invalid traffic, i.e., packets that are not part of
an existing connection. It also drops any incoming connection packets. It
is simply a basic firewall that will allow local machines to connect to the
net, but will not allow the net to connect to the firewall or any local
machines.

> echo 1 > /proc/sys/net/ipv4/ip_forward
>

The above line allows Linux to act as a router. Without it, no one would be
able to use it as a gateway to connect to the net.

> What vulnerabilities exist with this as the configuration for a
> firewall/router?
>

It's not to stop a specific vulnerability, it is just a very basic firewall
to prevent people on the internet connecting directly to your network.

-- 
   Martin
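As an added illustration (not part of Martin's post), a small Python model of what the two `-m state --state NEW,INVALID -j DROP` rules decide for a constructed packet trace. It assumes TCP only, treats eth1 as the internal interface, and ignores the MASQUERADE address rewriting, so it is a simplification of the kernel's connection tracking rather than a copy of it.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrives on ("eth0" = internet side)
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool    # TCP SYN flag set
    ack: bool    # TCP ACK flag set

class StateFirewall:
    """Model of: iptables -A INPUT/FORWARD -i eth0 -m state --state NEW,INVALID -j DROP
    with the default policy left at ACCEPT, as in the quoted ruleset (simplified)."""

    def __init__(self, external_iface="eth0"):
        self.external = external_iface
        self.flows = set()  # simplified conntrack table of (src, sport, dst, dport)

    def classify(self, p):
        """Return the state the -m state match would assign to this packet."""
        if (p.src, p.sport, p.dst, p.dport) in self.flows or \
           (p.dst, p.dport, p.src, p.sport) in self.flows:
            return "ESTABLISHED"
        if p.syn and not p.ack:
            return "NEW"          # a connection-opening SYN
        return "INVALID"          # e.g. a bare ACK for a flow conntrack never saw

    def filter(self, p):
        state = self.classify(p)
        if p.iface == self.external and state in ("NEW", "INVALID"):
            return "DROP"         # the two quoted rules fire only on eth0
        if state == "NEW":
            self.flows.add((p.src, p.sport, p.dst, p.dport))
        return "ACCEPT"           # default policy

def run_trace():
    """Constructed four-packet trace: an inside host opens a web connection,
    the reply comes back, then an outside host tries to reach the inside host."""
    fw = StateFirewall()
    trace = [
        Packet("eth1", "192.168.0.2", 40000, "198.51.100.10", 80, True, False),
        Packet("eth0", "198.51.100.10", 80, "192.168.0.2", 40000, True, True),
        Packet("eth0", "203.0.113.5", 5555, "192.168.0.2", 22, True, False),
        Packet("eth0", "203.0.113.5", 5555, "192.168.0.2", 22, False, True),
    ]
    return [fw.filter(p) for p in trace]
```

The trace shows the behaviour Martin describes: the inside-initiated connection and its reply pass, while both the new inbound connection attempt and the stray inbound ACK are dropped.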

