[aklug] Re: Network Issue

From: Christopher Howard <choward@indicium.us>
Date: Thu Feb 18 2010 - 09:13:13 AKST

James Zuelow wrote:
>
>> -----Original Message-----
>> From: aklug-bounce@aklug.org [mailto:aklug-bounce@aklug.org]
>> On Behalf Of Christopher Howard
>> Sent: Wednesday, 17 February, 2010 23:16
>> To: Alaska Linux Users Group
>> Subject: [aklug] Re: Network Issue
>>
>>
>> Yippee, figured it out by myself! Oh yeah, oh yeah!
>>
>> I just ran iptables -S, which apparently shows a chain of rules. I saw
>> that there was a "-A FORWARD -d 172.16.0.0/24 -i eth2 -j ACCEPT" which
>> (I'm guessing) allows traffic to get from my WAN to my first LAN subnet,
>> but there was no such rule for my other subnet (172.16.1.0), so I added
>> such a rule. It worked, so I saved the new iptables configuration.
>>
>
> "Add to the FORWARD table a rule that says accept any traffic entering on eth2 for the destination 172.16.0.0/24."
>
> Is that what you really want on a firewall? Remember that the input and forward tables on a firewall do different things. For a firewall you do much of your filtering on the forward table -- don't leave it wide open and trust the input filters on the firewall to handle things. Many packets just traversing the firewall will never see the input rules. Your NAT setup is probably the only thing protecting you right now.
>
> You said "allows traffic to get from my WAN" above. If eth2 is your WAN connection then please consider changing both of those forward rules to:
>
> -A FORWARD -i eth2 -d 172.16.0.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> Matching the state means that only replies to things you've asked for will come back through the forward table. Right now it is wide open.
>
> This link says it is for 2.4 kernels, but it is still valid for 2.6 kernels:
>
> http://netfilter.org/documentation/HOWTO/packet-filtering-HOWTO-6.html
>
> James Zuelow
> Network Specialist
> City and Borough of Juneau MIS (907)586-0236

Oh, okay. I guess that is what I want. How will that affect port forwarding?

--
 ________________________________
/                                \
|       Christopher Howard       |
|       http://indicium.us       |
|  http://theologia.indicium.us  |
\________________________________/
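Added example, not part of the thread and not either poster's ruleset: a small POSIX shell script that (1) audits `iptables -S FORWARD` output for the kind of rule James calls "wide open" (ACCEPT from the WAN side with no state match) and (2) prints a stateful replacement in iptables-restore(8) format using the ESTABLISHED,RELATED rule from the thread. It also goes one step past the thread to the port-forwarding question: a DNAT rule in the nat PREROUTING chain rewrites the destination before routing, so the forwarded packet then reaches FORWARD with the LAN host as its destination and conntrack state NEW, and once FORWARD is no longer open that flow needs its own explicit ACCEPT. The interface name eth2 and the two 172.16.x.0/24 subnets are taken from the thread; the forwarded port (WAN tcp/2222 to 172.16.0.10:22), the LAN-to-LAN rule and the INPUT rules are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the aklug thread or from either poster). It does two things:
#  1. audit_forward reads `iptables -S FORWARD` output and flags ACCEPT rules that can
#     match traffic arriving from the WAN without a conntrack state test;
#  2. gen_rules prints a stateful replacement ruleset in iptables-restore(8) format,
#     including the FORWARD rule a DNAT port forward needs once FORWARD is closed
#     (DNAT runs before routing, so the packet reaches FORWARD with the LAN host as
#     destination and state NEW).
# The WAN interface and subnets follow the thread; the port forward
# (WAN tcp/2222 -> 172.16.0.10:22) and the INPUT/LAN-to-LAN rules are assumptions.

WAN_IF=eth2                              # WAN interface, as in the thread
LAN_NETS="172.16.0.0/24 172.16.1.0/24"   # the two LAN subnets from the thread
PF_PROTO=tcp PF_WAN_PORT=2222 PF_DST=172.16.0.10 PF_DST_PORT=22   # assumed forward

# Read `iptables -S`-style rules on stdin; print each FORWARD ACCEPT rule that can
# match packets arriving on $WAN_IF with no state test. Returns 1 if any, else 0.
audit_forward() {
    found=0
    while IFS= read -r rule; do
        case "$rule" in
            "-A FORWARD "*"-j ACCEPT"*) ;;
            *) continue ;;                                # not a FORWARD accept rule
        esac
        case "$rule" in
            *"--state "*|*"--ctstate "*) continue ;;       # stateful: fine
        esac
        case "$rule" in
            *"! -i $WAN_IF "*) ;;                          # explicitly not from WAN
            *"-i $WAN_IF "*) printf 'open from WAN: %s\n' "$rule"; found=1 ;;
            *"-i "*) ;;                                    # pinned to another interface
            *) printf 'open (no -i): %s\n' "$rule"; found=1 ;;   # matches WAN too
        esac
    done
    return $found
}

# Print the replacement ruleset. Nothing is applied here; pipe it into
# iptables-restore as root (after reading it) to load the whole set atomically.
gen_rules() {
    printf '*nat\n:PREROUTING ACCEPT [0:0]\n:POSTROUTING ACCEPT [0:0]\n:OUTPUT ACCEPT [0:0]\n'
    # Port forward: rewrite WAN:2222 to the LAN host before routing.
    printf -- '-A PREROUTING -i %s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$WAN_IF" "$PF_PROTO" "$PF_WAN_PORT" "$PF_DST" "$PF_DST_PORT"
    for net in $LAN_NETS; do
        printf -- '-A POSTROUTING -s %s -o %s -j MASQUERADE\n' "$net" "$WAN_IF"
    done
    printf 'COMMIT\n*filter\n:INPUT DROP [0:0]\n:FORWARD DROP [0:0]\n:OUTPUT ACCEPT [0:0]\n'
    # Traffic to the firewall itself (assumed): loopback, replies, anything from the LAN side.
    printf -- '-A INPUT -i lo -j ACCEPT\n'
    printf -- '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\n'
    printf -- '-A INPUT ! -i %s -j ACCEPT\n' "$WAN_IF"
    # Traffic through the firewall: from the WAN only replies (the rule from the thread)
    # plus one explicit NEW hole for the port forward; LAN-originated flows go out freely.
    printf -- '-A FORWARD -m state --state INVALID -j DROP\n'
    for net in $LAN_NETS; do
        printf -- '-A FORWARD -i %s -d %s -m state --state ESTABLISHED,RELATED -j ACCEPT\n' \
            "$WAN_IF" "$net"
    done
    printf -- '-A FORWARD -i %s -p %s -d %s --dport %s -m state --state NEW -j ACCEPT\n' \
        "$WAN_IF" "$PF_PROTO" "$PF_DST" "$PF_DST_PORT"
    for net in $LAN_NETS; do
        printf -- '-A FORWARD ! -i %s -s %s -o %s -j ACCEPT\n' "$WAN_IF" "$net" "$WAN_IF"
    done
    printf -- '-A FORWARD ! -i %s ! -o %s -j ACCEPT\n' "$WAN_IF" "$WAN_IF"   # assumed: subnets may talk
    printf -- '-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "fwd-drop: "\n'
    printf 'COMMIT\n'
}

case "${1:-}" in
    --apply) gen_rules | iptables-restore ;;        # root; loads the set atomically
    --audit) iptables -S FORWARD | audit_forward ;; # root; check what is loaded now
    *)       gen_rules ;;                           # default: just print for review
esac
```

Run it with no arguments to read the generated ruleset, `--audit` (as root) to check the live FORWARD chain, and `--apply` only after saving the current rules with `iptables-save` so you can roll back. The `-m state` match is what the thread uses; on current kernels `-m conntrack --ctstate` is the preferred spelling and the audit accepts either. The audit is deliberately narrow: it only looks at what `iptables -S FORWARD` prints, so rules that jump to user-defined chains are not followed.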
Received on Thu Feb 18 09:12:48 2010

This archive was generated by hypermail 2.1.8 : Thu Feb 18 2010 - 09:12:48 AKST