[LAD] [ot] - NEED some security advise PLEASE! + new question

Kjetil S. Matheussen k.s.matheussen at notam02.no
Sun Feb 15 12:46:59 UTC 2009


Fons Adriaensen:
>
>> ... And if it's a public server,
>> I'd rather not have anybody logging in through ssh who is not capable of
>> dealing with key logins. I disabled password logins through ssh on
>> my public machines.
>
>That seems to be the best way to deal with it.
>
>A weakly related OT question:
>
>I need to set up a machine as a router. One side is
>a fixed public IP address, the other side is a local
>net using 192.168.1.x. I want to give internet access
>to the machines on the local net, so this requires
>(AFAIK) NAT. Does anyone have a pointer to a good tutorial
>about how to do this?

I once put the lines below into an init file to do this.
I don't know what happens, I just copied from a post
found on the internet, one like this. :-)

In case there is a security problem with this method,
someone will hopefully write a comment about it. I think
eth0 is connected to the world, and eth1 is
connected to the local network, but it could
have been the other way too.


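# unload the old ipchains module, load NAT and the FTP helpers
/sbin/rmmod ipchains
/sbin/modprobe iptable_nat
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
# flush rules, zero counters and delete user chains (filter and nat tables)
/sbin/iptables -F -t filter
/sbin/iptables -Z -t filter
/sbin/iptables -X -t filter
/sbin/iptables -F -t nat
/sbin/iptables -Z -t nat
/sbin/iptables -X -t nat
# default policy: accept everything
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -P FORWARD ACCEPT
/sbin/iptables -P OUTPUT ACCEPT
# drop forwarded packets arriving on eth0 that are new connections or invalid
/sbin/iptables -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP
# rewrite the source address of everything leaving through eth0
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# drop spoof packets
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter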
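
Added example, not part of the original post: the script above leaves the INPUT and FORWARD policies at ACCEPT, so the router's own services stay reachable from the public side. This default-deny variant prints its rules for review before applying them; the interface names and the LAN prefix are assumptions taken from the question.

```shell
#!/bin/sh
# Added example (not from the original post): default-deny NAT router rules.
# WAN/LAN interface names and the LAN prefix are assumptions; override via env.
WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}

# Print the rule set as iptables arguments, one rule per line, so it can be
# reviewed or diffed before anything touches the kernel.
nat_rules() {
    cat <<EOF
-t filter -F
-t filter -X
-t nat -F
-t nat -X
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN -s $LAN_NET -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN -o $WAN -s $LAN_NET -m state --state NEW -j ACCEPT
-t nat -A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE
EOF
}

# Apply the rules (needs root). Stops at the first rule iptables rejects.
apply_nat_rules() {
    while read -r rule; do
        # $rule is deliberately unquoted so it splits into arguments
        /sbin/iptables $rule || return 1
    done <<EOF
$(nat_rules)
EOF
    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
}

# Dry run by default; pass "apply" as root to install the rules.
case "${1:-}" in
    apply) apply_nat_rules ;;
    *)     nat_rules ;;
esac
```

With these rules the router itself accepts new connections only from the LAN; a box administered over ssh from the public side needs an explicit INPUT rule for that port before the policy is switched to DROP.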



