# Replace the legacy ipchains module with the netfilter NAT module and the
# FTP connection-tracking helpers (these are the kernel 2.4-era module names).
/sbin/rmmod ipchains
for mod in iptable_nat ip_conntrack_ftp ip_nat_ftp; do
  /sbin/modprobe "$mod"
done

# Start both tables from a clean slate: flush all rules (-F), zero the
# packet/byte counters (-Z) and delete any user-defined chains (-X).
for table in filter nat; do
  /sbin/iptables -t "$table" -F
  /sbin/iptables -t "$table" -Z
  /sbin/iptables -t "$table" -X
done

# Default policy for traffic addressed to the box itself.
# NOTE: ACCEPT here means every listening service on the router is reachable
# from every interface unless a later INPUT rule says otherwise.
/sbin/iptables -P INPUT ACCEPT
^ This lets anyone, on any interface, connect to every listening port
on the router box itself. Not the safest thing in the world.
# Routed traffic (FORWARD) and the box's own outbound traffic (OUTPUT) are
# allowed unless a rule says otherwise.
for chain in FORWARD OUTPUT; do
  /sbin/iptables -P "$chain" ACCEPT
done

# The single restriction on routed traffic: packets that arrive on the
# external interface and whose connection-tracking state is NEW or INVALID
# are dropped. Packets arriving on any other interface are not filtered by
# this rule, so the internal side can forward anything.
ext_if=eth0
/sbin/iptables -A FORWARD -i "$ext_if" -m state --state NEW,INVALID -j DROP
^ Only NEW and INVALID packets arriving on eth0 are dropped; whatever the
internal network sends is forwarded untouched, so you trust your internal
network completely. Nice place!
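# Masquerade everything leaving via the external interface (eth0): the source
# address is rewritten to that interface's address so internal hosts can reach
# the outside. "-j" and its target "MASQUERADE" must be on the same line; the
# original had them split across two lines, which the shell would run as two
# separate, broken commands.
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# enable forwarding between interfaces
echo 1 > /proc/sys/net/ipv4/ip_forward
# drop spoofed packets: reverse-path filtering on every interface
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter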
ACCEPT default policies are too permissive, and it is easy to miss a
gap. If you are really concerned about security, a better start is to
slam everything shut with a DROP policy in every chain and then open
up a few select holes.