
#1 2013-01-20 21:05:59

eDio
Member
From: Ukraine, Kyiv
Registered: 2008-12-02
Posts: 422

LAN chain in iptables. Are there better approaches?

Hi all.
I'm a newbie in iptables and network security stuff. I would like to get advice on the following problem.

I have a router with IP 192.168.1.1; my LAN contains a bunch of wireless devices and a desktop PC with the static IP *.2.

I want certain services (ftp, sftp for a local user, game servers, etc.) on my desktop PC to be accessible from any of my wireless devices.
However, I don't want them to be accessible from the router, because I want to be safe in case the router gets hacked (the router has DDNS enabled and runs sshd for tunneling purposes).

It is not actually safety that bothers me a lot. I'm just trying to gain some understanding of the topic, so I decided to make this particular setup.

I've read the Simple Stateful Firewall article on the wiki and now I'm considering doing the following, but I'm not sure whether this is a good approach:

# create custom chains for traffic coming from the LAN
iptables -N LAN
iptables -N LAN_TCP
iptables -N LAN_UDP

# send traffic from the wireless devices (.3 and up; the router at .1 is left out) to the LAN chain
iptables -A INPUT -m iprange --src-range 192.168.1.3-192.168.1.255 -j LAN

# new TCP connections from the LAN go to LAN_TCP; only port 22 (sshd/sftp) is opened so far
iptables -A LAN -p tcp --syn -m conntrack --ctstate NEW -j LAN_TCP
iptables -A LAN_TCP -p tcp --dport 22 -j ACCEPT

Is it worthwhile? Are there better approaches? I suspect that if the router gets hacked, the hacker will be able to change its IP, so such rules won't work, will they?
I just thought that perhaps restricting by the router's MAC would be a better approach. Though I've written a lot of text already... So, anyway, I would like to get comments from forum members.

Thanks in advance.

Offline

#2 2013-01-20 22:06:45

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,217

Re: LAN chain in iptables. Are there better approaches?

That should work, although don't forget to DROP or REJECT by default:

iptables -P INPUT DROP

iptables / netfilter is very flexible and you can achieve any given task a number of ways. There are generally no "right" and "wrong" ways, just best practices here and there.

Offline

#3 2013-01-21 14:03:05

eDio
Member
From: Ukraine, Kyiv
Registered: 2008-12-02
Posts: 422

Re: LAN chain in iptables. Are there better approaches?

I've decided to filter by the router's MAC address.
Your reply suggested the correct query to search for info on Google ("just best practices here and there"). Thanks.

Offline
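The script below is an added example and is not code from the thread. It puts the three ideas of the thread together in one place: the custom LAN/LAN_TCP/LAN_UDP chains from post #1, the default DROP policy from post #2, and the MAC match from post #3. Rather than issuing one iptables call per rule it emits an iptables-restore file, so the whole ruleset can be read and diffed before it is loaded atomically. All addresses and ports are assumptions constructed for the example: desktop 192.168.1.2 on 192.168.1.0/24, router 192.168.1.1 with MAC 00:11:22:33:44:55, services ftp (21/tcp), sshd/sftp (22/tcp) and a game server on 27015/udp. One caveat a practitioner would want stated: neither a source IP nor a source MAC is a credential. A router that has been compromised sits on the same Ethernet segment and can set either field to whatever it likes, so the IP and MAC drops only cost an attacker a one-line change; the rules reduce exposure, but the protection that actually holds is the authentication on the exposed services themselves.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds the ruleset in iptables-restore
# format so it can be reviewed before it is loaded.
# Assumptions (constructed for this example): desktop 192.168.1.2 on 192.168.1.0/24,
# router 192.168.1.1 with MAC 00:11:22:33:44:55, services 21/tcp, 22/tcp, 27015/udp.

ROUTER_IP=192.168.1.1
ROUTER_MAC=00:11:22:33:44:55   # constructed; read the real one with `ip neigh` or `arp -n`
LAN_NET=192.168.1.0/24
TCP_PORTS="21 22"
UDP_PORTS="27015"

# valid_mac MAC -> exit 0 for the aa:bb:cc:dd:ee:ff form, 1 otherwise.
# A typo here would silently match nothing, so refuse to build a ruleset with a bad MAC.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

# build_ruleset ROUTER_IP ROUTER_MAC LAN_NET "TCP_PORTS" "UDP_PORTS"
# Prints an iptables-restore file on stdout; returns 1 on a malformed MAC.
build_ruleset() {
    r_ip=$1; r_mac=$2; net=$3; tcp=$4; udp=$5
    valid_mac "$r_mac" || { echo "bad MAC: $r_mac" >&2; return 1; }
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LAN - [0:0]
:LAN_TCP - [0:0]
:LAN_UDP - [0:0]
-A INPUT -i lo -j ACCEPT
# replies to connections the desktop opened itself (DNS, DHCP, ...) are allowed, router included
# ftp data connections only count as RELATED if the nf_conntrack_ftp helper is loaded
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# drop the router by IP and by MAC before anything reaches the LAN chain;
# both are belt and braces only: a compromised router can forge either field
-A INPUT -s $r_ip -j DROP
-A INPUT -m mac --mac-source $r_mac -j DROP
-A INPUT -s $net -j LAN
-A LAN -p tcp --syn -m conntrack --ctstate NEW -j LAN_TCP
-A LAN -p udp -m conntrack --ctstate NEW -j LAN_UDP
EOF
    for p in $tcp; do echo "-A LAN_TCP -p tcp --dport $p -j ACCEPT"; done
    for p in $udp; do echo "-A LAN_UDP -p udp --dport $p -j ACCEPT"; done
    # anything the LAN chains did not accept falls through to the INPUT DROP policy
    echo "COMMIT"
}

# count_accepts RULESET -> number of ACCEPT rules in the LAN_* chains (sanity check)
count_accepts() {
    printf '%s\n' "$1" | grep -Ec '^-A LAN_(TCP|UDP) .* -j ACCEPT$'
}

# Default: print for review. APPLY=1 loads it (needs root and the iptables package).
if [ "${APPLY:-0}" = 1 ]; then
    build_ruleset "$ROUTER_IP" "$ROUTER_MAC" "$LAN_NET" "$TCP_PORTS" "$UDP_PORTS" | iptables-restore
else
    build_ruleset "$ROUTER_IP" "$ROUTER_MAC" "$LAN_NET" "$TCP_PORTS" "$UDP_PORTS"
fi
```

Run it with no arguments to print the ruleset, and with `APPLY=1` as root to load it. The LAN match uses `-s 192.168.1.0/24` with the router dropped explicitly above it, instead of the `--src-range 192.168.1.3-192.168.1.255` from post #1; the effect is the same, but the exclusion is visible as its own rule rather than hidden in the range bounds.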
