I'm a newbie in iptables and network security stuff. I would like to get some advice on the following problem.
I have a router with IP 192.168.1.1; my LAN contains a bunch of wireless devices and a desktop PC with the static IP *.2.
I want to enable certain services (ftp, sftp for a local user, game servers, etc.) on my desktop PC to be accessible from any of my wireless devices.
However, I don't want them to be accessible from the router, because I want to be safe just in case the router gets hacked (the router has DDNS enabled and runs sshd for tunneling purposes).
It is not actually safety that bothers me a lot. I'm just trying to gain some understanding on topic, so I decided to make this particular setup.
I've read the Simple Stateful Firewall article on the wiki, and now I'm considering doing the following, but I'm not sure whether this is a good approach:
# create chains
iptables -N LAN
iptables -N LAN_TCP
iptables -N LAN_UDP
# route all traffic from wireless devices to LAN chain
iptables -A INPUT -m iprange --src-range 192.168.1.3-192.168.1.255 -j LAN
# specific LAN chain rules
iptables -A LAN -p tcp --syn -m conntrack --ctstate NEW -j LAN_TCP
iptables -A LAN_TCP -p tcp --dport 22 -j ACCEPT
Is it worthwhile? Are there better approaches? I suspect that if the router gets hacked, the hacker will be able to change its IP, so such rules won't work, will they?
I just thought that perhaps restricting by the router's MAC would be a better approach. Though I've written a lot of text already... So, anyway, I would like to get comments from forum members.
Thanks in advance.
That should work, although don't forget to DROP or REJECT by default:
iptables -P INPUT DROP
iptables / netfilter is very flexible and you can achieve any given task in a number of ways. There are generally no "right" and "wrong" ways, just best practices here and there.
I've decided to filter by the router's MAC address.
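Pulling the pieces of this thread together, here is an added example (not code from any of the posts above): a complete ruleset for the desktop in iptables-restore format, using the LAN/LAN_TCP/LAN_UDP chains from the first post, a default DROP policy as the reply recommends, and the router excluded by MAC as the poster decided. The addresses are the ones given in the thread; the router MAC, the FTP/SSH ports and the game-server UDP port are assumed placeholders.

```shell
#!/bin/sh
# Added example: a complete ruleset for the desktop (192.168.1.2) in
# iptables-restore format. Addresses come from the thread; the router MAC
# and the port numbers below are placeholders (assumptions), not real values.
ROUTER_IP="192.168.1.1"
ROUTER_MAC="${ROUTER_MAC:-00:11:22:33:44:55}"   # placeholder; get the real one with: ip neigh show 192.168.1.1
WIFI_RANGE="192.168.1.3-192.168.1.254"         # wireless clients; .255 is the broadcast address, so it is left out
TCP_PORTS="21 22"                               # ftp control and sshd (sftp); assumed
UDP_PORTS="27015"                               # a game server port; assumed

# Prints the whole ruleset on stdout, one iptables-restore line per rule.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LAN - [0:0]
:LAN_TCP - [0:0]
:LAN_UDP - [0:0]
-A INPUT -i lo -j ACCEPT
# Replies to connections the desktop itself opened (e.g. the ssh tunnel to the
# router) are accepted before the router is excluded below.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Exclude the router before the address-range check. A compromised router can
# pick any IP in the wireless range, so matching on its MAC first closes that
# gap; it can also change its MAC, so this is defence in depth, not a boundary.
-A INPUT -m mac --mac-source $ROUTER_MAC -j DROP
-A INPUT -s $ROUTER_IP -j DROP
-A INPUT -m iprange --src-range $WIFI_RANGE -j LAN
-A LAN -p tcp --syn -m conntrack --ctstate NEW -j LAN_TCP
-A LAN -p udp -m conntrack --ctstate NEW -j LAN_UDP
EOF
    for port in $TCP_PORTS; do
        echo "-A LAN_TCP -p tcp --dport $port -j ACCEPT"
    done
    for port in $UDP_PORTS; do
        echo "-A LAN_UDP -p udp --dport $port -j ACCEPT"
    done
    echo "COMMIT"
}

# Sanity check on rule order: returns 0 when the router's MAC is dropped
# before the jump into the LAN chain, 1 otherwise.
router_excluded_before_range() {
    rules="$(build_ruleset)"
    mac_line="$(printf '%s\n' "$rules" | grep -n -- '--mac-source' | cut -d: -f1)"
    range_line="$(printf '%s\n' "$rules" | grep -n -- '--src-range' | cut -d: -f1)"
    [ -n "$mac_line" ] && [ -n "$range_line" ] && [ "$mac_line" -lt "$range_line" ]
}

# Usage: sh rules.sh print | sudo iptables-restore   (review the output first)
if [ "${1:-}" = "print" ]; then
    router_excluded_before_range || { echo "rule order is wrong" >&2; exit 1; }
    build_ruleset
fi
```

Two caveats: the MAC match only sees frames from the directly attached segment (true here, since the router is on the LAN), and a root shell on the router can change its MAC as easily as its IP, so the MAC rule raises the bar without making the desktop unreachable from a compromised router. Passive FTP data connections also need the conntrack FTP helper, which this ruleset does not set up.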
Your reply suggested the right query to search for info on Google ("just best practices here and there"). Thanks.