hey everybody.
so, i've been using Arch as a very basic server for my little ol' network for about 3 or 4 years now, and i can definitely say that it performs simply flawlessly. software-side i've yet to run into ANYthing that it couldn't do, it's never crashed, and it's solid as an effing rock. of course there's been the learning curve/speed bumps along the way, but of all the linux distros i've used this one seems to me to be the most logical and, frankly, simple one out there. In particular, the wiki you guys have is excellent; i've pretty much learned basic administration from it (along with a handful of other sites.) coming from a staunch Windows-only mindset several years ago, i would definitively label myself a convert
now, my server does basic networking & file services for my network. I use BIND for local & caching DNS, dhcpd for DHCP, and samba for file serving purposes (it's actually kinda sweet; I've got 3 1TB drives set up on software raid w/LVM for backup on all my systems \m/)
up until yesterday, my network still had a linksys wireless router as the gateway between the LAN and the modem/WAN. my mobo in my server happens to have 2 network jacks, so.... i figured i'd take a stab at seeing if i can convert the server into a router itself! thanks to y'alls wiki, i basically followed the instructions in this article (http://wiki.archlinux.org/index.php/Router) using iptables to manage routing & NAT.
so far, everything seems to be working fine; configuration of iptables, as far as i can tell, went over without a hitch, and immediately i was able to get internet access from all computers while still having local DNS/DHCP working. but, as i did just learn/do this yesterday, i figured i might turn to you guys just to possibly verify that my rules look ok and, most importantly, are set up as a safe, effective firewall.
below is the output of iptables -nvL. the open port 12345 is for bittorrent on my desktop. eth0 is my external port going to the modem, and eth1 goes to my switch for my LAN (static IP 172.16.0.1):
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
192 20655 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
6977 523K ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0
774 152K DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
99382 52M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
494 17639 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8 state NEW
35957 12M OPEN-UDP udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
713 36874 OPEN-TCP tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
35957 12M REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
713 36874 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-proto-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
19108 989K TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02 TCPMSS clamp to PMTU
6862K 3121M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
99987 11M fw-interfaces all -- * * 0.0.0.0/0 0.0.0.0/0
60454 7203K fw-open all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 73035 packets, 6255K bytes)
pkts bytes target prot opt in out source destination
Chain OPEN-TCP (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:12345
Chain OPEN-UDP (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:12345
Chain fw-interfaces (1 references)
pkts bytes target prot opt in out source destination
39533 3737K ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0
Chain fw-open (1 references)
pkts bytes target prot opt in out source destination
8224 453K ACCEPT tcp -- * * 0.0.0.0/0 172.16.0.10 tcp dpt:12345
52230 6750K ACCEPT udp -- * * 0.0.0.0/0 172.16.0.10 udp dpt:12345
anything you guys see should be changed? thanks in advance for those who take the time to read/reply!
For more security, for the WAN interface on which you do not expect any inbound traffic, you should create a rule allowing RELATED and ESTABLISHED traffic and drop all other traffic. Also, it is better to use interface names for all rules (personal preference, but explicit is always better than implicit). Also, do not use REJECT; simply use DROP, as REJECT takes extra CPU cycles and network traffic since a reply is sent.
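The original post asks for a review of the listing and the reply names three things to look for (no rule bound to the WAN interface, rules not bound to any interface, REJECT instead of DROP). As an added example, not code from either poster, the Python script below parses the iptables -nvL listing exactly as pasted in the post and reports those three points plus a fourth visible in the listing itself, a built-in chain whose default policy is not DROP. It assumes eth0 is the WAN interface, as the post states; the rule and chain names come from the listing, and the finding categories are the script's own.

```python
# Added example, not code from either poster: parse the iptables -nvL
# listing pasted in the post and check it for the points raised in the reply.
# Assumption: eth0 is the WAN interface, as the original post states.
from collections import Counter, namedtuple
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE_LISTING = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
192 20655 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
6977 523K ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0
774 152K DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
99382 52M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
494 17639 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8 state NEW
35957 12M OPEN-UDP udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
713 36874 OPEN-TCP tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
35957 12M REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
713 36874 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-proto-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
19108 989K TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02 TCPMSS clamp to PMTU
6862K 3121M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
99987 11M fw-interfaces all -- * * 0.0.0.0/0 0.0.0.0/0
60454 7203K fw-open all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 73035 packets, 6255K bytes)
pkts bytes target prot opt in out source destination
Chain OPEN-TCP (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:12345
Chain OPEN-UDP (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:12345
Chain fw-interfaces (1 references)
pkts bytes target prot opt in out source destination
39533 3737K ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0
Chain fw-open (1 references)
pkts bytes target prot opt in out source destination
8224 453K ACCEPT tcp -- * * 0.0.0.0/0 172.16.0.10 tcp dpt:12345
52230 6750K ACCEPT udp -- * * 0.0.0.0/0 172.16.0.10 udp dpt:12345
"""

Rule = namedtuple("Rule", "target prot in_if out_if src dst extra")  # extra = match text after dst

@dataclass
class Chain:
    name: str
    policy: Optional[str]  # None for user-defined chains
    rules: List[Rule] = field(default_factory=list)

def parse_iptables_nvl(text: str) -> Dict[str, Chain]:
    """Parse 'iptables -nvL' output into Chain objects keyed by chain name."""
    chains: Dict[str, Chain] = {}
    current: Optional[Chain] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("pkts"):  # blank line or column header
            continue
        if line.startswith("Chain "):  # "Chain NAME (policy P ...)" or "Chain NAME (N references)"
            parts = line.split()
            current = Chain(parts[1], parts[3] if parts[2] == "(policy" else None)
            chains[current.name] = current
            continue
        f = line.split(None, 9)  # pkts bytes target prot opt in out src dst [matches]
        if current is not None and len(f) >= 9:
            current.rules.append(Rule(f[2], f[3], f[5], f[6], f[7], f[8],
                                      f[9] if len(f) > 9 else ""))
    return chains

TERMINAL = {"DROP", "REJECT", "RETURN", "TCPMSS"}  # targets that never open a new-connection path

def audit(chains: Dict[str, Chain], wan: str) -> List[tuple]:
    """Return (category, message) findings for the reply's points plus the default policy."""
    findings = []
    for name in ("INPUT", "FORWARD"):
        ch = chains.get(name)
        if ch is not None and ch.policy != "DROP":
            findings.append(("policy", f"{name}: default policy is {ch.policy}, not DROP"))
    wan_bound = False
    for ch in chains.values():
        if ch.name == "OUTPUT":
            continue
        for r in ch.rules:
            wan_bound = wan_bound or r.in_if == wan
            if r.target == "REJECT":
                findings.append(("reject", f"{ch.name}: REJECT ({r.extra}); reply suggests DROP"))
            elif r.target not in TERMINAL and r.in_if == "*" and "ESTABLISHED" not in r.extra:
                findings.append(("wildcard-iface",
                                 f"{ch.name}: {r.target} {r.prot} {r.extra!r} is not bound to an interface"))
    if not wan_bound:
        findings.append(("wan-unbound", f"no rule names {wan}; add an explicit "
                         "RELATED,ESTABLISHED accept and a DROP for that interface"))
    return findings

def count_by_category(findings) -> Dict[str, int]:
    return dict(Counter(cat for cat, _ in findings))
```

Run against the listing, the audit produces one policy finding (FORWARD is ACCEPT, so anything the fw-interfaces and fw-open chains do not match is still forwarded), three reject findings, nine interface-unbound accept paths and one wan-unbound finding. Adding the two rules the reply describes to INPUT, an eth0 RELATED,ESTABLISHED accept followed by an eth0 DROP, clears the wan-unbound finding, as the constructed hardened snippet in the test shows.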