On 06/28/2015 03:49 PM, Max Pyziur wrote:
From several sources (code, the stock CentOS iptables) I've cobbled together the following /etc/sysconfig/iptables; while it works, I suspect that there are holes:

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
Some holes, yes. I'd recommend that your FORWARD table be similar to INPUT. It should DROP by default, and ACCEPT on traffic coming in the LAN interface and going out the WAN interface (and ESTABLISHED data). As it is now, a host on your WAN interface could use your system as its gateway, and you'd MASQ its traffic.
:FORWARD DROP [0:0]
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state NEW -i eth0 -o eth1 -j ACCEPT
Best practice is to apply both egress and ingress filters as well. You should only forward traffic to the WAN if the source address is one that you use on your LAN. You should only forward traffic to your LAN if the source is *not* an address you use in your LAN.
I think that looks like this in iptables, but I might be wrong...
:FORWARD DROP [0:0]
-A FORWARD -m state --state ESTABLISHED,RELATED -i eth1 -s ! -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -i eth0 -j ACCEPT
-A FORWARD -m state --state NEW -i eth0 -o eth1 -s -j ACCEPT
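As an added example (not from either poster), here is a complete /etc/sysconfig/iptables in iptables-save format that puts the advice above together: FORWARD defaults to DROP, new connections may only be opened from the LAN side, ingress and egress anti-spoofing rules sit in front of the state rules, and MASQUERADE is limited to LAN sources leaving via the WAN. It assumes eth0 is the LAN interface, eth1 the WAN interface, and 192.168.1.0/24 as a placeholder LAN subnet; the INPUT rules are a minimal stand-in because the quoted file is cut off there.

```text
# Assumed layout (placeholders, not from the thread): eth0 = LAN, eth1 = WAN,
# LAN subnet = 192.168.1.0/24. Replace with your own values before loading.
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Only NAT traffic that really comes from the LAN and really leaves via the WAN;
# an unrestricted MASQUERADE would also rewrite packets from WAN hosts that
# point their default route at this box.
-A POSTROUTING -s 192.168.1.0/24 -o eth1 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Minimal INPUT stand-in: loopback plus replies to connections this host opened.
# Add your own service rules (e.g. SSH from the LAN) here.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Ingress filter: a packet arriving on the WAN must never carry a LAN source
# address (spoofed packets would otherwise match the LAN->WAN rules below).
-A FORWARD -i eth1 -s 192.168.1.0/24 -j DROP
# Egress filter: a packet arriving on the LAN must carry a LAN source address,
# so a compromised or misconfigured LAN host cannot spoof outbound traffic.
-A FORWARD -i eth0 ! -s 192.168.1.0/24 -j DROP
# Replies in either direction, but only between LAN and WAN and only for
# connections already tracked by conntrack.
-A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
# New connections may only be opened from the LAN towards the WAN.
-A FORWARD -i eth0 -o eth1 -s 192.168.1.0/24 -m state --state NEW -j ACCEPT
# Log whatever falls through before the DROP policy eats it, so spoofing
# attempts and WAN hosts trying to use this box as a gateway show up in syslog.
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FORWARD drop: "
COMMIT
```

Check the result with `iptables-save` after `service iptables restart`, and watch `/var/log/messages` for the `FORWARD drop:` prefix while testing from both sides of the box.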