[ale] IPtables question, OOPS File Attached

Chris Fowler cfowler at outpostsentinel.com
Mon Jul 12 09:05:42 EDT 2004


On Sun, 2004-07-11 at 22:33, Dow Hurst wrote:
> Chris Fowler wrote:
> 
> >I just added a 3rd nic to my linux firewall.  On that nic I have it
> >directly connected via cross-over to a server that is running an
> >application.  I did this because my customers will be using that
> >application from the Internet.  If for some reason someone was to gain 
> >access to that box I do not want them to be able to come back to the
> >firewall and jump over to the 2nd nic to my company network.  
> >
> >What would be a good rule that would allow all incoming traffic from
> >the outside and 2nd nic to that box but would disallow any traffic
> >originating from that machine?
> >
> >_______________________________________________
> >Ale mailing list
> >Ale at ale.org
> >http://www.ale.org/mailman/listinfo/ale
> >
> To solve this effectively, you can try using Bob's iptables rules in his 
> book (2nd ed.) and adapt a second set of variables for the 3rd 
> interface.  Diagram what you want to go where in map and work your way 
> thru his ruleset to make sure nothing violates the allowed pathways.  I 
> didn't have a 3rd interface so could just test out the ruleset as is.  I 
> only had to tweak one rule to allow incoming SSH connections to any IP 
> in the internal LAN and add one rule to allow access from what I called 
> the DMZ to a license server on the internal LAN.  His egress and 
> loopback rules really make sense once you've worked thru them.  It is 
> also a tested set of rules that you won't have to build yourself.
> Dow
> 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: masq
Type: text/x-sh
Size: 4815 bytes
Desc: not available
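The rule set below is an added example, not part of this thread, not the scrubbed "masq" attachment, and not the ruleset from the book Dow refers to. It implements the policy Chris asks for with a third interface: the firewall forwards new connections from the Internet and from the company LAN to the server on the cross-over cable, but drops (and logs) every new connection the server itself tries to open toward the firewall or any other interface, so a compromised server cannot "come back" through the firewall. The interface names (eth0/eth1/eth2), the server's address, and the application port are assumptions; adjust them to match the real firewall.

```shell
#!/bin/sh
# Added example (assumed topology, not the firewall discussed in the thread):
#   eth0 = Internet, eth1 = company LAN, eth2 = cross-over cable to the app server.
WAN_IF=eth0
LAN_IF=eth1
DMZ_IF=eth2
DMZ_HOST=192.168.2.2   # assumed address of the app server on the cross-over cable
APP_PORT=443           # assumed port the customers' application listens on

# IPT is the command used to emit each rule. The default only prints the rules
# so the script can be reviewed (and tested) without root; run it with
# IPT=iptables as root to apply them.
IPT="${IPT:-echo iptables}"

build_rules() {
    # Default deny for everything routed through the firewall.
    $IPT -P FORWARD DROP

    # Replies to connections that were allowed below may flow in either direction.
    # This rule must come before the DMZ drop rules, or the server could never answer.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Internet clients reach only the application port on the app server
    # (the DNAT line publishes that port on the firewall's outside address,
    # which is needed when the server uses a private address like the one assumed here).
    $IPT -t nat -A PREROUTING -i $WAN_IF -p tcp --dport $APP_PORT -j DNAT --to-destination $DMZ_HOST
    $IPT -A FORWARD -i $WAN_IF -o $DMZ_IF -d $DMZ_HOST -p tcp --dport $APP_PORT -m state --state NEW -j ACCEPT

    # The company LAN may open any connection to the app server (for administration).
    $IPT -A FORWARD -i $LAN_IF -o $DMZ_IF -d $DMZ_HOST -m state --state NEW -j ACCEPT

    # Nothing NEW may originate from the app server toward any other interface.
    # Log the attempt first: a hit here is a strong sign the server is compromised.
    $IPT -A FORWARD -i $DMZ_IF -m state --state NEW -j LOG --log-prefix "DMZ-NEW: "
    $IPT -A FORWARD -i $DMZ_IF -j DROP

    # The same policy for traffic aimed at the firewall itself: replies only.
    $IPT -A INPUT -i $DMZ_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i $DMZ_IF -j DROP
}

build_rules
```

Two practical consequences of this policy: the app server can no longer do its own DNS lookups or fetch updates, so those have to be done from the LAN side or allowed with narrowly scoped rules (specific destination, port and protocol) placed before the DMZ drop; and because the LAN-to-server rule is "any port", an attacker on the server still sees whatever LAN hosts initiate toward it, so keep administrative access from the LAN to the minimum needed.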