Mailing List Archive

Re: firewalling behind NAT?



Hi Scott,

The following is the default RH7.1 ipchain rules that it set up for me
on install.

:input ACCEPT
:forward ACCEPT
:output ACCEPT
-A input -s 0/0 -d 0/0 -i lo -j ACCEPT
-A input -p tcp -s 0/0 -d 0/0 0:1023 -y -j REJECT
-A input -p tcp -s 0/0 -d 0/0 2049 -y -j REJECT
-A input -p udp -s 0/0 -d 0/0 0:1023 -j REJECT
-A input -p udp -s 0/0 -d 0/0 2049 -j REJECT
-A input -p tcp -s 0/0 -d 0/0 6000:6009 -y -j REJECT
-A input -p tcp -s 0/0 -d 0/0 7100 -y -j REJECT

I've been playing with iptables though and it's lots of fun :) If you wouldn't
mind sending me your iptables script that would be great.

Back to the other question though, is there any reason that I would need
a firewall behind NAT (apart from the geek factor)? And if so, how does it
work, i.e. how do they come through NAT from the outside to attack my machine?

Tom.

On Mon, May 21, 2001 at 11:07:59AM -0700, Scott Stone wrote:
> 
> yes, default drop and then add in things to accept is, in my view, the
> Correct Way to Do Things.  I can send you an iptables script to do that.
> 
> If you're running 7.1 and using ipchains, especially if that's the default
> redhat way of doing things, someone at RH needs to be bonked on the head
> repeatedly... with 2.4, you use iptables... no real reason not to.
> 
> -----------------------------------------------------
> Scott M. Stone <sstone@example.com>
> Senior Technical Consultant - UNIX and Networking
> Taos, the Sysadmin Company - Santa Clara, CA
> 
> 
> -----Original Message-----
> From: Thomas O'Dowd [mailto:tom@example.com]
> Sent: Monday, May 21, 2001 8:17 AM
> To: tlug group
> Subject: firewalling behind NAT?
> 
> 
> Hi,
> 
> Quick question, do you need to use a firewall if you are behind a NAT
> router? Ie, my machine has a non-routable ip address and the gateway
> is a separate box (in this case, an ADSL router) on the LAN. I filter all
> open ports on the router to only accept incoming connections to the router
> on the internal interface. Quick port scan from the outside confirmed this.
> Since I'm not really filtering anything else right now, can a cracker
> somehow find a way through my router to a NAT'd machine on the inside? I
> don't think so, but I could be wrong?
> 
> Also, just installed RH7.1 and think it is kinda weird that they start
> with ipchain policies of accept and add explicit things to drop rather
> than a policy of drop and the other way round, which is probably the
> way that I would do it.
> 
> Cheers,
> 
> Tom.
> -- 
> Thomas O'Dowd. - Nooping - http://nooper.com
> tom@example.com - Testing - http://nooper.co.jp/labs
> 
> -----------------------------------------------------------------------
> Next Technical Meeting:  Sat, May 12 13:30- 
> Next Nomikai Meeting:    Fri, June (TBA) 19:30- Tengu Tokyo Eki Mae
> -----------------------------------------------------------------------
> more info: http://www.tlug.gr.jp           Sponsor: Global Online Japan
> 

-- 
Thomas O'Dowd. - Nooping - http://nooper.com
tom@example.com - Testing - http://nooper.co.jp/labs
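For contrast with the RH7.1 ipchains defaults quoted above (policy ACCEPT plus explicit REJECTs), here is what Scott's "default drop, then add in things to accept" approach looks like as a 2.4-kernel iptables script. This is an added example, not Scott's script and not Red Hat's defaults; the LAN range and the single exposed service (ssh from the LAN only) are assumptions.

```shell
#!/bin/sh
# Added example of a default-deny iptables ruleset for a host behind a
# NAT router. Every port the RH7.1 ipchains rules reject (0:1023, 2049,
# 6000:6009, 7100) is dropped by the policy here; only exceptions are listed.
# Set IPT=echo (or run with "dry-run") to print the rules without root.
IPT="${IPT:-iptables}"
LAN="${LAN:-192.168.1.0/24}"   # assumed private LAN behind the NAT router

build_firewall() {
    # Flush every built-in chain, then set the default-deny policies.
    $IPT -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback traffic is always allowed (same as the ipchains lo rule).
    $IPT -A INPUT -i lo -j ACCEPT

    # Replies to connections this host opened. Connection tracking replaces
    # the ipchains "-y" (SYN-only) trick and also covers UDP answers.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Packets conntrack cannot place in any connection are dropped early.
    $IPT -A INPUT -m state --state INVALID -j DROP

    # Services deliberately exposed, and only to the LAN (assumed: ssh).
    # Nothing else needs a rule because the policy already drops it.
    $IPT -A INPUT -p tcp -s "$LAN" --dport 22 -j ACCEPT

    # Rate-limited log of what is about to hit the DROP policy, so a scan
    # that does reach the inside of the NAT leaves a trace in syslog.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT DROP: "
}

# "sh fw.sh apply" loads the rules (needs root); "sh fw.sh dry-run" only
# prints them. With no argument the functions are defined but not run.
case "${1:-}" in
    apply)   build_firewall ;;
    dry-run) IPT=echo; build_firewall ;;
esac
```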