path: root/2005/iptables-firewall-heinlein2005/praxis1.txt
Diffstat (limited to '2005/iptables-firewall-heinlein2005/praxis1.txt')
-rw-r--r-- 2005/iptables-firewall-heinlein2005/praxis1.txt  29
1 files changed, 29 insertions, 0 deletions
diff --git a/2005/iptables-firewall-heinlein2005/praxis1.txt b/2005/iptables-firewall-heinlein2005/praxis1.txt
new file mode 100644
index 0000000..cfc162c
--- /dev/null
+++ b/2005/iptables-firewall-heinlein2005/praxis1.txt
@@ -0,0 +1,29 @@
+Case 1: basic firewall, no DMZ, no NAT
+
+
+wlan0: internet uplink (10.0.0.x/24)
+eth1: internal network (192.168.111.x/24)
+
+Policy:
+- drop all incoming requests (except below), allow all outgoing ones.
+- Log the dropped packets via syslog
+- Take care of FTP
+- Anti-Spoofing Rules
+- Incoming connections to internal network allowed (stateful)
+ - ICMP echo request
+ - SSH to all internal hosts
+- Incoming connections to firewall:
+ - SSH to firewall
+- Incoming connections to server1 (192.168.111.4):
+ - One host "server1" accepts FTP, SMTP and HTTP
+
+
+Case 2: Add DMZ, NAT for internal net
+
+eth0: like above
+eth1: internal net (192.168.111.0/24)
+eth2: DMZ (10.2.2.1/24)
+
+Policy (like above, but):
+- server1 now lives in DMZ
+- internal network now SNAT'ed (to 10.1.1.2/24)
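Review bot: the interface and address notation is inconsistent between the two cases, which will trip up anyone turning this spec into rules. Case 1 names the uplink "wlan0", but Case 2 says "eth0: like above", so the uplink interface is never defined for Case 2; pick one name and use it in both. Case 2 also writes host addresses with a network prefix: "eth2: DMZ (10.2.2.1/24)" and "SNAT'ed (to 10.1.1.2/24)". The DMZ line should give the network (10.2.2.0/24) or the firewall's own interface address (10.2.2.1) but not a mix, and the SNAT target is a single address (10.1.1.2), since a /24 there reads as a range. Finally, Case 1 allows "SSH to all internal hosts" from the uplink while the policy header says drop all incoming; stating explicitly that this exception is intended (and from which sources) would make the anti-spoofing and stateful requirements easier to check against the resulting ruleset.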
personal git repositories of Harald Welte. Your mileage may vary