Diffstat (limited to '2005/iptables-firewall-heinlein2005/praxis1.txt'):
-rw-r--r-- 2005/iptables-firewall-heinlein2005/praxis1.txt | 29
1 files changed, 29 insertions, 0 deletions
diff --git a/2005/iptables-firewall-heinlein2005/praxis1.txt b/2005/iptables-firewall-heinlein2005/praxis1.txt new file mode 100644 index 0000000..cfc162c --- /dev/null +++ b/2005/iptables-firewall-heinlein2005/praxis1.txt @@ -0,0 +1,29 @@ +Case 1: basic firewall, no DMZ, no NAT + + +wlan0: internet uplink (10.0.0.x/24) +eth1: internal network (192.168.111.x/24) + +Policy: +- drop all incoming requests (except below), allow all outgoing ones. +- Log the dropped packets via syslog +- Take care of FTP +- Anti-Spoofing Rules +- Incoming connections to internal network allowed (stateful) + - ICMP echo request + - SSH to all internal hosts +- Incoming connections to firewall: + - SSH to firewall +- Incoming connections to server1 (192.168.111.4): + - One host "server1" accepts FTP, SMTP and HTTP + + +Case 2: Add DMZ, NAT for internal net + +eth0: like above +eth1: internal net (192.168.111.0/24) +eth2: DMZ (10.2.2.1/24) + +Policy (like above, but): +- server1 now lives in DMZ +- internal network now SNAT'ed (to 10.1.1.2/24) |
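Review bot: the interface names of the two cases disagree: Case 1 lists the uplink as `wlan0: internet uplink (10.0.0.x/24)`, but Case 2 opens with `eth0: like above`, so one of the two lines should be corrected so the same uplink interface is meant throughout. The Case 2 line `internal network now SNAT'ed (to 10.1.1.2/24)` also needs attention: SNAT rewrites the source to an address (or address range), not to a network with a prefix length, and 10.1.1.2 is not on the stated uplink network 10.0.0.x/24, so the intended external address should be written out explicitly. Finally, `Take care of FTP` and `server1 now lives in DMZ` leave the exercise underspecified: say whether active or passive FTP has to work, since that decides whether the FTP connection-tracking helper is required, and give server1's address in the DMZ (it was 192.168.111.4 in Case 1), because the forwarding and DNAT rules for FTP, SMTP and HTTP depend on it.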