From fca59bea770346cf1c1f9b0e00cb48a61b44a8f3 Mon Sep 17 00:00:00 2001 From: Harald Welte Date: Sun, 25 Oct 2015 21:00:20 +0100 Subject: import of old now defunct presentation slides svn repo --- 2005/iptables-firewall-heinlein2005/praxis1.txt | 29 +++++++++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 2005/iptables-firewall-heinlein2005/praxis1.txt (limited to '2005/iptables-firewall-heinlein2005/praxis1.txt')
diff --git a/2005/iptables-firewall-heinlein2005/praxis1.txt b/2005/iptables-firewall-heinlein2005/praxis1.txt
new file mode 100644
index 0000000..cfc162c
--- /dev/null
+++ b/2005/iptables-firewall-heinlein2005/praxis1.txt
@@ -0,0 +1,29 @@
+Case 1: basic firewall, no DMZ, no NAT
+
+
+wlan0: internet uplink (10.0.0.x/24)
+eth1: internal network (192.168.111.x/24)
+
+Policy:
+- drop all incoming requests (except below), allow all outgoing ones.
+- Log the dropped packets via syslog
+- Take care of FTP
+- Anti-Spoofing Rules
+- Incoming connections to internal network allowed (stateful)
+ - ICMP echo request
+ - SSH to all internal hosts
+- Incoming connections to firewall:
+ - SSH to firewall
+- Incoming connections to server1 (192.168.111.4):
+ - One host "server1" accepts FTP, SMTP and HTTP
+
+
+Case 2: Add DMZ, NAT for internal net
+
+eth0: like above
+eth1: internal net (192.168.111.0/24)
+eth2: DMZ (10.2.2.1/24)
+
+Policy (like above, but):
+- server1 now lives in DMZ
+- internal network now SNAT'ed (to 10.1.1.2/24) -- cgit v1.2.3
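Review bot: Case 2's `eth0: like above` has nothing to refer back to, because Case 1 names the uplink `wlan0`; the uplink interface should be spelled the same in both cases (or Case 1 changed to eth0) before anyone turns this sheet into rules, since the anti-spoofing rules and the default-drop policy are both keyed on that interface. `SNAT'ed (to 10.1.1.2/24)` also reads as a prefix rather than an address: iptables `SNAT --to-source` takes an address or an address range, and 10.1.1.2 is not within the 10.0.0.x/24 uplink stated in Case 1, so the intended source address (presumably the firewall's own uplink address) should be given explicitly. From a policy standpoint, allowing inbound SSH `to all internal hosts` from the uplink undercuts the default-drop posture the first bullet sets up; if that is deliberate for the exercise, a one-line caveat such as `(exercise only - in production restrict inbound SSH to a single jump host)` would keep the sheet from being copied into a real ruleset as-is.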