path: root/2005/iptables-firewall-heinlein2005/praxis1.txt
blob: cfc162c873050c4aa4a4bc67e24ca635c5a6ed39 (plain)
Case 1: basic firewall, no DMZ, no NAT


wlan0: internet uplink (10.0.0.x/24)
eth1: internal network (192.168.111.x/24)

Policy:
- Drop all incoming requests (except those listed below), allow all outgoing ones.
- Log the dropped packets via syslog
- Take care of FTP
- Anti-spoofing rules
- Incoming connections to the internal network allowed (stateful):
	- ICMP echo request
	- SSH to all internal hosts
- Incoming connections to the firewall:
	- SSH to the firewall
- Incoming connections to server1 (192.168.111.4):
	- One host, "server1", accepts FTP, SMTP and HTTP
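One way to express the Case 1 policy above as an iptables-restore ruleset, as an added example that is not part of the original exercise text. It uses the interface names, networks and the server1 address given above; the chain name LOGDROP, the log prefix and the rate limit are my own choices.

```shell
#!/bin/sh
# Added example, not part of the original exercise: one way to write the
# Case 1 policy as an iptables-restore ruleset. Interfaces, networks and the
# server1 address are the values from the exercise text.
# gen_case1_rules prints the ruleset rather than loading it, so it can be
# reviewed first and then fed to "iptables-restore" on the firewall host.
UPLINK=wlan0
LAN=eth1
LAN_NET=192.168.111.0/24
SERVER1=192.168.111.4

gen_case1_rules() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
# LOGDROP: log via syslog (rate limited so the log is not flooded), then drop
-A LOGDROP -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
-A LOGDROP -j DROP
# anti-spoofing: internal addresses never arrive on the uplink, and only
# internal addresses arrive on the LAN interface
-A INPUT -i $UPLINK -s $LAN_NET -j LOGDROP
-A FORWARD -i $UPLINK -s $LAN_NET -j LOGDROP
-A INPUT -i $LAN ! -s $LAN_NET -j LOGDROP
-A FORWARD -i $LAN ! -s $LAN_NET -j LOGDROP
# stateful: replies and RELATED connections (FTP data channels, once the
# conntrack FTP helper module is loaded) are accepted before per-service rules
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# to the firewall itself: SSH only
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
# to the internal net: echo request and SSH to every host
-A FORWARD -i $UPLINK -o $LAN -p icmp --icmp-type echo-request -j ACCEPT
-A FORWARD -i $UPLINK -o $LAN -p tcp --dport 22 -m state --state NEW -j ACCEPT
# server1 only: FTP, SMTP and HTTP
-A FORWARD -i $UPLINK -o $LAN -d $SERVER1 -p tcp -m multiport --dports 21,25,80 -m state --state NEW -j ACCEPT
# everything from inside may go out; anything left is logged and dropped
-A FORWARD -i $LAN -o $UPLINK -j ACCEPT
-A INPUT -j LOGDROP
-A FORWARD -j LOGDROP
COMMIT
EOF
}

gen_case1_rules
```

Loading it with `iptables-restore` replaces the whole filter table, so check the output first (for example that the anti-spoofing and LOGDROP rules come before the ACCEPT rules) and load the FTP conntrack helper module beforehand, otherwise FTP data connections will not match RELATED.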


Case 2: Add DMZ, NAT for internal net

eth0: like above
eth1: internal net (192.168.111.0/24)
eth2: DMZ (10.2.2.1/24)

Policy (like above, but):
- server1 now lives in DMZ
- internal network now SNAT'ed (to 10.1.1.2/24)
personal git repositories of Harald Welte. Your mileage may vary