Reading Raven's Mind, Part II -- IPtables on a Home Network
Sorry I've been so hard to reach lately, y'all. Between working
80-hour weeks, moving, and having server problems, it has been a real
challenge for me to spend any non-work time online.
So, let's take a different tack for the iptables example than we
did for ipchains: a small home network, where you happen to host your
server and have several workstations. Then once we've got the basics
hammered out, we'll start complicating it with NAT and such. But for
You are a security-savvy geek with a DSL line and a small home
network. Right now, you have six boxes at home, and you want to get a
firewall up before you connect them to your brand new shiny DSL. Your
firewall box runs a Linux 2.4.19 kernel, with all the relevant iptables
modules added when you installed it. Since your DSL provider is generous, you
have routable IPs for all of your boxes. Your DSL provider gives you
the IPs for your firewall free of charge.
Because your DSL provider runs bridged rather than switched (you
essentially share a DSL LAN with others in your area), you don't get
your own /28 or so. (We're using CIDR
notation here.) You get addresses assigned out of their local /24.
You have been assigned the following:
184.108.40.206/24 -- your ISP's gateway machine, which you direct packets to
in order to reach the Internet.
220.127.116.11 -- your firewall's external interface
18.104.22.168 -- your firewall's internal interface
22.214.171.124 -- your personal Web, mail, IMAP, and Icecast server
126.96.36.199 -- Linux workstation
188.8.131.52 -- OpenBSD laptop
184.108.40.206 -- Windows XP workstation
220.127.116.11 -- Windows 2000 workstation
Pretty much the only people who use your home network are you
and your roommates, but the server's services need to be reachable by
you and your roommates from anywhere on the Net (with the exception of
IceCast). The various laptops and workstations want to be able to run
AIM, Diablo, Gnutella, and ICQ, in addition to being able to browse the
web, get mail, etc.
What sort of a firewall ruleset would you come up with to meet
these needs? Anything else you need to know?
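One ruleset that meets the stated needs, offered here as an added example and not as the article's own answer. It assumes eth0 is the firewall's external interface and eth1 its internal one, that the box already routes between them (how the shared /24 is split, e.g. with proxy ARP, is left out), that Icecast listens on its default port 8000, and that ip_conntrack is loaded so `-m state` works; ssh-from-inside for administration is an assumption too.

```shell
#!/bin/sh
# Added example, not the article's code.  Set IPT=echo to print the rules
# instead of loading them (useful for reviewing the policy before applying).
IPT=${IPT:-iptables}
EXT_IF=eth0                   # assumption: external interface
INT_IF=eth1                   # assumption: internal interface
SERVER=22.214.171.124         # Web, mail, IMAP and Icecast server (from the page)
PUBLIC_TCP="25 80 143"        # SMTP, Web, IMAP: reachable from anywhere on the Net
ICECAST_PORT=8000             # assumption: Icecast default port; inside only

apply_rules() {
    $IPT -F; $IPT -X
    # Default deny for traffic to and through the firewall; the firewall's
    # own outbound traffic is allowed.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    # Replies to connections started from the inside (browsing, mail pickup,
    # AIM, ICQ, and the outbound side of Gnutella and Diablo sessions).
    $IPT -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Anything the workstations and laptop start toward the Net is allowed.
    $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -m state --state NEW -j ACCEPT
    # The server's public services, reachable from anywhere.
    for p in $PUBLIC_TCP; do
        $IPT -A FORWARD -i "$EXT_IF" -d "$SERVER" -p tcp --dport "$p" \
             -m state --state NEW -j ACCEPT
    done
    # Icecast stays private: outside attempts are logged with their own
    # prefix and dropped, so they are easy to spot in the kernel log.
    $IPT -A FORWARD -i "$EXT_IF" -d "$SERVER" -p tcp --dport "$ICECAST_PORT" \
         -j LOG --log-prefix "icecast-from-outside: "
    $IPT -A FORWARD -i "$EXT_IF" -d "$SERVER" -p tcp --dport "$ICECAST_PORT" -j DROP
    # Administer the firewall itself only from the inside (assumption: ssh).
    $IPT -A INPUT -i "$INT_IF" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    # Whatever falls through to the DROP policies is logged first.
    $IPT -A INPUT   -j LOG --log-prefix "fw-input-drop: "
    $IPT -A FORWARD -j LOG --log-prefix "fw-forward-drop: "
}

# Inbound ports for Diablo/Battle.net and Gnutella peers are not opened here
# because the article does not name them; add them the same way as PUBLIC_TCP
# once you know which host and port each one needs.
if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Run it as `sh fw.sh apply` on the firewall, or `IPT=echo sh fw.sh apply` to review the generated rules first.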
Copyright (c) 2002 by Raven Alder. This material
may be distributed only subject to the terms and
conditions set forth in the Open Publication License,
v1.0 or later (the latest version is presently
available at http://www.opencontent.org/openpub/).