
[Sheflug] Re: Iptables



>
>
>    Baz> iptables -A FORWARD -i eth0 -o ppp0 -p tcp \
>    Baz>          -s 192.168.1.1/24 -d mail.mailserver.co.uk \
>    Baz>         --dport 110 -m state --state NEW,RELATED,ESTABLISHED \
>    Baz>          -j ACCEPT
>
>It's just occurred to me:
>
>Watch out for allowing new connections (--state NEW or --syn) if you
>haven't specified both in- and out- interfaces.
>Might be worth checking with nmap and/or telnet $pop_num.
>
>Do have a suitable policy or other rules further up the chain to block
>new connections from -i ppp0 or -s 0.0.0.0/0 ?
>

As a follower of this thread with interest, I wonder if you could clarify
this last point...

As Richard is using a private, non-routable address range for his internal
LAN - 192.168.1.0/24 - I imagine it is possible to produce packets with
source 192.168.1.x and fire them at his external IP - whatever ppp0 has
bound to it - from the Internet, but as I understand the situation it is
impossible to gain a reply to them, as his machines would not route their
replies back to the attacker.

More simply put, does his use of a private IP range and masquerading not
protect him?

Alan Dawson  
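To make the earlier warning concrete, here is an added toy evaluator (my own code, not iptables and not from anyone in the thread) that models first-match FORWARD-chain semantics for the fields Baz's rule uses. It shows that the quoted rule only lets a forged LAN-sourced packet arriving on ppp0 through when the `-i eth0 -o ppp0` binding is left out, and that a DROP policy or an explicit anti-spoofing rule placed earlier closes that hole; the packets, the 192.168.1.10 address and the treatment of the mail hostname as a plain string are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional

@dataclass(frozen=True)
class Packet:  # the fields of a forwarded packet that a FORWARD rule inspects
    in_iface: str
    out_iface: str
    src: str
    dst: str
    dport: int
    state: str  # conntrack state: NEW, ESTABLISHED or RELATED

@dataclass(frozen=True)
class Rule:  # None means "match anything", like an omitted iptables option
    target: str
    in_iface: Optional[str] = None
    out_iface: Optional[str] = None
    src_net: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    states: Optional[FrozenSet[str]] = None

    def matches(self, p: Packet) -> bool:
        in_net = (self.src_net is None or ipaddress.ip_address(p.src)
                  in ipaddress.ip_network(self.src_net, strict=False))
        return (in_net and self.in_iface in (None, p.in_iface)
                and self.out_iface in (None, p.out_iface)
                and self.dst in (None, p.dst) and self.dport in (None, p.dport)
                and (self.states is None or p.state in self.states))

def verdict(chain, packet, policy="DROP"):
    # First matching rule wins; the chain policy applies when none matches.
    for rule in chain:
        if rule.matches(packet):
            return rule.target
    return policy

MAIL = "mail.mailserver.co.uk"  # hostname from the quoted rule; DNS not modelled
STATES = frozenset({"NEW", "RELATED", "ESTABLISHED"})
# Baz's rule as quoted, and the same rule with -i/-o left out.
bound = Rule("ACCEPT", "eth0", "ppp0", "192.168.1.0/24", MAIL, 110, STATES)
unbound = Rule("ACCEPT", None, None, "192.168.1.0/24", MAIL, 110, STATES)
# Anti-spoofing rule to put first: nothing arriving on ppp0 may claim a LAN source.
antispoof = Rule("DROP", in_iface="ppp0", src_net="192.168.1.0/24")
# Constructed packets: a LAN client opening a POP3 session, and a forged packet
# from the Internet side carrying a LAN source address (Alan's scenario).
legit = Packet("eth0", "ppp0", "192.168.1.10", MAIL, 110, "NEW")
spoofed = Packet("ppp0", "ppp0", "192.168.1.10", MAIL, 110, "NEW")

def outcomes(chain, policy="DROP"):
    return verdict(chain, legit, policy), verdict(chain, spoofed, policy)
```

Masquerading is not modelled here because it does not change the verdict: whether the forged packet is accepted is decided in FORWARD before any NAT applies on the way out.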
___________________________________________________________________

Sheffield Linux User's Group -
http://www.sheflug.co.uk/mailfaq.html

  GNU the choice of a complete generation.