[Courses] Reading Raven's Mind, Part II -- IPtables on a Home Network

Raven, corporate courtesan raven at oneeyedcrow.net
Mon May 13 18:11:43 EST 2002


Heya --

	Sorry I've been so hard to reach lately, y'all.  Between working
80 hour weeks, moving, and having server problems it has been a real
challenge for me to spend any non-work time online.

	So, let's take a different tack for the iptables example than we
did for ipchains.  A small home network, where you happen to host your
server and have several workstations.  Then once we've got the basics
hammered out, we'll start complicating it with NAT and such.  But for
the moment:

	You are a security-savvy geek with a DSL line and a small home
network.  Right now, you have six boxes at home, and you want to get a
firewall up before you connect them to your brand new shiny DSL.  Your
firewall box runs a Linux 2.4.19 kernel, with all the relevant iptables
modules added in when you installed.  Since your DSL provider is generous, you
have routable IPs for all of your boxes.  Your DSL provider gives you
the IPs for your firewall free of charge.

	Because your DSL provider runs bridged rather than switched (you
essentially share a DSL LAN with others in your area), you don't get
your own /28 or so.  You get addresses assigned out of their local /24.
You have been assigned the following:

1.1.1.1/24 -- your ISP's gateway machine, which you direct packets to in
order to get them to the Internet.

1.1.1.2 -- your firewall's external interface
1.1.1.3 -- your firewall's internal interface
1.1.1.4 -- your personal Web, mail, IMAP, and Icecast server
1.1.1.5 -- Linux workstation
1.1.1.6 -- OpenBSD laptop
1.1.1.7 -- Windows XP workstation
1.1.1.8 -- Windows 2000 workstation

	Pretty much the only people that use your home network are you
and your roommates, but the server's services need to be reachable to
you and your roommates from anywhere on the Net (with the exception of
IceCast).  The various laptops and workstations want to be able to run
AIM, Diablo, Gnutella, and ICQ, in addition to being able to browse the
web, get mail, etc.

	What sort of a firewall ruleset would you come up with to meet
these needs?  Anything else you need to know?

Cheers,
Raven

"You found the Amulet of Yendor!"
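One possible answer to the exercise, added here as an example; it is not Raven's ruleset and not an answer key. Beyond what the post states, it assumes eth0 is the external interface (1.1.1.2) and eth1 the internal one (1.1.1.3), that Icecast listens on TCP 8000, that the firewall is administered over SSH from the inside, and that routing between the two halves of the shared /24 is already sorted out. The script prints the rules by default so they can be reviewed; `sh fw.sh apply` loads them and only then turns forwarding on.

```shell
#!/bin/sh
# fw.sh: one possible iptables ruleset for the six-box home network above.
# Added example, not from the original post. Assumptions are marked.
rule() { printf 'iptables %s\n' "$*"; }   # emit a rule as a command line

EXT_IF=eth0                    # assumed: DSL side, 1.1.1.2
INT_IF=eth1                    # assumed: home side, 1.1.1.3
SERVER=1.1.1.4
HOME_HOSTS="1.1.1.4 1.1.1.5 1.1.1.6 1.1.1.7 1.1.1.8"
SERVER_PORTS="25 80 143"       # SMTP, HTTP, IMAP: reachable from anywhere
ICECAST_PORT=8000              # assumed Icecast port; never opened to the outside

build_ruleset() {
    # Flush everything and default to DROP in all three built-in chains
    rule -F
    rule -X
    rule -P INPUT DROP
    rule -P OUTPUT DROP
    rule -P FORWARD DROP

    # The firewall itself: loopback, tracked return traffic, SSH from inside only
    rule -A INPUT  -i lo -j ACCEPT
    rule -A OUTPUT -o lo -j ACCEPT
    rule -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    rule -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    rule -A INPUT  -i $INT_IF -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # Anti-spoofing: a packet arriving from the DSL side can never carry a home
    # address as its source, so drop it before any accept rule can match
    for h in $HOME_HOSTS; do
        rule -A FORWARD -i $EXT_IF -s $h -j DROP
    done

    # Replies to connections already in the state table pass in both directions
    rule -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Inbound: the server's public services, new connections only
    for p in $SERVER_PORTS; do
        rule -A FORWARD -i $EXT_IF -o $INT_IF -d $SERVER -p tcp --dport $p \
            -m state --state NEW -j ACCEPT
    done

    # Icecast stays local. The policy would drop outside attempts anyway; the
    # explicit pair gives them their own log prefix so probes are easy to spot.
    rule -A FORWARD -i $EXT_IF -d $SERVER -p tcp --dport $ICECAST_PORT \
        -m limit --limit 5/min -j LOG --log-prefix ICECAST-PROBE:
    rule -A FORWARD -i $EXT_IF -d $SERVER -p tcp --dport $ICECAST_PORT -j DROP

    # Outbound: each home host may open connections to the Net; the state
    # match above lets the replies back. Anything AIM/ICQ/Gnutella/Diablo need
    # as *inbound* connections is not opened here and would need its own rules.
    for h in $HOME_HOSTS; do
        rule -A FORWARD -i $INT_IF -o $EXT_IF -s $h -m state --state NEW -j ACCEPT
    done

    # Whatever is left gets a rate-limited log entry, then the policy drops it
    rule -A FORWARD -m limit --limit 5/min -j LOG --log-prefix FW-DROP:
}

case "${1:-}" in
    apply)
        build_ruleset | sh                      # load the rules
        echo 1 > /proc/sys/net/ipv4/ip_forward  # route only once the rules are in
        ;;
    *)
        build_ruleset                           # dry run: print for review
        ;;
esac
```

The ordering is the part worth checking when you adapt this: the anti-spoofing drops come before any ACCEPT, the ESTABLISHED,RELATED rule comes before the per-service NEW rules so it does most of the work, and the Icecast port appears only in LOG and DROP rules, never in an ACCEPT.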
