As there is a neighbor thread about password and authentication (http://www.raspberrypi.org/forums/viewt ... 22#p733622), I think there should also be a thread about firewall rules.
Any suggestion is great. Thanks for posting them~
I'm using Pi as the gateway to Internet:
LAN => Pi => PPPoE => ISP
I'm not defending a nuclear attack, just don't want public see my secret directory.
I read a HOWTO on IP Masq: http://tldp.org/HOWTO/IP-Masquerade-HOWTO/
and check its example firewall rule set at section 6.4
The rule I learned is that, in English: Except for ICMP, I would listen to nobody unless I talked first.
So I wrote an iptables rule set like this:
Code: Select all
#!/bin/bash
IPTABLES="/sbin/iptables"
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT
# pppd auto-generated line clone
$IPTABLES -t mangle -o "$PPP_IFACE" --insert FORWARD 1 -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1400:65495 -j TCPMSS --clamp-mss-to-pmtu
$IPTABLES -A INPUT '!' -i "$PPP_IFACE" -j ACCEPT
$IPTABLES -A FORWARD '!' -i "$PPP_IFACE" -j ACCEPT
$IPTABLES -A INPUT -i "$PPP_IFACE" -p icmp -j ACCEPT
$IPTABLES -A INPUT -i "$PPP_IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i "$PPP_IFACE" -p icmp -j ACCEPT
$IPTABLES -A FORWARD -i "$PPP_IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -o "$PPP_IFACE" -j MASQUERADE
As this is the first iptables rule set I've ever wrote, do I missed something important?
Again, any suggestion is great, thanks for posting them!
