Networking Forums

iptables security question

 
 
Andreas Westendoerpf
Guest
Posts: n/a

 
      06-01-2004, 07:06 PM
Hi *!

I have the following setup. Please tell me if I have some security
issues here.

A Linux box with two ethernet interfaces works as a masquerading
router. One of them (eth0) is connected to a DSL modem, the other is a
WLAN card (eth1). All client systems get this box as their default gateway
via DHCP.

My goal is to drop everything coming from the wlan by default. I do
this with:

# iptables -t nat -P PREROUTING DROP

I want all www-requests of the client systems to be redirected to
the local Apache on the box. I do this with:

# iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth1 -j REDIRECT

As I need DNS for these www-requests I have to let DNS be accepted:

# iptables -t nat -A PREROUTING -p udp --dport 53 -i eth1 -j ACCEPT

Then, in the POSTROUTING chain I need all the packets that made it
here to be masqueraded:

# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

If I want to allow a specific wlan client to get outside connections I
use:

# iptables -t nat -I PREROUTING -m mac --mac-source XX:XX:XX:XX:XX:XX -i eth1 -j ACCEPT

to let him through.

Besides MAC spoofing, is this setup safe? Can someone get through the
PREROUTING chain without being "MAC-inserted"?

What can I do to block incoming connection attempts? I only want to
allow ssh from outside (internet) to the box.

Any help would be appreciated!

THX,
Andreas Westendörpf

--
If my mom could cook like Cartman's mom, I would become a big fatass, too. [Aus Southpark]
Christoph Scheurer
Guest
Posts: n/a

 
      06-07-2004, 07:48 AM
On Tue, 01 Jun 2004 21:06:20 +0200
Andreas Westendoerpf <(E-Mail Removed)> wrote:

# Default Policy DROP

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# Add stateful inspection

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Always allow traffic on lo

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow ssh from outside

iptables -A INPUT -i eth0 -p tcp --dport 22 --syn -j ACCEPT

# Allow DNS-Requests to the Outside

iptables -A OUTPUT -o eth0 -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -p udp --dport 53 -j ACCEPT

# Redirect http-traffic to localhost; do you have a proxy running there?
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-ports 80
iptables -A INPUT -i eth1 -p tcp --dport 80 --syn -j ACCEPT

# If a proxy is running
iptables -A OUTPUT -o eth0 -p tcp --dport 80 --syn -j ACCEPT

# Enable traffic for certain clients
iptables -A FORWARD -i eth1 -o eth0 -m mac --mac-source XX:XX:XX:XX:XX:XX -j ACCEPT



Beware, the mac-address can be forged.

Greets
Chris
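The structural point of the reply above, as an added example that is not from either poster: the nat table is consulted only for the first packet of a connection, so default-deny and the per-client allow list belong in the filter table (INPUT/FORWARD/OUTPUT), while nat PREROUTING/POSTROUTING only rewrite (REDIRECT, MASQUERADE). The script generates that ruleset for the thread's eth0/eth1 layout, validates that each allowed MAC really has six octets, and defaults to a dry run (IPT is assumed to be `echo iptables` unless overridden).

```shell
#!/bin/sh
# Added example, not from the thread. Generates the ruleset with the
# filter table doing all dropping; the nat table only rewrites.
# IPT defaults to "echo iptables" (dry run); set IPT=iptables to apply.
# Usage: . ./wlan-fw.sh; IPT=iptables build_rules 00:11:22:33:44:55
IPT="${IPT:-echo iptables}"   # assumption: dry run by default
WAN="${WAN:-eth0}"            # DSL side, as in the thread
LAN="${LAN:-eth1}"            # WLAN side, as in the thread

# A MAC address is exactly six colon-separated hex octets.
valid_mac() {
    printf '%s' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Emit the ruleset. Arguments: MACs of WLAN clients allowed out to the internet.
build_rules() {
    for mac in "$@"; do
        valid_mac "$mac" || { echo "build_rules: bad MAC '$mac'" >&2; return 1; }
    done
    # Default deny in the filter table, where every packet is seen.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP
    $IPT -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    # From the internet, only new ssh connections reach the box.
    $IPT -A INPUT -i "$WAN" -p tcp --dport 22 --syn -j ACCEPT
    # DNS for the box itself and for WLAN clients.
    $IPT -A OUTPUT  -o "$WAN" -p udp --dport 53 -j ACCEPT
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -p udp --dport 53 -j ACCEPT
    # Client HTTP lands on the local Apache: nat rewrites, filter INPUT admits.
    $IPT -t nat -A PREROUTING -i "$LAN" -p tcp --dport 80 -j REDIRECT --to-ports 80
    $IPT -A INPUT -i "$LAN" -p tcp --dport 80 --syn -j ACCEPT
    # Per-client forwarding by MAC (forgeable: a convenience, not authentication).
    for mac in "$@"; do
        $IPT -A FORWARD -i "$LAN" -o "$WAN" -m mac --mac-source "$mac" -j ACCEPT
    done
    # Masquerade whatever the filter table let through.
    $IPT -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}
```

Run it once as a dry run and read the output before setting IPT=iptables; a client with no MAC rule still gets DNS and the redirected HTTP, nothing else.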