Re: [LAD] [ot] - NEED some security advise PLEASE! + new question

From: Luis Garrido <luisgarrido@email-addr-hidden>
Date: Sun Feb 15 2009 - 15:03:26 EET

> /sbin/rmmod ipchains
> /sbin/modprobe iptable_nat
> /sbin/modprobe ip_conntrack_ftp
> /sbin/modprobe ip_nat_ftp
> /sbin/iptables -F -t filter
> /sbin/iptables -Z -t filter
> /sbin/iptables -X -t filter
> /sbin/iptables -F -t nat
> /sbin/iptables -Z -t nat
> /sbin/iptables -X -t nat
> /sbin/iptables -P INPUT ACCEPT

^ Here you give permission to anyone to connect to any listening port
in your router box. Not the safest thing in the world.

> /sbin/iptables -P FORWARD ACCEPT
> /sbin/iptables -P OUTPUT ACCEPT
> /sbin/iptables -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP

^ So you trust your internal network completely. Nice place!

> /sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>
> # enable forwarding
> echo 1 > /proc/sys/net/ipv4/ip_forward
> # drop spoof packets
> echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
>

ACCEPT default policies are too permissive and it is easy to miss a
gap. If you are really concerned about security a better start is to
slam shut everything with a DROP policy in every chain and then open
up a few select holes.

L
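To make the "DROP policy first, then a few select holes" suggestion concrete, here is a default-deny rewrite of the quoted script. This is an added example, not the original poster's script and not Luis's. It assumes things the post does not state: eth0 faces the Internet and eth1 is the LAN (the original only names eth0), the router itself only needs SSH reachable from the LAN, and nothing on the LAN must be reachable from outside. The modprobe and /proc/sys lines are unchanged from the original and left out here.

```sh
#!/bin/sh
# Default-deny version of the quoted iptables script (added example, not the
# poster's script). Assumptions not in the original post: eth0 = Internet side,
# eth1 = LAN, SSH on the router only from the LAN, no inbound services.
set -u

IPT="${IPT:-/sbin/iptables}"
WAN="${WAN:-eth0}"
LAN="${LAN:-eth1}"

# Reset both tables as the original does, then set DROP policies so that
# anything not matched by a rule below is discarded instead of accepted.
firewall_reset() {
    for table in filter nat; do
        "$IPT" -t "$table" -F
        "$IPT" -t "$table" -X
        "$IPT" -t "$table" -Z
    done
    "$IPT" -P INPUT   DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -P OUTPUT  DROP
}

# The "select holes": each rule opens exactly one thing on purpose.
firewall_rules() {
    # Loopback is needed by local daemons.
    "$IPT" -A INPUT  -i lo -j ACCEPT
    "$IPT" -A OUTPUT -o lo -j ACCEPT

    # Drop malformed / out-of-state packets early, as the original did on FORWARD.
    "$IPT" -A INPUT   -m state --state INVALID -j DROP
    "$IPT" -A FORWARD -m state --state INVALID -j DROP

    # Replies to connections the router or the LAN started (RELATED also
    # covers the FTP data connections the original loads ip_conntrack_ftp for).
    "$IPT" -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A OUTPUT  -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

    # The only service the router itself exposes: SSH, and only from the LAN.
    "$IPT" -A INPUT -i "$LAN" -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # The LAN may open new connections towards the Internet; the reverse
    # direction never gets past the FORWARD DROP policy.
    "$IPT" -A FORWARD -i "$LAN" -o "$WAN" -m state --state NEW -j ACCEPT

    # Same masquerading as the original.
    "$IPT" -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

firewall_apply() {
    firewall_reset
    firewall_rules
}

# Run with --apply as root to load the rules. Without it, the commands are
# only printed so the rule set can be reviewed before it locks you out.
case "${1:-}" in
    --apply) firewall_apply ;;
    *)       IPT=echo; firewall_apply ;;
esac
```

Review the printed rule list first, then apply it from the console rather than over SSH: with OUTPUT and INPUT both at DROP, a typo in the loopback or ESTABLISHED rules cuts off your own session.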
_______________________________________________
Linux-audio-dev mailing list
Linux-audio-dev@email-addr-hidden
http://lists.linuxaudio.org/mailman/listinfo/linux-audio-dev
Received on Sun Feb 15 16:15:06 2009

This archive was generated by hypermail 2.1.8 : Sun Feb 15 2009 - 16:15:06 EET