RedHat 7.2 firewall/router vulnerabilities (Linux Security forum discussion)
Can anyone tell me what the following lines do in RedHat Linux 7.2 (kernel 2.4.7-10)?

    modprobe iptable_nat
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    iptables -A INPUT -i eth0 -m state --state NEW,INVALID -j DROP
    iptables -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP
    echo 1 > /proc/sys/net/ipv4/ip_forward

What vulnerabilities exist with this as the configuration for a firewall/router?
Hi,

"Marty Ross" <noodnik2@hotmail.com> wrote:

> Can anyone tell me what the following lines do in RedHat Linux 7.2 (kernel
> 2.4.7-10)?
>
> modprobe iptable_nat

The above module is required for the following masquerade rule to work. It loads new functionality into the kernel that will provide the NAT facility.

> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

The above line provides NAT for a network. In this instance, the internet is reached by eth0, and all traffic is NAT'd to the IP of that interface. This simply allows you to put in another ethernet card, connect it to your network, and then use it as the internet gateway for your other machines. Note that any internal machines should use non-routable addresses such as 192.168.0.1 etc.

> iptables -A INPUT -i eth0 -m state --state NEW,INVALID -j DROP
> iptables -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP

The above rules drop any invalid traffic, i.e., packets that are not part of an existing connection. It also drops any incoming connection packets. It is simply a basic firewall that will allow local machines to connect to the net, but will not allow the net to connect to the firewall or any local machines.

> echo 1 > /proc/sys/net/ipv4/ip_forward

The above line allows Linux to act as a router. Without it, no-one would be able to use it as a gateway to connect to the net.

> What vulnerabilities exist with this as the configuration for a
> firewall/router?

It's not to stop a specific vulnerability, it is just a very basic firewall to prevent people on the internet connecting directly to your network.

--
Martin
Thank you, Martin.

I'm trying to figure out what vulnerabilities this setup is at risk for. For instance, bugs in the Linux kernel (and/or the "iptables" module?), denial of service attacks, exploitation or spoofing of open connections, etc. Is this a popular setup? Are there any known issues with "iptables" ability to manage "open" connections (and prevent any from being "opened" from the outside, even though a service may be listening on the box)?

Basically, I just want to see what improvement could/should be made to this setup. E.g., given that it appeared to meet your needs, would you feel comfortable with this setup, or would you change it?

"Martin Cooper" <usenet@martinc.me.uk> wrote in message news:gemini.3f51d008008773e7%usenet@martinc.me.uk...

> It's not to stop a specific vulnerability, it is just a very basic firewall
> to prevent people on the internet connecting directly to your network.
>
> --
> Martin
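The thread's ruleset relies on the chains' built-in ACCEPT policy: only NEW and INVALID packets arriving on eth0 are dropped, and everything else (anything on the internal interface, anything the state match does not classify as NEW or INVALID) passes. As an added example, not code from either poster, the script below prints that original ruleset for comparison and a tighter equivalent that keeps the same NAT behaviour but fails closed: default DROP on INPUT and FORWARD, explicit ACCEPT for loopback, for ESTABLISHED/RELATED replies and for new connections from the LAN side only, a rule that discards packets arriving on the Internet-facing interface with an internal source address, the kernel's reverse-path filter, and rate-limited logging of whatever the default policy drops. The LAN interface name (eth1) and the internal range (192.168.0.0/24) are assumptions; the WAN interface is eth0 as in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Prints (or, with "apply", runs) two rulesets:
# the one posted in the first message and a default-DROP variant with the same NAT.
# WAN, LAN and LAN_NET are assumptions for this example; override them in the environment.
WAN="${WAN:-eth0}"                     # interface facing the Internet (as in the thread)
LAN="${LAN:-eth1}"                     # interface facing the internal network (assumed)
LAN_NET="${LAN_NET:-192.168.0.0/24}"   # non-routable internal range (assumed)

# The five lines exactly as quoted in the first post, with the interface parameterised.
original_rules() {
    cat <<EOF
modprobe iptable_nat
iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
iptables -A INPUT -i $WAN -m state --state NEW,INVALID -j DROP
iptables -A FORWARD -i $WAN -m state --state NEW,INVALID -j DROP
echo 1 > /proc/sys/net/ipv4/ip_forward
EOF
}

# Same gateway function, but every accepted path is explicit and the rest is dropped.
hardened_rules() {
    cat <<EOF
modprobe iptable_nat
# Clean slate, then deny by default so anything not listed below fails closed.
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Loopback is always local to the box.
iptables -A INPUT -i lo -j ACCEPT
# Packets from the Internet side claiming an internal source address are spoofed; drop them.
iptables -A INPUT -i $WAN -s $LAN_NET -j DROP
iptables -A FORWARD -i $WAN -s $LAN_NET -j DROP
# Replies to connections that were opened from inside, for the gateway and for forwarded hosts.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# New connections are accepted only from the LAN: to the gateway itself, or out towards the Internet.
iptables -A INPUT -i $LAN -s $LAN_NET -m state --state NEW -j ACCEPT
iptables -A FORWARD -i $LAN -o $WAN -s $LAN_NET -m state --state NEW -j ACCEPT
# Log what the default policy is about to drop; the limit keeps a flood from filling the logs.
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop-in: "
iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "fw-drop-fwd: "
# NAT exactly as in the thread.
iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
# Kernel reverse-path check on every interface, then enable routing.
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > \$f; done
echo 1 > /proc/sys/net/ipv4/ip_forward
EOF
}

# Number of iptables invocations in a ruleset; handy for a quick diff between the two.
count_iptables() {
    "$1" | grep -c '^iptables'
}

case "${1:-print}" in
    print)    hardened_rules ;;
    original) original_rules ;;
    apply)    hardened_rules | sh -e ;;   # needs root and iptables; run from the console
    *)        echo "usage: $0 [print|original|apply]" >&2; exit 2 ;;
esac
```

Run it with no argument to review the hardened ruleset before applying it, and apply from the console rather than over a remote session, since the DROP policies are set before the ESTABLISHED,RELATED rule that would let an existing session continue.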