The most important lines are:
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# SECTION THAT DEALS WITH NAT/MASQ
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth2 -j MASQUERADE
COMMIT
It's that simple!
Of course, this is a pretty open config, and you'll need to beef up the security.
This assumes eth0 is your internal (LAN) interface and eth2 is your external (WAN) interface.
The INPUT DROP policy drops all input to the firewall by default. This is an important distinction between INPUT and FORWARD:
INPUT is traffic whose ultimate destination is the firewall itself (this includes traffic addressed to the firewall but destined for another device, e.g. an Apache server behind the firewall). FORWARD is for traffic that passes through the firewall on its way somewhere else.
Also, if you do a lot of torrenting, you'll need to increase the max connections in sysctl.conf:
net.ipv4.netfilter.ip_conntrack_max = 262144
Otherwise 10 or so torrents will completely fill your firewall's connection tracking table, and you won't be able to make outgoing connections anymore!
I won't go further into it, but there are more articles on this to get the best out of your firewall.
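To make the INPUT/FORWARD distinction and the "beef up the security" advice concrete, here is an added example (my own code, not from the post): the post's ruleset as iptables-restore text beside a tightened version, plus a small parser that audits either one for the properties a NAT gateway should have. The interface names eth0 (LAN) and eth2 (WAN) follow the post; the hardened rules, the helper names and the checks themselves are my assumptions about what "beefing up" should mean.

```python
"""Audit an iptables-restore ruleset for basic NAT-gateway hygiene.

Constructed example: the post's open ruleset next to a tightened one, and a
parser that checks chain policies, conntrack accepts and the MASQUERADE rule.
"""
import re

LAN, WAN = "eth0", "eth2"  # interface roles as in the post

# The post's ruleset, reproduced as iptables-restore text.
OPEN_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth2 -j MASQUERADE
COMMIT
"""

# Constructed tightened version: FORWARD also defaults to DROP, only LAN->WAN
# and reply traffic is forwarded, and the firewall itself accepts loopback,
# replies to its own connections and SSH from the LAN side only.
HARDENED_RULES = f"""\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i {LAN} -p tcp --dport 22 -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i {LAN} -o {WAN} -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o {WAN} -j MASQUERADE
COMMIT
"""


def parse_restore(text):
    """Parse iptables-restore text into {table: {"policies": {chain: policy}, "rules": [tokens]}}."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                  # "*filter" / "*nat" opens a table
            table = line[1:]
            tables[table] = {"policies": {}, "rules": []}
        elif line == "COMMIT":                    # closes the current table
            table = None
        elif line.startswith(":"):                # ":CHAIN POLICY [pkts:bytes]"
            m = re.match(r":(\S+)\s+(\S+)", line)
            tables[table]["policies"][m.group(1)] = m.group(2)
        elif line.startswith("-A"):               # an appended rule, kept tokenised
            tables[table]["rules"].append(line.split())
    return tables


def opt(rule, flag):
    """Value following a flag in a tokenised rule, or None if the flag is absent."""
    return rule[rule.index(flag) + 1] if flag in rule else None


def audit(text, lan=LAN, wan=WAN):
    """Return a list of findings; an empty list means every check passed."""
    tables = parse_restore(text)
    filt = tables.get("filter", {"policies": {}, "rules": []})
    nat = tables.get("nat", {"policies": {}, "rules": []})
    findings = []
    for chain in ("INPUT", "FORWARD"):
        # INPUT guards the gateway itself, FORWARD guards what is routed through it;
        # both need a DROP default and an accept for reply traffic.
        if filt["policies"].get(chain) != "DROP":
            findings.append(f"{chain} policy is not DROP")
        if not any(r[1] == chain and opt(r, "--ctstate") == "ESTABLISHED,RELATED"
                   and opt(r, "-j") == "ACCEPT" for r in filt["rules"]):
            findings.append(f"{chain} lacks an ESTABLISHED,RELATED accept")
    if not any(r[1] == "FORWARD" and opt(r, "-i") == lan and opt(r, "-o") == wan
               and opt(r, "-j") == "ACCEPT" for r in filt["rules"]):
        findings.append("no explicit LAN->WAN forward rule")
    for r in nat["rules"]:
        # Masquerading belongs in POSTROUTING and only on the WAN interface.
        if opt(r, "-j") == "MASQUERADE" and (r[1] != "POSTROUTING" or opt(r, "-o") != wan):
            findings.append("MASQUERADE not restricted to WAN POSTROUTING: " + " ".join(r))
    return findings


if __name__ == "__main__":
    for name, rules in (("open", OPEN_RULES), ("hardened", HARDENED_RULES)):
        print(name, audit(rules) or "OK")
```

Running it reports four findings for the post's ruleset (FORWARD defaults to ACCEPT, neither chain accepts reply traffic explicitly, and there is no LAN->WAN rule) and none for the tightened one. The checks only cover what the post discusses; a real audit would also look at DNAT rules in PREROUTING and at the conntrack sizing the post mentions.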
very simple indeed. linux rulez.