Secure and Manage Voyage Linux - Page 2
If you're running any services, or just want more control, you'll need to write your own iptables script. This example does not open any ports for public services, but it allows SSH sessions from inside the LAN to the firewall box, sets up NAT and IP masquerading, turns on IP forwarding, blocks incoming attempts to initiate new connections, allows your LAN hosts to initiate outgoing connections for Web surfing, email, and so forth, and permits the important ICMP messages. Some admins think that blocking all ICMP messages is good security, but it is actually bad networking practice: you need at least the types specified in the script for networking to work correctly.
Run this script the same way as nat.sh: store it in /usr/local/sbin/ and bring it up or down with the WAN interface. After you have written it, of course, remember to make it executable, owned only by root, and non-writable by anyone else for extra insurance.
SSH Through the Firewall
You should create an unprivileged user on your Voyage router for this: never, ever accept root logins over untrusted networks. Then add an iptables rule like this:
$ipt -A INPUT -p tcp -i $WAN_IFACE --dport 22 --sport 1024:65535 -m state --state NEW -j ACCEPT
Be sure to configure your SSH access controls in /etc/ssh/sshd_config (see Resources). You can use iptables to be even more restrictive by specifying a source IP address:
$ipt -A INPUT -p tcp -i $WAN_IFACE -s 220.127.116.11 --dport 22 --sport 1024:65535 -m state --state NEW -j ACCEPT
There are many ways to set up SSH for easy, secure remote logins. A nice option is to disable password logins entirely, and authenticate via encryption keys only. (See Resources to learn more.)
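The following script is an added example (not the article's own script, which is not reproduced on this page) that puts the policy described at the top of the page and the SSH rule from this section together in one place: default-deny inbound and forwarded traffic, SSH only from the LAN, an optional single admin address on the WAN side, the ICMP types the stack needs, outbound connections from the LAN, and NAT with masquerading. The interface names eth0/eth1, the LAN range 192.168.1.0/24, and the ADMIN_IP, DRY_RUN and run helper are assumptions introduced here; adjust the variables at the top for your box. Setting DRY_RUN=1 prints the rules instead of applying them, so the rule set can be reviewed before it is ever loaded.

```shell
#!/bin/sh
# firewall.sh: LAN-only iptables policy with NAT, forwarding, essential ICMP
# and optional admin SSH from one WAN address. Added example; interface names,
# LAN range and ADMIN_IP are assumptions, not values taken from the article.
WAN_IFACE="${WAN_IFACE:-eth0}"          # assumed WAN interface name
LAN_IFACE="${LAN_IFACE:-eth1}"          # assumed LAN interface name
LAN_NET="${LAN_NET:-192.168.1.0/24}"    # assumed private LAN range
ADMIN_IP="${ADMIN_IP:-}"                # optional: one WAN source allowed to SSH in

# run: execute a command, or print it when DRY_RUN=1 so the rule set can be
# reviewed on a machine without root or netfilter.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}
ipt() { run iptables "$@"; }

firewall_up() {
    # Start from a clean slate; default-deny inbound and forwarded traffic.
    ipt -F; ipt -t nat -F; ipt -X
    ipt -P INPUT DROP; ipt -P FORWARD DROP; ipt -P OUTPUT ACCEPT

    # Loopback and replies to connections we initiated are always allowed.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Drop WAN-side packets that claim a LAN source address (spoofing).
    ipt -A INPUT -i "$WAN_IFACE" -s "$LAN_NET" -j DROP
    ipt -A FORWARD -i "$WAN_IFACE" -s "$LAN_NET" -j DROP

    # SSH only from inside the LAN; no public services are opened.
    ipt -A INPUT -p tcp -i "$LAN_IFACE" -s "$LAN_NET" --dport 22 \
        --sport 1024:65535 -m state --state NEW -j ACCEPT
    # Optional: one trusted WAN address may open SSH to the firewall.
    if [ -n "$ADMIN_IP" ]; then
        ipt -A INPUT -p tcp -i "$WAN_IFACE" -s "$ADMIN_IP" --dport 22 \
            --sport 1024:65535 -m state --state NEW -j ACCEPT
    fi

    # ICMP the stack needs: destination-unreachable carries path-MTU discovery,
    # time-exceeded makes traceroute work, parameter-problem reports bad headers.
    for t in destination-unreachable time-exceeded parameter-problem echo-reply; do
        ipt -A INPUT -p icmp --icmp-type "$t" -j ACCEPT
    done
    # Answer pings from the LAN only, rate-limited.
    ipt -A INPUT -p icmp --icmp-type echo-request -i "$LAN_IFACE" \
        -m limit --limit 1/s -j ACCEPT

    # LAN hosts may start outbound connections; NAT them behind the WAN address.
    ipt -A FORWARD -i "$LAN_IFACE" -o "$WAN_IFACE" -s "$LAN_NET" \
        -m state --state NEW -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$WAN_IFACE" -s "$LAN_NET" -j MASQUERADE
    run sysctl -w net.ipv4.ip_forward=1
}

firewall_down() {
    # Remove all rules; keep the box closed except for established traffic.
    ipt -F; ipt -t nat -F; ipt -X
    ipt -P INPUT DROP; ipt -P FORWARD DROP; ipt -P OUTPUT ACCEPT
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run sysctl -w net.ipv4.ip_forward=0
}

case "${1:-}" in
    up)   firewall_up ;;
    down) firewall_down ;;
esac
```

Call it as `firewall.sh up` from the WAN interface's up hook and `firewall.sh down` from the down hook, exactly as with nat.sh. Leaving ADMIN_IP empty gives the LAN-only policy; setting it to a single address is the source-restricted variant of the WAN SSH rule shown above, which is the only way this script ever accepts a new connection from the WAN side.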
Never ever perform any kind of sensitive logins from public computers, or untrusted PCs of any kind. The most secure protocols on Earth cannot foil keystroke loggers.