Ip tables and NAT

Alan McKinnon alan at linuxholdings.co.za
Sat Feb 25 17:51:21 UTC 2006


On Saturday, 25 February 2006 08:06, Peter Garrett wrote:
> On Sat, 25 Feb 2006 02:51:47 +0100
>
> Christian Eichert <moga at mx.homelinux.org> wrote:
> > > Just wondering, what application is usually used to configure
> > > iptables to secure a Ubuntu box?
> >
> > NONE
> > it is not necessary for you to configure iptables.
>
> Must be nice to be so sure of your ground :-)
> Personally, since I only need ssh access from a few IPs, I prefer
> not to have my ssh port flapping in the breeze. I therefore use
> firestarter to leave it open only for the trusted IPs.

Better accomplished with tcp wrappers IMHO. Doesn't have the hassles 
that go with understanding an iptables script. And you get the 
benefit of a super-daemon.

> If I was running ftp as a server, I would probably want to do the
> same for that as well (I don't run ftp).

Easiest way to close port 20 & 21 is to not run an ftp server. Easiest 
way to open access to ftp for specified users is in the ftp server 
config. And chroot the ftp server.

> Blanket statements of this kind make me scratch my head.

It would have been better worded as "it is not necessary for you to 
configure iptables on a personal workstation"

> Another useful
> iptables feature is NAT, which is also trivial to set up with
> firestarter.

Rule #1: NAT is not firewalling. I'll repeat that: NAT is not 
firewalling. NAT on the local machine is nonsensical. NAT is by 
definition a gateway function. Unless you are doing edge cases like 
NATing to several virtual machines on the local box, in which case 
you probably know enough about packet filtering to write your own 
script.

I've seen many valid iptables setups running on gateways and routers. 
I've never yet seen such a thing on a workstation, regardless of what 
the user believes. Every case has been much work for no additional 
*real* benefit. Which raises the question: why do it at all then?


-- 
Alan McKinnon
alan at linuxholdings dot co dot za
+27 82, double three seven, one nine three five
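
The tcp wrappers approach recommended above for limiting ssh to a few trusted IPs, as an added example that is not part of the thread: a small shell emulation of how tcpd evaluates hosts.allow and hosts.deny, so a rule set can be checked before it goes into /etc. The addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: emulate tcpd's evaluation of
# hosts.allow / hosts.deny so a rule set can be sanity-checked before it is
# installed. Covered syntax: "daemon_list : client_list", the ALL wildcard,
# exact IPv4 addresses and a trailing-dot network prefix such as 192.0.2.
# The addresses below are constructed placeholders, not real hosts.
ALLOW_RULES='sshd: 192.0.2.10 198.51.100.
ALL: 127.0.0.1'
DENY_RULES='sshd: ALL'

# match_rules DAEMON CLIENT RULES -> status 0 if any rule line matches both
match_rules() {
    daemon=$1 client=$2
    printf '%s\n' "$3" | (
        while IFS=: read -r dlist clist; do
            for d in $dlist; do
                [ "$d" = ALL ] || [ "$d" = "$daemon" ] || continue
                for c in $clist; do
                    case $c in
                        ALL) exit 0 ;;
                        *.)  case $client in "$c"*) exit 0 ;; esac ;;
                        *)   [ "$c" = "$client" ] && exit 0 ;;
                    esac
                done
            done
        done
        exit 1   # no line matched
    )
}

# wrappers_decide DAEMON CLIENT -> prints "allow" or "deny" in tcpd order:
# a hosts.allow match wins, then a hosts.deny match denies, and a client
# matching neither file is ALLOWED. That is why hosts.deny needs an explicit
# catch-all for every daemon you intend to restrict.
wrappers_decide() {
    if match_rules "$1" "$2" "$ALLOW_RULES"; then echo allow
    elif match_rules "$1" "$2" "$DENY_RULES"; then echo deny
    else echo allow
    fi
}

# Stand-alone run: print the decision for a few sample daemon/client pairs.
for pair in 'sshd 192.0.2.10' 'sshd 198.51.100.7' 'sshd 203.0.113.5' \
            'vsftpd 203.0.113.5'; do
    set -- $pair
    printf '%-7s %-14s %s\n' "$1" "$2" "$(wrappers_decide "$1" "$2")"
done
```

The last sample shows the gotcha: a daemon that appears in neither file is left open, so the hosts.deny catch-all is what actually closes the port. Upstream OpenSSH dropped libwrap support in 6.7 (some distributions carried it longer), so confirm your sshd build is actually wrapped before relying on this.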