IPTables behind a router ?
Interlude
2003-09-24, 01:17 PM CDT
Hello,
Would it make sense to any of you using IPTables, to use it behind a router?
BTW, I'm on RH9 (KDE) with the setting 'No Firewall' for the IPTables
service.
In a manual I have (that's actually for RH8), it states NOT to use IPTables
behind a gateway/router, only on the gateway device itself. Would any of
you agree with this, or would using it just add more security, provided
it's set up correctly ?
On that last point, would modifications be necessary to the default IPTable
configuration to take into account the fact that it's not the first device
packets will encounter from the Internet ?
I'm aware that the NAT function of a router can protect a PC from
connections not already established from that PC, but would it also fudge
up IPTables ?
Full of questions, not many answers, as usual. Thanks for your time.
Interlude.
steve harris
2003-09-24, 05:03 PM CDT
Interlude wrote:
> Hello,
>
> Would it make sense to any of you using IPTables, to use it behind a router?
>
> BTW, I'm on RH9 (KDE) with the setting 'No Firewall' for the IPTables
> service.
>
> In a manual I have (that's actually for RH8), it states NOT to use IPTables
> behind a gateway/router, only on the gateway device itself. Would any of
> you agree with this, or would using it just add more security, provided
> it's set up correctly ?
>
> On that last point, would modifications be necessary to the default IPTable
> configuration to take into account the fact that it's not the first device
> packets will encounter from the Internet ?
>
> I'm aware that the NAT function of a router can protect a PC from
> connections not already established from that PC, but would it also fudge
> up IPTables ?
>
> Full of questions, not many answers, as usual. Thanks for your time.
>
> Interlude.
Well, there is no sense in stopping something twice, so you will have to make a
list of what the router stops and a list of what the iptables you set up
will stop.
I use Newriders.com Linux Firewalls, 2nd edition (red binder), to set up
iptables. The 1st edition (purple binder) only covered ipchains.
As to what the router is doing, good luck. The elcheapos I have, I think
the store cash register receipt is larger than the documentation....
Steve
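To make Steve's "list of what iptables will stop" concrete for a workstation sitting behind a NAT router like the one in the question, here is an added example ruleset (not from any post in this thread or from the book Steve mentions). It assumes the LAN is 192.168.1.0/24 and the LAN interface is eth0; both are overridable. The point of the comments is the split of duties: the router's NAT already drops unsolicited inbound connections from the Internet, so the host rules mainly matter for traffic from other LAN machines and for anything the router is later told to forward. Because NAT rewrites addresses before a packet reaches the host, the host sees private LAN addresses, so nothing about NAT breaks the rules; they simply match on the LAN side.

```shell
#!/bin/sh
# Host-side iptables policy for a workstation behind a NAT router.
# Added example for this thread; assumptions: LAN_NET and LAN_IF below.
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumed LAN range (router's default)
LAN_IF="${LAN_IF:-eth0}"               # assumed LAN-facing interface

# Emit the rules as text so they can be reviewed, and compared against
# what the router already blocks, before they are applied.
emit_rules() {
  cat <<EOF
iptables -F INPUT
# Loopback traffic is local only; the router never sees it.
iptables -A INPUT -i lo -j ACCEPT
# Replies to connections this PC opened. This is the same stateful
# behaviour the router's NAT gives you, repeated on the host so LAN-side
# machines are held to it too.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state INVALID -j DROP
# Services you actually want reachable from the LAN: ping and ssh here.
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT
# Log what falls through (rate limited) so you can see what the router
# let past, then drop it via the default policy.
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "
# Policies are set last so an ssh session survives while rules load.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
EOF
}

# Number of INPUT rules in the generated policy (useful for a quick sanity check).
rule_count() {
  emit_rules | grep -c '^iptables -A INPUT'
}

# Apply when root; otherwise just print the rules for review.
apply_rules() {
  if [ "$(id -u)" -eq 0 ]; then
    emit_rules | grep -v '^#' | sh
  else
    emit_rules
  fi
}

if [ "${1:-}" = "apply" ]; then
  apply_rules
fi
```

Run it with no arguments to print the rules, or as root with `apply` to load them. The rules use `-m state`, which is what the RH8/RH9-era iptables documentation uses; current kernels accept it as an alias for the conntrack match.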
Interlude
2003-09-25, 09:21 AM CDT
steve harris wrote:
> well,
> there is no sense in stopping something twice so you will have to make a
> list of what the router stops and a list of what iptables you set up
> will stop.
>
> I use Newriders.com Linux Firewalls, 2nd edition (red binder), to set up
> iptables. The 1st edition (purple binder) only covered ipchains.
>
> As to what the router is doing, good luck. The elcheapos I have, I think
> the store cash register receipt is larger than the documentation....
>
> Steve
Thanks for the reply there Steve. I did a Google on that book and it looks
like just the kind of thing I need to read. Thanks for the reference.
I've got the 'standard-issue' Linksys BEFSR41 router/gateway. It does 'what
it says on the tin' so to speak, but I'd like to get more specific with
what's allowed in and out, so that book should help me do it.
Interlude.
steve harris
2003-09-25, 05:47 PM CDT
Interlude wrote:
> steve harris wrote:
>
>
>>well,
>>there is no sense in stopping something twice so you will have to make a
>>list of what the router stops and a list of what iptables you set up
>>will stop.
>>
>>I use Newriders.com Linux Firewalls, 2nd edition (red binder), to set up
>>iptables. The 1st edition (purple binder) only covered ipchains.
>>
>>As to what the router is doing, good luck. The elcheapos I have, I think
>>the store cash register receipt is larger than the documentation....
>>
>>Steve
>
>
> Thanks for the reply there Steve. I did a Google on that book and it looks
> like just the kind of thing I need to read. Thanks for the reference.
>
> I've got the 'standard-issue' Linksys BEFSR41 router/gateway. It does 'what
> it says on the tin' so to speak, but I'd like to get more specific with
> what's allowed in and out, so that book should help me do it.
>
>
> Interlude.
The book is full of examples covering just about any port to pass or
block, whether workstation or server.
As to what the Linksys is doing, you can go to scan.sygate.com and scan all
65k ports instead of the few common ones everyone else checks.
:)
If you need to...
Steve