Sorry I've been so hard to reach lately, y'all. Between working 80-hour weeks, moving, and having server problems, it has been a real challenge for me to spend any non-work time online.
So, let's take a different tack for the iptables example than we did for ipchains: a small home network where you host your own server and have several workstations. Once we've got the basics hammered out, we'll start complicating it with NAT and such. But for the moment:
You are a security-savvy geek with a DSL line and a small home network. Right now you have six boxes at home, and you want a firewall up before you connect them to your shiny new DSL. Your firewall box runs a Linux 2.4.19 kernel with all the relevant netfilter/iptables modules built when you installed it. Since your DSL provider is generous, you have routable IPs for all of your boxes, and the provider gives you the IPs for your firewall free of charge.
Because your DSL provider runs a bridged rather than a switched network (you essentially share a DSL LAN with others in your area), you don't get your own /28 or so; you get addresses assigned out of their local /24. (We're using CIDR notation here.) You have been assigned the following:
18.104.22.168/24 -- your ISP's gateway machine, the router you send Internet-bound packets to.
22.214.171.124 -- your firewall's external interface
126.96.36.199 -- your firewall's internal interface
188.8.131.52 -- your personal Web, mail, IMAP, and Icecast server
184.108.40.206 -- Linux workstation
220.127.116.11 -- OpenBSD laptop
18.104.22.168 -- Windows XP workstation
22.214.171.124 -- Windows 2000 workstation
Pretty much the only people who use your home network are you and your roommates, but the server's services need to be reachable by you and your roommates from anywhere on the Net (Icecast excepted: it only has to work from home). The laptops and workstations want to run AIM, Diablo, Gnutella and ICQ, in addition to browsing the web, getting mail, etc.
What sort of a firewall ruleset would you come up with to meet these needs? Anything else you need to know?
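One candidate ruleset for this scenario, as an added example that is not part of Raven Alder's original article (the ipchains version and the promised iptables answer are not on this page). It assumes the firewall routes between its two interfaces with a 2.4 kernel and the ip_conntrack/ipt_state modules loaded. The interface names, the placeholder addresses taken from the TEST-NET-3 block, the SSH management rule and the Icecast port are all assumptions; substitute the ISP-assigned addresses listed above.

```shell
#!/bin/sh
# Added example, not from the original article: a candidate iptables
# ruleset for the home-network scenario above (Linux 2.4 with the
# ip_conntrack and ipt_state modules loaded).
#
# ASSUMPTIONS the page does not fix: the interface names, the placeholder
# addresses (TEST-NET-3; put your ISP-assigned ones here) and the ports.
#
# Dry run by default: the commands are printed, not executed.
# Apply for real with:   IPT=iptables SYSCTL=sysctl sh firewall.sh
IPT="${IPT:-echo iptables}"
SYSCTL="${SYSCTL:-echo sysctl}"

EXT_IF=eth0                 # assumed: interface facing the DSL segment
INT_IF=eth1                 # assumed: interface facing the home LAN
SERVER=203.0.113.12         # assumed: web / mail / IMAP / Icecast box
WORKSTATIONS="203.0.113.13 203.0.113.14 203.0.113.15 203.0.113.16"
INSIDE="$SERVER $WORKSTATIONS"
PUBLIC_TCP="25,80,143"      # SMTP, HTTP, IMAP: open to the whole Net
ICECAST_PORT=8000           # assumed Icecast default; home LAN only

build_rules() {
    # Clean slate, default-deny for what the box receives or forwards.
    $IPT -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $SYSCTL -w net.ipv4.ip_forward=1

    # Loopback, plus replies to flows already in the state table.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Anti-spoofing.  The DSL side is a shared bridged segment, so a
    # neighbour can put any source address on the wire: nothing arriving
    # from outside may claim one of our own addresses.
    for ip in $INSIDE; do
        $IPT -A INPUT   -i $EXT_IF -s $ip -j DROP
        $IPT -A FORWARD -i $EXT_IF -s $ip -j DROP
    done

    # Outbound: each inside host may open anything toward the Net (web,
    # mail, AIM, ICQ, Diablo, Gnutella; the server also delivers mail).
    # Keying on source address as well as interface means a host not on
    # the list, or one borrowing someone else's address, hits the policy.
    for ip in $INSIDE; do
        $IPT -A FORWARD -i $INT_IF -o $EXT_IF -s $ip \
             -m state --state NEW -j ACCEPT
    done

    # Inbound to the server: only the public services, as new TCP
    # connections.  Icecast is refused explicitly from the DSL side so the
    # intent is visible in the ruleset rather than hidden in the policy.
    $IPT -A FORWARD -i $EXT_IF -o $INT_IF -d $SERVER -p tcp \
         --dport $ICECAST_PORT -j DROP
    $IPT -A FORWARD -i $EXT_IF -o $INT_IF -d $SERVER -p tcp \
         -m multiport --dports $PUBLIC_TCP -m state --state NEW -j ACCEPT

    # The firewall itself: SSH and ping from inside hosts only (assumed).
    for ip in $INSIDE; do
        $IPT -A INPUT -i $INT_IF -s $ip -p tcp --dport 22 \
             -m state --state NEW -j ACCEPT
    done
    $IPT -A INPUT -i $INT_IF -p icmp -j ACCEPT

    # Log what falls through, rate-limited so a scan cannot fill the disk.
    $IPT -A INPUT   -m limit --limit 5/min -j LOG --log-prefix "IN-DROP: "
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
}

build_rules
```

Two things this ruleset does not do, and which belong in the answer to "anything else you need to know?": Gnutella peers and anyone joining a Diablo game you host need an inbound port forwarded to a particular workstation, which default-deny plus state tracking alone will not allow; and the rules only matter if the firewall is actually in the path, which with inside and outside addresses drawn from the same /24 means the firewall has to answer for the inside addresses on the DSL segment (proxy ARP) or bridge them, an arrangement the scenario leaves open.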
Copyright (c) 2002 by Raven Alder. This material may be distributed only subject to the terms and conditions set forth in the Open Publication License, v1.0 or later (the latest version is presently available at http://www.opencontent.org/openpub/).