Ip tables and NAT

Mike Bird mgb-ubuntu at yosemite.net
Sat Feb 25 18:47:43 UTC 2006


On Sat, 2006-02-25 at 09:51, Alan McKinnon wrote:
> On Saturday, 25 February 2006 08:06, Peter Garrett wrote:
> > On Sat, 25 Feb 2006 02:51:47 +0100
> >
> > Christian Eichert <moga at mx.homelinux.org> wrote:
> > > > Just wondering, what application is usually used to configure
> > > > iptables to secure a Ubuntu box?

Emacs and vi are more flexible but firestarter is more usual.

> > > NONE
> > > it is not necessary for you to configure iptables.
> >
> > Must be nice to be so sure of your ground :-)
> > Personally, since I only need ssh access from a few IPs, I prefer
> > not to have my ssh port flapping in the breeze. I therefore use
> > firestarter to leave it open only for the trusted IPs.
> 
> Better accomplished with tcp wrappers IMHO. Doesn't have the hassles 
> that go with understanding an iptables script. And you get the 
> benefit of a super-daemon

Xinetd (or inetd) and TCP wrappers are much less able to
withstand DOS attacks unless iptables is deployed for
front line defence.  Also iptables provides protections
that Xinetd and TCP wrappers cannot, and to services which
are not compatible with super-daemons.

> > Blanket statements of this kind make me scratch my head.
> 
> It would have been better worded as "it is not necessary for you to 
> configure iptables on a personal workstation"

Iptables can prevent port scanning.  It can prevent unwanted
outbound connections and block access to backdoors.  People
sometimes do silly things without realizing that they're
starting a server.  Linux is no less susceptible to Trojan
attacks than is Windoze.

> > Another useful
> > iptables feature is NAT, which is also trivial to set up with
> > firestarter.
> 
> Rule #1: NAT is not firewalling. I'll repeat that: NAT is not 
> firewalling. NAT on the local machine is nonsensical. NAT is by 
> definition a gateway function. Unless you are doing edge cases like 
> NATing to several virtual machines on the local box, in which case 
> you probably know enough about packet filtering to write your own 
> script

It's hard to imagine a situation where NAT would be needed on
a workstation.  Nevertheless, NAT is a very effective form of
firewalling on a gateway.

> I've seen many valid iptables setups running on gateways and routers. 
> I've never yet seen such a thing on a workstation, regardless of what 
> the user believes. Every case has been much work for no additional 
> *real* benefit. Which raises the question: why do it at all then?

When using a VPN, iptables may be desirable to prevent leaks
between the secure connection and the local network.

Workstations are sometimes Samba servers.  Indeed, some
workstations have full LAMP stacks for initial testing.
Or they may be running prototype software with unproven
security.

It's best if a workstation is behind a separate firewall, but
the gal in a bamboo hut in the third world developing the next
great free app may not be able to afford one.

--Mike Bird
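The workstation policy this thread argues over (SSH reachable from a few trusted IPs only, unwanted outbound connections blocked, no traffic leaking around a VPN tunnel onto the LAN), written out as an added iptables script; it is not part of the original post and the trusted addresses, interface names and VPN server are constructed assumptions. With IPT_DRY_RUN=1 it prints the rules instead of applying them, so the policy can be reviewed without root.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed values, constructed for
# illustration: trusted admin hosts 203.0.113.10 and 203.0.113.11, LAN
# interface eth0, VPN tunnel tun0, VPN server 198.51.100.5 on UDP 1194.
# A LAN address obtained via DHCP would additionally need UDP 67/68 on eth0.

TRUSTED_SSH="203.0.113.10 203.0.113.11"
LAN_IF="eth0"
VPN_IF="tun0"
VPN_SERVER="198.51.100.5"
VPN_PORT="1194"

# With IPT_DRY_RUN=1 the commands are printed rather than executed.
ipt() {
    if [ "${IPT_DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

workstation_policy() {
    # Default deny in both directions: an unexpected listener (a test
    # Samba or LAMP stack, a backdoor) is unreachable, and an unwanted
    # outbound connection is blocked instead of silently allowed.
    ipt -F
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT DROP
    # Loopback, and replies to connections this host initiated.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # SSH only from the trusted addresses; every other source is dropped,
    # which also hides the port from scans.
    for src in $TRUSTED_SSH; do
        ipt -A INPUT -p tcp --dport 22 -s "$src" -m state --state NEW -j ACCEPT
    done
    # Outbound: only the VPN handshake may use the LAN interface; all other
    # new traffic must go through the tunnel. This is the anti-leak rule.
    ipt -A OUTPUT -o "$LAN_IF" -p udp -d "$VPN_SERVER" --dport "$VPN_PORT" -j ACCEPT
    ipt -A OUTPUT -o "$VPN_IF" -j ACCEPT
    # Anything else is logged, then dropped by the OUTPUT policy.
    ipt -A OUTPUT -j LOG --log-prefix "blocked-out: "
}
```

Preview with `IPT_DRY_RUN=1 sh script.sh` after adding a call to `workstation_policy` at the end; run as root without the variable to apply it.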
