by peterwwillis 4304 days ago
What risk? You don't need to harden your distro if you're only using it for NAT. There's basically nothing to attack, save maybe the netfilter conntrack module's state machine. Here's all you need for your edge NAT device:

  # Inbound on the WAN interface: only replies to connections this box opened
  iptables -A INPUT -i ethwan -m conntrack --ctstate ESTABLISHED -j ACCEPT
  iptables -A INPUT -i ethwan -j DROP
  # Outbound from the box itself via the WAN: new and established only
  iptables -A OUTPUT -o ethwan -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
  iptables -A OUTPUT -o ethwan -j DROP
  # WAN -> LAN: only replies to connections the LAN opened
  iptables -A FORWARD -i ethwan -o eth0 -m conntrack --ctstate ESTABLISHED -j ACCEPT
  iptables -A FORWARD -i ethwan -o eth0 -j DROP
  # LAN -> WAN: LAN hosts may open new connections
  iptables -A FORWARD -i eth0 -o ethwan -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
  iptables -A FORWARD -i eth0 -o ethwan -j DROP
  # Source-NAT everything leaving the WAN interface to its address
  iptables -t nat -A POSTROUTING -o ethwan -j MASQUERADE
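The ruleset in the comment, rendered as a reloadable iptables-restore file plus a small lint that flags any rule accepting unsolicited (NEW or untracked) traffic arriving on the WAN side. This is an added example, not the commenter's own script: the interface names are parameters (`ethwan`/`eth0` as defaults, `wan0`/`lan0` in the usage), the `lint_wan_rules` heuristic is my own, and the parse-only dry run relies on `iptables-restore --test`, which is assumed to be present in the installed iptables.

```shell
#!/bin/sh
# Added example (not from the original comment). Generates the NAT-only
# ruleset as an iptables-restore file, lints it, and optionally applies it.

# Emit the comment's ruleset in iptables-restore syntax.
# $1 = WAN interface, $2 = LAN interface (names are assumptions).
gen_nat_rules() {
  wan="${1:-ethwan}"
  lan="${2:-eth0}"
  cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i $wan -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -i $wan -j DROP
-A OUTPUT -o $wan -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o $wan -j DROP
-A FORWARD -i $wan -o $lan -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A FORWARD -i $wan -o $lan -j DROP
-A FORWARD -i $lan -o $wan -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A FORWARD -i $lan -o $wan -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
EOF
}

# Lint: read iptables-save style rules on stdin and print how many
# INPUT/FORWARD rules ACCEPT packets entering on the WAN interface ($1)
# either with no conntrack match at all or with NEW in their --ctstate list.
# Any count above zero means the box is reachable from the outside.
lint_wan_rules() {
  awk -v wan="$1" '
    $1 == "-A" && ($2 == "INPUT" || $2 == "FORWARD") &&
    $(NF-1) == "-j" && $NF == "ACCEPT" {
      inwan = 0; states = ""
      for (i = 3; i < NF; i++) {
        if ($i == "-i" && $(i+1) == wan) inwan = 1
        if ($i == "--ctstate") states = "," $(i+1) ","
      }
      if (inwan && (states == "" || index(states, ",NEW,") > 0)) n++
    }
    END { print n + 0 }'
}

# Generate, lint, dry-run parse with iptables-restore --test, then commit.
# Refuses to load a ruleset that the lint flags. Needs root to actually apply.
apply_nat_rules() {
  wan="${1:-ethwan}"
  lan="${2:-eth0}"
  tmp=$(mktemp) || return 1
  gen_nat_rules "$wan" "$lan" > "$tmp"
  bad=$(lint_wan_rules "$wan" < "$tmp")
  if [ "$bad" -ne 0 ]; then
    echo "refusing to apply: $bad rule(s) accept unsolicited WAN traffic" >&2
    rm -f "$tmp"
    return 1
  fi
  iptables-restore --test "$tmp" && iptables-restore "$tmp"
  rc=$?
  rm -f "$tmp"
  return $rc
}

# Usage: ./nat.sh apply wan0 lan0   (only runs when "apply" is given)
if [ "${1:-}" = "apply" ]; then
  apply_nat_rules "${2:-ethwan}" "${3:-eth0}"
fi
```

`lint_wan_rules` is useful beyond this script: pipe `iptables-save` into it with the real WAN interface name after any change, and a non-zero count tells you a rule has quietly opened the box to inbound connections, which is the one thing this NAT-only posture depends on never happening.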