Re: RFE: Connection Sharing



> If ethX is internet-facing and ethY is to be NAT'ed, perhaps
> a rule at the very top of the iptables chain that whitelists all traffic
> initiated from someone on ethY being routed to ethX should do the trick.
> 
> iptables -I FORWARD --in-interface ethY -j ACCEPT
> iptables -t nat -I POSTROUTING --out-interface ethX -j ACCEPT
Hmm.
> 
> There is probably something more clever that can be done with marking
> the packets and routing them through a separate table with greater
> security for the box running NM from hostiles on the internal (ethY)
> network.
> 
> (vaguely from memory)
> 
> ... --in-interface -j MARK 0x10
> ip ro add ...
> 
> If nothing else, we can likely make the assumption that if the user is
> requesting the device to NAT some internal network onto the internet, he
> trusts the internal network somewhat. The first two rules above with a
> warning might also be a good first stab.
I don't think you can just say 'the user will trust the internal network'. I think
at least when starting network sharing, you should give a choice: open
up everything, or ask before allowing connections (MAC, or even better
hostname based, when possible to get this hostname. mdns might be
useful).
Might be useful to only allow certain "safe" connections by default
too, like http/https, imap/imaps, ssh, ntp,... I don't think there's any
need to allow P2P and other applications by default.

Nicolas
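The default-allowlist idea from the reply above (forward only http/https, imap/imaps, ssh and ntp from the shared network, drop and log everything else), written out as an added example that is not code from this thread or from NetworkManager. It assumes the internal side is eth1 and the internet side eth0 (placeholder names), uses MASQUERADE for the NAT step, and prints the rules instead of applying them unless IPT is set to iptables.

```shell
#!/bin/sh
# Added example: default-deny forwarding for connection sharing, forwarding
# only an allowlist of services from the internal interface to the internet
# side. Assumptions: IN_IF is the internal (ethY) interface, OUT_IF the
# internet-facing (ethX) one; IPT defaults to "echo iptables" so the rules
# are printed, not applied. Set IPT=iptables and run as root to apply them.

IPT="${IPT:-echo iptables}"

# Services forwarded by default: tcp http/https, imap/imaps, ssh; udp ntp.
TCP_PORTS="80 443 143 993 22"
UDP_PORTS="123"

gen_sharing_rules() {
    in_if="$1"   # internal network (to be NAT'ed)
    out_if="$2"  # internet-facing interface

    # Nothing is forwarded unless a rule below allows it.
    $IPT -P FORWARD DROP

    # Replies to connections the internal hosts opened are allowed back in.
    $IPT -A FORWARD -i "$out_if" -o "$in_if" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Only new connections to the allowlisted services leave the internal side.
    for p in $TCP_PORTS; do
        $IPT -A FORWARD -i "$in_if" -o "$out_if" -p tcp --dport "$p" \
            -m conntrack --ctstate NEW -j ACCEPT
    done
    for p in $UDP_PORTS; do
        $IPT -A FORWARD -i "$in_if" -o "$out_if" -p udp --dport "$p" \
            -m conntrack --ctstate NEW -j ACCEPT
    done

    # Log what gets dropped so refused connections can be surfaced to the user
    # (the "ask before allowing" choice can be built on top of these logs).
    $IPT -A FORWARD -i "$in_if" -o "$out_if" -j LOG --log-prefix "nm-share-drop: "

    # Source NAT for everything that was allowed through to the internet side.
    $IPT -t nat -A POSTROUTING -o "$out_if" -j MASQUERADE
}

gen_sharing_rules "${1:-eth1}" "${2:-eth0}"
```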


