Re: RFE: Connection Sharing
- From: "Nicolas \"Ikke\" Trangez" <eikke eikke com>
- To: Saikat Guha <saikat cs cornell edu>
- Cc: networkmanager-list gnome org
- Subject: Re: RFE: Connection Sharing
- Date: Mon, 28 Aug 2006 00:51:51 +0200
> If ethX is internet-facing and ethY is to be NAT'ed, perhaps
> a rule at the very top of the iptables chain that whitelists all traffic
> initiated from someone on ethY being routed to ethX should do the trick.
>
> iptables -I FORWARDING --in-interface ethY -j ACCEPT
> iptables -t nat -I POSTROUTING --out-interface ethX -j ACCEPT
Hmm.
>
> There is probably something more clever that can be done with marking
> the packets and routing them through a separate table with greater
> security for the box running NM from hostiles on the internal (ethY)
> network.
>
> (vaguely from memory)
>
> ... --in-interface -j MARK 0x10
> ip ro add ...
>
> If nothing else, we can likely make the assumption that if the user is
> requesting the device to NAT some internal network onto the internet, he
> trusts the internal network somewhat. The first two rules above with a
> warning might also be a good first stab.
I dont think you can just say 'the user will trust the internal network'. I think
at least when starting network sharing, you should give a choice: open
up everything, or ask before allowing connections (MAC, or even better
hostname based, when possible to get this hostname. mdns might be
useful).
Might be usefull to only allow certain "safe" connections by default
too, like http/https, imap/imaps, ssh, ntp,... I dont think there's any
need to allow P2P and other applications by default.
Nicolas
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]