I have a home network and an Ubuntu machine acting as a bridge. The home network uses the IP range 192.168.1.x. The bridge machine's eth0 interface is connected to the Internet; eth1 and wlan2 are connected to the home network.
I have the following iptables rule set:
*filter
:INPUT DROP [8215:416305]
-I INPUT -p tcp --dport 53 -j ACCEPT
-I INPUT -p udp --dport 53 -j ACCEPT
:FORWARD DROP [7:840]
:OUTPUT ACCEPT [491625:112606364]
-A INPUT -i wlan2 -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp -j REJECT --reject-with tcp-reset
-A INPUT -i eth0 -m state --state INVALID,NEW -j DROP
-A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
-A INPUT -s 127.0.0.1 -d 10.176.128.1 -j REJECT
-A FORWARD -i wlan2 -j ACCEPT
-A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
*mangle
:PREROUTING ACCEPT [321559:236814105]
:INPUT ACCEPT [295343:232451823]
:FORWARD ACCEPT [27130:5384293]
:OUTPUT ACCEPT [491625:112606364]
:POSTROUTING ACCEPT [522195:118153702]
COMMIT
Unfortunately, the output of iptables -L
shows the following:
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
REJECT tcp -- anywhere anywhere tcp reject-with tcp-reset
DROP all -- anywhere anywhere state INVALID,NEW
ACCEPT all -- 127.0.0.1 127.0.0.1
REJECT all -- 127.0.0.1 10.176.128.1 reject-with icmp-port-unreachable
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
I don't understand why I see
ACCEPT all -- anywhere anywhere
or why my internal network can suffer DoS attacks from the Internet.
Any suggestions?
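The following is an added example, not part of the question above and not the asker's own code. It feeds the INPUT/FORWARD rules from the question (embedded as constructed input) through a minimal parser for the iptables-save syntax used there, then renders each chain twice: once in the column layout of plain `iptables -L -n`, which omits the in/out interface columns, and once in the layout of `iptables -L -n -v`, which shows them. It also lists ACCEPT rules in INPUT that carry neither an input-interface nor a source-address match, since such rules apply to packets arriving on eth0 as well. The parser handles only the options that appear in the question's rule set (no `!` negation, no other match modules); rendering is an approximation of the real tool's output, not a reimplementation of it.

```python
"""Show which matches the plain `iptables -L` listing hides.

Added example: the rule text is the filter rule set quoted in the question,
embedded here as constructed input so the script runs offline. The parser
covers only the options that rule set uses.
"""
import shlex

RULES = """\
*filter
:INPUT DROP [8215:416305]
-I INPUT -p tcp --dport 53 -j ACCEPT
-I INPUT -p udp --dport 53 -j ACCEPT
:FORWARD DROP [7:840]
:OUTPUT ACCEPT [491625:112606364]
-A INPUT -i wlan2 -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp -j REJECT --reject-with tcp-reset
-A INPUT -i eth0 -m state --state INVALID,NEW -j DROP
-A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
-A INPUT -s 127.0.0.1 -d 10.176.128.1 -j REJECT
-A FORWARD -i wlan2 -j ACCEPT
-A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""

# Options that take exactly one argument, mapped to the rule field they fill.
# "-m" loads a match module and has no field of its own, but still takes an argument.
_OPTS = {"-p": "proto", "-i": "in_if", "-o": "out_if", "-s": "src", "-d": "dst",
         "--dport": "dport", "--sport": "sport", "--state": "state",
         "-j": "target", "--reject-with": "reject_with", "-m": None}


def parse_rules(text):
    """Return {chain: [rule, ...]} in final order, honouring -A (append at the
    end) and -I (insert at position 1), as iptables-restore would build them."""
    chains = {}
    for line in text.splitlines():
        if not line.startswith(("-A ", "-I ")):
            continue  # table headers, chain policies and COMMIT carry no rules
        toks = shlex.split(line)
        action, chain = toks[0], toks[1]
        rule = {"proto": "all", "in_if": "*", "out_if": "*",
                "src": "anywhere", "dst": "anywhere"}
        i = 2
        while i < len(toks):
            if toks[i] in _OPTS:
                field = _OPTS[toks[i]]
                if field is not None:
                    rule[field] = toks[i + 1]
                i += 2
            else:
                i += 1  # option without an argument (none in this rule set)
        lst = chains.setdefault(chain, [])
        lst.append(rule) if action == "-A" else lst.insert(0, rule)
    return chains


def render(rule, verbose):
    """One listing line in the style of `iptables -L -n` (verbose=False) or
    `iptables -L -n -v` (verbose=True). Without -v the in/out columns are
    dropped, so a rule that matches only on an interface collapses to
    'ACCEPT all -- anywhere anywhere'."""
    extra = []
    if "dport" in rule:
        extra.append(f"{rule['proto']} dpt:{rule['dport']}")
    if "state" in rule:
        extra.append(f"state {rule['state']}")
    if "reject_with" in rule:
        extra.append(f"reject-with {rule['reject_with']}")
    cols = [rule["target"], rule["proto"], "--"]
    if verbose:
        cols += [rule["in_if"], rule["out_if"]]
    cols += [rule["src"], rule["dst"]] + extra
    return " ".join(cols)


def unrestricted_accepts(chains, chain="INPUT"):
    """ACCEPT rules in `chain` with no input-interface and no source match:
    they admit traffic from every interface, the Internet-facing one included."""
    return [r for r in chains.get(chain, [])
            if r.get("target") == "ACCEPT"
            and r["in_if"] == "*" and r["src"] == "anywhere"]


if __name__ == "__main__":
    chains = parse_rules(RULES)
    for name, rules in chains.items():
        print(f"Chain {name}  (iptables -L -n   vs   iptables -L -n -v)")
        for r in rules:
            print(f"  {render(r, False):55s} | {render(r, True)}")
    print("\nINPUT ACCEPT rules with no interface/source restriction:")
    for r in unrestricted_accepts(chains):
        print("  " + render(r, True))
```

The two `-I` lines end up at the head of INPUT (the udp one first, because each `-I` goes above whatever was inserted before it), which matches the order in the listing the question shows; the three rules that carry only an `-i` match are the ones that print as `ACCEPT all -- anywhere anywhere` in the non-verbose column layout.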