SoHo - IPtables configuration example

1. We disable access via SSH port 22 from the outside world and hide SSH behind a custom port number, 13577, on the outer interface. The custom port is redirected via PREROUTING/DNAT to the standard port 22 on an internal interface. The second Ethernet interface should not be used for that, as we may shut it down or reconfigure it in the future. Loopback cannot be used directly, because the kernel refuses packets addressed to loopback that arrive on non-loopback interfaces for security purposes (it treats them as martians). We trick the kernel by creating the loopback alias shown above. Another solution would be to create such an alias on the primary Ethernet interface, but I have not tried that yet. Accessing port 22 on the outer address still works for clients on the server itself, while accessing 13577 does not work for them. I have not investigated this in detail, but it seems local clients are always routed via loopback.

2. OpenVPN is accepted on a non-standard port (e.g. 13578) and only on the outer interface.

3. The lines srcip=10.20.1.1/dports(80,443,8000,8080)=MASQUERADE;other=REJECT accept traffic from the Windows host to the outside world only on the ports specified, so that domain browsing and other specific protocols stay locked inside the kiosk.

4. The OFL chain is experimental. It was intended to improve the X-Lite behaviour, but that has not been achieved yet.
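The following script is an added example, not the page's own ruleset, that implements notes 1 to 3 with plain iptables. The interface names (eth0 outer, eth1 kiosk side), the loopback alias address 10.255.255.1 and the dry-run wrapper are assumptions; the ports 13577, 13578 and 80/443/8000/8080 and the kiosk host 10.20.1.1 are taken from the notes. Nothing is applied unless you run it as root with IPT=iptables IP=ip SYSCTL=sysctl; by default it only prints the commands so the ruleset can be reviewed first.

```shell
#!/bin/sh
# Added example: SoHo iptables ruleset for notes 1-3. Dry run by default.
IPT="${IPT:-echo iptables}"
IP="${IP:-echo ip}"
SYSCTL="${SYSCTL:-echo sysctl}"

OUT_IF="${OUT_IF:-eth0}"             # outer (Internet-facing) interface, assumed name
LAN_IF="${LAN_IF:-eth1}"             # second Ethernet, kiosk side, assumed name
LO_ALIAS="${LO_ALIAS:-10.255.255.1}" # loopback alias address (lo:0), assumed; not in 127/8
SSH_HIDDEN_PORT=13577                # public SSH port (note 1)
SSH_PORT=22
OVPN_PORT=13578                      # OpenVPN port (note 2)
KIOSK_HOST=10.20.1.1                 # Windows kiosk host (note 3)
KIOSK_PORTS=80,443,8000,8080         # only outbound TCP ports allowed for it (note 3)

# The alias on lo is what makes DNAT to a "loopback" address legal: a non-127/8
# address on lo is an ordinary local address, so packets to it from eth0 are not martians.
setup_host() {
    $IP addr add "$LO_ALIAS/32" dev lo label lo:0
    $SYSCTL -w net.ipv4.ip_forward=1
}

build_rules() {
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Note 1: 13577 on the outer interface is DNATed to port 22 on the loopback alias.
    # Only the DNATed flow (destination = alias) is accepted; port 22 on the outer
    # address itself is dropped, so sshd is never reachable on 22 from outside.
    $IPT -t nat -A PREROUTING -i "$OUT_IF" -p tcp --dport "$SSH_HIDDEN_PORT" -j DNAT --to-destination "$LO_ALIAS:$SSH_PORT"
    $IPT -A INPUT -i "$OUT_IF" -p tcp -d "$LO_ALIAS" --dport "$SSH_PORT" -m state --state NEW -j ACCEPT
    $IPT -A INPUT -i "$OUT_IF" -p tcp --dport "$SSH_PORT" -j DROP

    # Note 2: OpenVPN only on its non-standard port and only on the outer interface.
    $IPT -A INPUT -i "$OUT_IF" -p udp --dport "$OVPN_PORT" -j ACCEPT

    # Note 3: the kiosk may leave only on the listed TCP ports (masqueraded);
    # everything else it tries to send out is rejected, so SMB/domain browsing stays inside.
    $IPT -A FORWARD -i "$LAN_IF" -o "$OUT_IF" -s "$KIOSK_HOST" -p tcp -m multiport --dports "$KIOSK_PORTS" -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$OUT_IF" -s "$KIOSK_HOST" -p tcp -m multiport --dports "$KIOSK_PORTS" -j MASQUERADE
    $IPT -A FORWARD -i "$LAN_IF" -s "$KIOSK_HOST" -j REJECT
}

setup_host
build_rules
```

The ordering in INPUT matters: the ACCEPT for the DNATed flow is matched on the alias address, so the unconditional DROP of port 22 on the outer interface that follows it only ever hits connections aimed at the real outer address. On kernels from 3.6 onwards the documented alternative to the alias trick is net.ipv4.conf.all.route_localnet=1, which allows DNAT straight to 127.0.0.0/8; the alias approach has the advantage of working on older kernels without relaxing that check.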