Is it insecure to use the following iptables rule for NAT?

Ryan asked:

I want to set up a VPN server for personal use, so I followed the blog article [1], and it works like a charm.

The only thing I am wondering is whether the iptables rule is secure, e.g.

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

I have only one public interface, eth0. Are there any risks in using the rule above?

Elsewhere, I have seen alternative iptables rules, e.g.

1.

sudo iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE

2.

iptables -A FORWARD -i ppp+ -o eth0 -s 192.168.0.0/24 -d 192.168.0.0/24 -j ACCEPT
iptables -A FORWARD -o ppp+ -i eth0 -s 192.168.0.0/24 -d 192.168.0.0/24 -j ACCEPT

3.

iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -p gre -j ACCEPT

iptables -A FORWARD -s 192.168.1.0/24 -j ACCEPT
iptables -A FORWARD -d 192.168.1.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE

So, is my original rule secure?

Thanks.

[1] http://blog.riobard.com/2011/11/12/pptp-vpn-on-ubuntu/

My answer:

You’re using PPTP, so it’s already insecure.

As for the masquerade rule, that’s required to implement NAT, and you wouldn’t be able to access public Internet addresses without it.
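
The bare rule in the question masquerades every forwarded packet that leaves eth0, whichever interface it arrived on; what limits NAT to the VPN clients is the -s match on the POSTROUTING rule and the FORWARD chain, as in the alternatives the question lists. The script below is an added example written for this page, not code from the Server Fault post or from the linked blog article. It prints a source-scoped rule set for review before it is applied, and includes a small check that can be run over the output of iptables-save to spot MASQUERADE rules that carry no -s match. The client subnet 192.168.0.0/24, the ppp+ interface pattern and eth0 as the only public interface are assumptions taken from the question; the iptables-save excerpts are constructed, not captured from anyone's server, and the PPTP INPUT rules (tcp/1723 and GRE) are deliberately left out because they are a separate concern.

```shell
#!/bin/sh
# Added example for this page (not from the Server Fault post or the blog).
# Assumed: VPN clients are in 192.168.0.0/24 on ppp+ interfaces, eth0 is the
# only public interface, and net.ipv4.ip_forward=1 is set separately.

# Print a source-scoped NAT/forwarding rule set, one command per line, so it
# can be reviewed (or diffed against the current rules) before it is applied.
vpn_nat_rules() {
    subnet="$1"   # VPN client subnet, e.g. 192.168.0.0/24
    wan="$2"      # public interface, e.g. eth0
    vpnif="$3"    # VPN interface pattern, e.g. ppp+
    cat <<EOF
iptables -P FORWARD DROP
iptables -A FORWARD -i $vpnif -o $wan -s $subnet -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $wan -o $vpnif -d $subnet -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s $subnet -o $wan -j MASQUERADE
EOF
}

# Read iptables-save style text on stdin and succeed only if every MASQUERADE
# rule carries a -s match; any unscoped MASQUERADE rule makes it fail.
# Usage on a live box (as root): iptables-save -t nat | check_masquerade_scoped
check_masquerade_scoped() {
    n=$(grep -- '-j MASQUERADE' | grep -vc -- ' -s ' || true)
    [ "$n" -eq 0 ]
}

# Constructed iptables-save excerpts (assumed content, not captured anywhere):
# the question's bare rule, and the source-scoped variant.
SAMPLE_UNSCOPED='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'
SAMPLE_SCOPED='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
COMMIT'

# Review the generated rules; apply them as root with
#   vpn_nat_rules 192.168.0.0/24 eth0 ppp+ | sh
vpn_nat_rules 192.168.0.0/24 eth0 ppp+

# Flag the bare rule from the question.
printf '%s\n' "$SAMPLE_UNSCOPED" | check_masquerade_scoped \
    || echo "unscoped MASQUERADE rule found: every forwarded packet leaving eth0 is NATed"
printf '%s\n' "$SAMPLE_SCOPED" | check_masquerade_scoped \
    && echo "all MASQUERADE rules are source-scoped"
```

Setting the FORWARD policy to DROP before adding the two ACCEPT rules is what makes the -s match meaningful: with the default ACCEPT policy, the host forwards for anyone who can route packets through it, and the POSTROUTING rule then masquerades that traffic too.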


View the full question and answer on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.