[PLUG] Firewall Suggestions?

AthlonRob athlonrobnf at cs.com
Sat Jun 22 05:45:52 UTC 2002


>Unfortunately, since I have always done my firewalls by hand, I don't know
>how good any of the firewall programs are.  I have heard some good things
>about bastille, but have no first hand knowledge.  One little warning,
>from the configuration programs/scripts I have seen in the past, I think
>in most cases, you really need to take the time to understand firewalls to
>use these scripts safely and effectively, otherwise most of them will
>allow you to configure a firewall which is wide open.

Well, I've spent the day dinkin' around with this derned thing.  I must
say... I'm getting a little bit scared.  A few things have actually made
sense!  =O

I'm using the script from the IPMasq Howto document... 'Hard Firewall' ...
I've been able to modify it so I can open ports at will, but cannot close
them without running the whole script again.  To open the ports, I just run:

iptables -A INPUT -i eth1 -p tcp --dport <port> -j ACCEPT

...but had to disable logging (removed all references to drop-and-log-it)...
so am not totally sure what that does to me security-wise.  Just testing
from the laptop it seemed to have no effect but to disable logging.

I cut out all the useless comments in the interests of bandwidth saving.  I
appreciate all the links people have provided... but after looking through
them all, I think doing it myself is better, at least for me.  :-)

What do you guys think?  Will it be relatively secure from people logged on
to the server opening up servers to the Internet?  I'm still looking into
how I might log any attack attempts, if I ever see any... if it's impossible
to do with what I have here, please holler.  <g>  (the drop-and-log-it
things have all been commented out.  If I uncomment them, I get logging but
cannot open ports manually after the script has been run)

IPTABLES=/usr/sbin/iptables
LSMOD=/sbin/lsmod
DEPMOD=/sbin/depmod
INSMOD=/sbin/insmod
GREP=/bin/grep
AWK=/usr/bin/awk
SED=/usr/bin/sed
IFCONFIG=/sbin/ifconfig
EXTIF="eth1"
INTIF="eth0"
EXTIP="192.168.4.1"
INTNET="192.168.1.0/24"
INTIP="192.168.1.2/24"
UNIVERSE="0.0.0.0/0"
$DEPMOD -a
$INSMOD ip_tables
$INSMOD ip_conntrack
$INSMOD ip_conntrack_ftp
$INSMOD ip_conntrack_irc
$INSMOD iptable_nat
$INSMOD ip_nat_ftp
echo "1" > /proc/sys/net/ipv4/ip_forward
$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT DROP
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -F -t nat
#$IPTABLES -F drop-and-log-it
$IPTABLES -X
$IPTABLES -Z
#$IPTABLES -N drop-and-log-it
#$IPTABLES -A drop-and-log-it -j LOG --log-level info
#$IPTABLES -A drop-and-log-it -j DROP
$IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
$IPTABLES -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT
#$IPTABLES -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j drop-and-log-it
$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state \
ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -A INPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it
$IPTABLES -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT
#$IPTABLES -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j drop-and-log-it
$IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT
#$IPTABLES -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state \
ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
#$IPTABLES -A FORWARD -j drop-and-log-it
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP


Any input from y'all would be appreciated.  :-)

--
Rob
Running Slackware 8.1
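Added example, not part of Rob's post or the IPMasq HOWTO: a small sh wrapper that keeps the drop-and-log-it chain enabled and still lets ports be opened and closed at will. The reason the two did not coexist in the script above is that the last INPUT rule is the catch-all `-j drop-and-log-it`, and `iptables -A INPUT` appends after it, so a later ACCEPT is never reached. The wrapper keeps per-service ACCEPT rules in their own user chain (here named SERVICES, an assumed name) that INPUT consults before the catch-all; `-D` with the same match removes a rule again. The LOG target writes to the kernel log, which syslogd delivers to /var/log/messages on a stock Slackware box, so dropped packets on eth1 become the "attack attempt" log the post asks about. Variable names and interface follow the posted script; `fake_iptables` in the usage note is a stand-in for dry runs.

```shell
#!/bin/sh
# Added example (not from the original post): service-port management
# on top of the poster's rule set, with logging left switched on.
#
# IPTABLES and EXTIF default to the posted script's values; override them
# in the environment (e.g. IPTABLES=some_printing_function) to dry-run.

IPTABLES="${IPTABLES:-/usr/sbin/iptables}"
EXTIF="${EXTIF:-eth1}"
SERVICES_CHAIN="SERVICES"   # assumed chain name, not from the HOWTO

# Create the logging chain and hook SERVICES into INPUT *before* the
# catch-all, so rules appended to SERVICES later are still evaluated.
# Call this once, after the posted script has flushed and rebuilt INPUT.
setup_chains() {
    $IPTABLES -N drop-and-log-it
    # Rate-limit the LOG rule so a flood cannot fill the syslog partition.
    $IPTABLES -A drop-and-log-it -m limit --limit 5/min \
        -j LOG --log-level info --log-prefix "FW-DROP: "
    $IPTABLES -A drop-and-log-it -j DROP

    $IPTABLES -N "$SERVICES_CHAIN"
    # New connections arriving on the external interface consult SERVICES...
    $IPTABLES -A INPUT -i "$EXTIF" -m state --state NEW -j "$SERVICES_CHAIN"
    # ...and anything SERVICES did not accept is logged and dropped.
    $IPTABLES -A INPUT -j drop-and-log-it
}

# open_port <tcp|udp> <port>: append an ACCEPT to SERVICES (never to INPUT).
open_port() {
    $IPTABLES -A "$SERVICES_CHAIN" -i "$EXTIF" -p "$1" --dport "$2" -j ACCEPT
}

# close_port <tcp|udp> <port>: -D deletes the first rule with this exact
# match, so no re-run of the whole script is needed.
close_port() {
    $IPTABLES -D "$SERVICES_CHAIN" -i "$EXTIF" -p "$1" --dport "$2" -j ACCEPT
}

# show_ports: list SERVICES with numbers, handy before a close_port.
show_ports() {
    $IPTABLES -L "$SERVICES_CHAIN" -n --line-numbers
}

# Usage (as root, after the posted script):
#   . ./fw-services.sh; setup_chains; open_port tcp 22; close_port tcp 22
```

Because every service rule lives in SERVICES and the chain is reached only for NEW packets on $EXTIF, a process listening on the box still cannot be reached from the Internet unless someone with root runs open_port for it; unprivileged logins cannot change the rule set at all, which is the property the post asks about.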