[PLUG] Firewall Suggestions?
AthlonRob
athlonrobnf at cs.com
Sat Jun 22 05:45:52 UTC 2002
>Unfortunately, since I have always done my firewalls by hand, I don't know
>how good any of the firewall programs are. I have heard some good things
>about bastille, but have no first hand knowledge. One little warning,
>from the configuration programs/scripts I have seen in the past, I think
>in most cases, you really need to take the time to understand firewalls to
>use these scripts safely and effectively, otherwise most of them will
>allow you to configure a firewall which is wide open.
Well, I've spent the day dinkin' around with this derned thing. I must
say... I'm getting a little bit scared. A few things have actually made
sense! =O
I'm using the script from the IPMasq Howto document... 'Hard Firewall' ...
I've been able to modify it so I can open ports at will, but cannot close
them without running the whole script again. To open the ports, I just run:
iptables -A INPUT -i eth1 -p tcp --dport <port> -j ACCEPT
...but had to disable logging (removed all references to drop-and-log-it)...
so am not totally sure what that does to me security-wise. Just testing
from the laptop it seemed to have no effect but to disable logging.
I cut out all the useless comments in the interests of bandwidth saving. I
appreciate all the links people have provided... but after looking through
them all, I think doing it myself is better, at least for me. :-)
What do you guys think? Will it be relatively secure from people logged on
to the server opening up servers to the Internet? I'm still looking into
how I might log any attack attempts, if I ever see any... if it's impossible
to do with what I have here, please holler. <g> (the drop-and-log-it
things have all been commented out. If I uncomment them, I get logging but
cannot open ports manually after the script has been run)
# Paths to the tools the script calls
IPTABLES=/usr/sbin/iptables
LSMOD=/sbin/lsmod
DEPMOD=/sbin/depmod
INSMOD=/sbin/insmod
GREP=/bin/grep
AWK=/usr/bin/awk
SED=/usr/bin/sed
IFCONFIG=/sbin/ifconfig

# Interfaces and addresses: eth1 faces the Internet, eth0 faces the LAN
EXTIF="eth1"
INTIF="eth0"
EXTIP="192.168.4.1"
INTNET="192.168.1.0/24"
INTIP="192.168.1.2/24"
UNIVERSE="0.0.0.0/0"

# Load the netfilter modules, including the FTP and IRC connection-tracking
# helpers, so that RELATED matches work for those protocols
$DEPMOD -a
$INSMOD ip_tables
$INSMOD ip_conntrack
$INSMOD ip_conntrack_ftp
$INSMOD ip_conntrack_irc
$INSMOD iptable_nat
$INSMOD ip_nat_ftp

# Turn on routing between the two interfaces
echo "1" > /proc/sys/net/ipv4/ip_forward

# Set the default policy of every built-in chain to DROP before flushing it,
# so there is no window during a reload in which traffic is accepted by default
$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT DROP
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -F -t nat
#$IPTABLES -F drop-and-log-it
$IPTABLES -X        # delete all (now empty) user-defined chains
$IPTABLES -Z        # zero the packet and byte counters

# User-defined chain that logs a packet to syslog and then drops it
#$IPTABLES -N drop-and-log-it
#$IPTABLES -A drop-and-log-it -j LOG --log-level info
#$IPTABLES -A drop-and-log-it -j DROP

# INPUT: traffic addressed to the firewall box itself
# Loopback and anything arriving from the LAN side is accepted
$IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
$IPTABLES -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT
# A packet arriving on the Internet interface with a LAN source address is spoofed
#$IPTABLES -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j drop-and-log-it
# From the Internet, only packets belonging to a connection that is already
# being tracked (replies to something the firewall itself started)
$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state \
 ESTABLISHED,RELATED -j ACCEPT
# Catch-all: log and drop everything else. iptables walks a chain top to
# bottom, so any rule appended later with -A lands after this line and is
# never reached; a rule added at runtime has to go above it with -I instead
#$IPTABLES -A INPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it

# OUTPUT: traffic originated by the firewall box itself
$IPTABLES -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT
# Packets for the LAN must never leave via the Internet interface
#$IPTABLES -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j drop-and-log-it
$IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT
#$IPTABLES -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it

# FORWARD: traffic routed between the LAN and the Internet
# Inbound only for connections the LAN started; outbound is allowed freely
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED \
 -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
#$IPTABLES -A FORWARD -j drop-and-log-it

# Masquerade: rewrite the source address of everything leaving via the Internet interface
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP
Any input from y'all would be appreciated. :-)
--
Rob
Running Slackware 8.1
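An added example, not part of Rob's post or of the IPMasq HOWTO script: a small POSIX sh wrapper showing one way to keep the drop-and-log-it catch-all in place and still open and close ports after the main script has run. Runtime ACCEPT rules go into their own user chain that INPUT jumps to before the catch-all, so they are evaluated first no matter when they were added, and a port is closed with -D using the identical rule specification. The chain name open-ports, the FW-DROP: log prefix, the rate-limit values and the DRY_RUN switch (which prints each iptables command instead of running it) are assumptions made for this example; the interface defaults to eth1 as in the script above.

```shell
#!/bin/sh
# Added example (not Rob's script): keep a logging catch-all in INPUT and still
# open/close ports at runtime. The chain name "open-ports", the "FW-DROP: "
# log prefix and the DRY_RUN switch are assumptions made for this example.

IPTABLES=${IPTABLES:-/usr/sbin/iptables}
EXTIF=${EXTIF:-eth1}
DYN_CHAIN=open-ports

# Run iptables, or just print the command when DRY_RUN is set. The dry-run
# mode lets the rule logic be inspected (and tested) without root or netfilter.
fw() {
    if [ -n "$DRY_RUN" ]; then
        echo "iptables $*"
    else
        "$IPTABLES" "$@"
    fi
}

# Accept only a decimal port number in 1..65535; refuse anything else so a
# typo or a stray word can never be spliced into an iptables command line.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# One-time setup, run from the main firewall script after the chains have been
# flushed. The jump to the dynamic chain is appended *before* the catch-all, so
# everything added to open-ports later is evaluated first: iptables walks a
# chain top to bottom and stops at the first terminating target.
fw_setup() {
    fw -N drop-and-log-it
    # Rate-limit the LOG rule so a flood cannot fill syslog; the DROP is not limited.
    fw -A drop-and-log-it -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-level info --log-prefix "FW-DROP: "
    fw -A drop-and-log-it -j DROP
    fw -N "$DYN_CHAIN"
    fw -A INPUT -i "$EXTIF" -j "$DYN_CHAIN"
    fw -A INPUT -i "$EXTIF" -j drop-and-log-it
}

# Open a TCP port to the Internet. Appending to the dynamic chain instead of
# to INPUT keeps the new rule ahead of drop-and-log-it, and matching only NEW
# packets leaves reply traffic to the ESTABLISHED,RELATED rule.
open_port() {
    valid_port "$1" || { echo "open_port: bad port '$1'" >&2; return 1; }
    fw -A "$DYN_CHAIN" -p tcp --dport "$1" -m state --state NEW -j ACCEPT
}

# Close it again. -D removes the first rule whose specification matches
# exactly, so the argument list must be identical to the one used to open it.
close_port() {
    valid_port "$1" || { echo "close_port: bad port '$1'" >&2; return 1; }
    fw -D "$DYN_CHAIN" -p tcp --dport "$1" -m state --state NEW -j ACCEPT
}
```

Source the file from the firewall script and call fw_setup once; open_port and close_port can then be run from a root shell at any time without re-running the whole script. Dropped packets are logged through the kernel LOG target with the FW-DROP: prefix, which makes them easy to pick out of syslog with grep, and the limit match caps the log lines at a few per minute so a port scan cannot fill the disk.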