Firewall

Marc Wiriadisastra strikeforce at iinet.net.au
Thu Aug 4 01:15:57 UTC 2005


On Wed, 2005-08-03 at 16:55 -0400, Frank Hale wrote:
> > Do you have to set up a firewall or is it set up automatically? 
> 
> Firestarter is a GUI that configures iptables, it's pretty easy to
> use. There is also fwbuilder but it looked a little more complex.
> Configuring a firewall correctly from my experience is not quite as
> easy on Linux as it is on Windows, especially with regards to writing
> iptables rules manually. In fact I absolutely loathe messing with
> iptables rules, it's just a huge turn off considering the amount of
> complexity that it has.
> 
With a more complete program you can do more.  Ease of use doesn't
necessarily mean it will work well.

I'll post a snippet of my iptables script that I have on my fedora
server.

//////////////////////////
#!/bin/sh

# stop the Fedora iptables service (flushes and deletes the existing chains)
service iptables stop

#echo "Modules loaded"
#modprobe ip_nat_ftp
#modprobe ip_nat_tftp
#modprobe ip_nat_irc
#modprobe ip_conntrack
#modprobe ip_conntrack_ftp
#modprobe ip_conntrack_tftp
#modprobe ip_conntrack_irc


echo "Flush Firewall"
iptables -F
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
# delete user-defined chains as well, so the -N lines below cannot fail on a re-run
iptables -X
iptables -t nat -F PREROUTING
iptables -t nat -F POSTROUTING

echo "Implementing standard rules"
# default deny for inbound traffic; forwarding and outbound stay open
iptables -P INPUT DROP
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

echo "internal ranges accepted"
# INTERNAL handles traffic arriving on the LAN interface (eth1)
iptables -N INTERNAL
iptables -A INTERNAL -s 192.168.0.0/24 -j ACCEPT
# LOG is non-terminating: anything not from the LAN is logged, loopback
# is then accepted and everything else falls back to the INPUT DROP policy
iptables -A INTERNAL -j LOG --log-level 7
iptables -A INTERNAL -s 127.0.0.1 -j ACCEPT

echo "external ranges denied on local ip ranges"
# EXTERNAL handles traffic arriving on the dial-up interface (ppp0):
# private, multicast and loopback source addresses cannot legitimately
# come from the Internet, so they are dropped as spoofed
iptables -N EXTERNAL
iptables -A EXTERNAL -s 10.0.0.0/8 -j DROP
# the RFC 1918 block is 172.16.0.0/12 (172.16.0.0 - 172.31.255.255);
# the original /16 only covered 172.16.x.x
iptables -A EXTERNAL -s 172.16.0.0/12 -j DROP
iptables -A EXTERNAL -s 192.168.0.0/16 -j DROP
iptables -A EXTERNAL -s 224.0.0.0/4 -j DROP
iptables -A EXTERNAL -s 127.0.0.0/8 -j DROP
# one trusted external host is let in unconditionally
iptables -A EXTERNAL -s 202.72.161.190 -j ACCEPT

echo "ports allowed through"
iptables -A EXTERNAL -p tcp --dport 6000 -m state --state NEW -j ACCEPT
# replies to connections started from inside, plus related ones (e.g. ftp-data)
iptables -A EXTERNAL -m state --state ESTABLISHED,RELATED -j ACCEPT
echo "ssh on a different port"
iptables -A EXTERNAL -p tcp --dport 1577 -m state --state NEW -j ACCEPT
iptables -A EXTERNAL -p tcp --dport 25 -m state --state NEW -j ACCEPT
iptables -A EXTERNAL -p udp --dport 25 -m state --state NEW -j ACCEPT
echo "Web"
iptables -A EXTERNAL -p tcp --dport 80 -m state --state NEW -j ACCEPT
echo "IRC"
iptables -A EXTERNAL -p tcp --dport 6667:6668 -m state --state NEW -j ACCEPT
echo "Forwarding takes place"
# explicit FORWARD rules for LAN hosts; the FORWARD policy above is already
# ACCEPT, so these only take effect if that policy is changed to DROP
iptables -A FORWARD -p tcp -i eth0 -d 192.168.0.104 --dport 65535 -j ACCEPT
iptables -A FORWARD -p udp -i eth0 -d 192.168.0.104 --dport 65535 -j ACCEPT
#iptables -A FORWARD -p tcp -i eth0 -d 192.168.0.104 --dport 6883 -j ACCEPT
iptables -A FORWARD -p tcp -i eth0 -d 192.168.0.254 --dport 5005 -j ACCEPT

echo "Redirecting all the packets"
# hand each interface's inbound traffic to its own chain; loopback is always accepted
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth1 -j INTERNAL
iptables -A INPUT -i ppp0 -j EXTERNAL
# persist the rules to /etc/sysconfig/iptables and reload them through the service
service iptables save
service iptables start
echo "done and loaded"
////////////////////////////

If you look at it closely it looks like English.  All that is done is at
the very bottom renaming what is going on.  e.g. ppp0 goes to the
EXTERNAL or rules.  eth1 goes to internal and lo automatically jumps to
accept.  That's a basic script.

If you want it to be even more featured you start marking packets
leaving and make it qos based which is hard but once completed very very
helpful.

HTH

Marc
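The same per-interface design (a chain for the LAN interface, a chain for the dial-up interface, loopback accepted, default DROP on INPUT) written as an added example that is not Marc's script: instead of running one iptables command per rule, it generates the whole ruleset in iptables-restore syntax so the kernel loads it atomically, and it checks the generated text before it is ever loaded. The anti-spoof list covers the full RFC 1918 ranges plus link-local, loopback, multicast and the unused 0/8 and 240/4 blocks. The interface names, the 192.168.0.0/24 LAN and the ports are assumptions taken from the post; the stateful match uses the current conntrack syntax rather than the older -m state.

```shell
#!/bin/sh
# Added example, not the script from the post. Generates an iptables-restore
# ruleset for a two-interface gateway and sanity-checks it before loading.
# Interface names, LAN range and ports are assumptions matching the post.
LAN_IF=${LAN_IF:-eth1}
WAN_IF=${WAN_IF:-ppp0}
LAN_NET=${LAN_NET:-192.168.0.0/24}
SSH_PORT=${SSH_PORT:-1577}

# Source ranges that must never arrive on the WAN interface (spoofed/bogon).
martians() {
    printf '%s\n' 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16 \
        127.0.0.0/8 224.0.0.0/4 0.0.0.0/8 240.0.0.0/4
}

# Emit the filter table in iptables-restore syntax (one atomic load).
ruleset() {
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo ':INTERNAL - [0:0]'
    echo ':EXTERNAL - [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo "-A INPUT -i $LAN_IF -j INTERNAL"
    echo "-A INPUT -i $WAN_IF -j EXTERNAL"
    # LAN side: only the LAN range is trusted; anything else is logged (rate
    # limited so a flood cannot fill the log) and dropped explicitly.
    echo "-A INTERNAL -s $LAN_NET -j ACCEPT"
    echo '-A INTERNAL -m limit --limit 5/min -j LOG --log-prefix "LAN-SPOOF: " --log-level 7'
    echo '-A INTERNAL -j DROP'
    # WAN side: drop spoofed sources first, then allow replies, then services.
    for net in $(martians); do
        echo "-A EXTERNAL -s $net -j DROP"
    done
    echo '-A EXTERNAL -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo '-A EXTERNAL -m conntrack --ctstate INVALID -j DROP'
    for port in "$SSH_PORT" 25 80; do
        echo "-A EXTERNAL -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo '-A EXTERNAL -m limit --limit 5/min -j LOG --log-prefix "WAN-DROP: " --log-level 7'
    echo 'COMMIT'
}

# Number of anti-spoof DROP rules generated for the WAN chain.
count_martian_rules() {
    ruleset | grep -c -- '^-A EXTERNAL -s .* -j DROP'
}

# Structural checks on the generated text: default deny on INPUT, a COMMIT,
# the full 172.16/12 block present, and the ESTABLISHED rule ordered before
# the first NEW rule (otherwise every reply packet is re-evaluated).
check_ruleset() {
    rs=$(ruleset)
    echo "$rs" | grep -q '^:INPUT DROP' || return 1
    echo "$rs" | grep -q '^COMMIT$' || return 1
    echo "$rs" | grep -q -- '-s 172.16.0.0/12 -j DROP' || return 1
    est=$(echo "$rs" | grep -n 'ESTABLISHED' | head -n 1 | cut -d: -f1)
    new=$(echo "$rs" | grep -n -- '--ctstate NEW' | head -n 1 | cut -d: -f1)
    [ -n "$est" ] && [ -n "$new" ] && [ "$est" -lt "$new" ]
}

# Usage: ./gateway-fw.sh > /etc/sysconfig/iptables && iptables-restore < /etc/sysconfig/iptables
# Nothing is loaded here; the ruleset is only printed after it passes the checks.
check_ruleset && ruleset
```

Writing the rules to a file and loading them with iptables-restore means a typo in one rule fails the whole load rather than leaving the box half-configured with some rules applied and others not, and the generated file can be diffed and reviewed before it touches the kernel.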