
Setting up a Linux Firewall

20 years 8 months ago #2962 by Chris
Nubs,

I can't agree with you that a firewall is useless if you're running services with holes etc., simply because with IPTables, and just like every other serious firewall package, you can deny access to specific services/ports - blocking all connections to these specified ports and services.

Your suggestion about installing and compiling the kernel for IPTables support is excellent and one which I will seriously consider for the topic!!!

Cheers,

Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx
20 years 8 months ago #2968 by Cheetah
Hi

WoW a firewall.cx doku on ipTables. Chris, I expect that cool unique lovely diagrams a lot in this too.

I am becoming too impatient to read it.

I totally agree with Chris, every time you read thru an ipTables doku, you find all new ways & ideas.

Regards
Cheetah

Kind Regards,
Cheetah
The outcome of devotion is, quality!
20 years 8 months ago #2977 by sahirh
*pulls out a shotgun*.. who said something about recompiling the kernel ? You're making fun of me aren't you ! Fancy having the audacity to do that while the mortal remains of my RH9 box are still on my hard disk (R.I.P)... recompiling to 2.6 was problematic.. just about everyone had some problems.. I lost my box in the process and I've resigned myself to waiting for some distro to come out based on 2.6

As far as IPtables is concerned.. Mr.Partsenidis is our resident expert on the subject.. I just emailed him yesterday on how to setup some NAT using it.. however I'm ploughing my way through and I've built a couple of test configurations at home that work beautifully. It's incredibly simple once you get the hang of its syntax.

As far as running other services on the firewall is concerned.. Chris is 100% right.. you'd set up your default DROP rules in IPtables so nothing can even reach those services.. I still wouldn't have them running simply because I like each server to be strictly role based (you'll never see an SQL server on my DC).. also you'll reap performance benefits if you shut down unneeded services.. free up some RAM and CPU time.. which may be needed if the firewall has lots of rules and traffic to handle...

Chris, if you're keen on it we can write the iptables tutorial together.. I have a couple of neat tricks up my sleeve as well.

Oh yeah and even I write them all in shell scripts.. define variables such as INTERNAL_INTERFACE, EXTERNAL_INTERFACE, INTERNAL_NET, EXTERNAL_NET, HTTP_SERVERS etc at the start of the script, and then use those variables later on in the script.. that way say you have to add another web server.. you don't have to modify every single rule.. you just change it in the HTTP_SERVERS variable at the start.

Ok that may not have made sense.. we'll get working on that document :)

Btw will someone explain why I see IPtables documents online that use targets like REJECT and DENY ?? I have the latest version and it only gives me ACCEPT and DROP... there is no REJECT target

Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
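An added example (my own, not a script from the thread or from Firewall.cx) of the variable-driven layout sahirh describes above: the interface names, the internal network and the list of web servers are set once at the top and every rule is generated from them, so adding a web server means editing HTTP_SERVERS rather than touching each rule. The interface names and addresses are constructed for the example; the default policies are DROP, so nothing reaches a service on the firewall or behind it unless a rule explicitly allows it. By default the script only prints the iptables commands it would run (IPT defaults to "echo iptables"); run it as root with IPT=iptables to actually load the rules.

```shell
#!/bin/sh
# Added example: variable-driven iptables script (not from the thread).
# Dry run by default; set IPT=iptables and run as root to apply.
IPT="${IPT:-echo iptables}"

# Site-specific values, defined once (constructed sample values)
INTERNAL_INTERFACE=eth1
EXTERNAL_INTERFACE=eth0
INTERNAL_NET=192.168.1.0/24
HTTP_SERVERS="192.168.1.10 192.168.1.11"   # add a web server here, nowhere else
ADMIN_HOST=192.168.1.5                     # only host allowed to SSH to the firewall

build_rules() {
    # Start from a clean table and default everything to DROP, so a service
    # with holes is unreachable unless a rule below opens it.
    $IPT -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback and replies to connections we already track
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Anti-spoofing: internal addresses never arrive on the external interface
    $IPT -A INPUT -i "$EXTERNAL_INTERFACE" -s "$INTERNAL_NET" -j DROP
    $IPT -A FORWARD -i "$EXTERNAL_INTERFACE" -s "$INTERNAL_NET" -j DROP

    # Management of the firewall itself: SSH from the admin host on the inside only
    $IPT -A INPUT -i "$INTERNAL_INTERFACE" -s "$ADMIN_HOST" -p tcp --dport 22 -j ACCEPT

    # The LAN may go out through the firewall
    $IPT -A FORWARD -i "$INTERNAL_INTERFACE" -o "$EXTERNAL_INTERFACE" -s "$INTERNAL_NET" -j ACCEPT

    # Each web server is reachable from outside on port 80 only; one rule per
    # entry in HTTP_SERVERS, so the list is the only thing to maintain.
    for server in $HTTP_SERVERS; do
        $IPT -A FORWARD -i "$EXTERNAL_INTERFACE" -o "$INTERNAL_INTERFACE" \
             -p tcp -d "$server" --dport 80 -m state --state NEW -j ACCEPT
    done
}

# Returns how many port-80 rules the current HTTP_SERVERS list produces,
# which is a quick sanity check that the list and the rules agree.
count_http_rules() {
    build_rules | grep -c -- '--dport 80'
}

build_rules
```

In a dry run the output is the exact command list that would be loaded, which is convenient for review before applying it; afterwards `iptables -L -n -v` shows the loaded rules with packet counters. Note that this filter set only covers forwarding and access to the firewall; NAT for the web servers would be a separate set of rules in the nat table.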
20 years 8 months ago #2979 by Chris
Sahir, you're in on the IPTables tutorial! I'll take you up on that offer!

Concerning the Reject and Deny statements, they were used in IPChains, and as you correctly pointed out, the DROP statement is now used in IPTables.

When it comes to configuring IPTables, I've never really got used to the idea of using variables in the script, though I must admit, it can make your life incredibly easier, but as you know, I always try to make my life harder:)

As such, I only use the common commands available by IPTables, so if you take a look at one of my scripts they contain nothing but the parameters IPtables can use. I save them into a file and then call that file in rc.local - so that it is executed upon startup.

Of course, I am not saying the above is the best way to write your script as it can become very difficult for someone who hasn't read it before to understand what's happening - but I sometimes prefer it that way :wink:


Whichever the case, all I want to point out is that - IPTables rock- !

Cheers,

Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx
20 years 8 months ago #2980 by sahirh
DROP just drops silently right ? whereas REJECT used to send back an ICMP message right ??

Another way to make your rules start on startup is to type all the rules and then run
iptables-save > /etc/sysconfig/iptables

then reboot and see if your rules got applied by running

iptables -L

This works on a Redhat 9 box and a Mandrake 9.1 box for those interested.

Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
20 years 8 months ago #2983 by Neon
Yep that’s right sahirh, my history with using IPChains then IPTables a DROP is a stealthed port and a REJECT is a closed port :)

hum iptables for windows anyone ? :wink:
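As an added example, not from the thread, this is what the file written by `iptables-save > /etc/sysconfig/iptables` (sahirh's persistence method above) looks like, with one DROP rule and two REJECT rules side by side to show Neon's stealthed-versus-closed distinction in the actual syntax. The addresses, ports and interface are constructed; the `#` comment lines are mine (iptables-save does not write comments, but iptables-restore ignores them). REJECT is provided by the ipt_REJECT module and, with `--reject-with`, answers with a chosen ICMP error or a TCP RST; without the option it sends ICMP port-unreachable. The file is reloaded with `iptables-restore < /etc/sysconfig/iptables`, which is what the Red Hat init script does at boot.

```text
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Stealthed: the packet vanishes, the sender sees a timeout and learns nothing
-A INPUT -i eth0 -p tcp -m tcp --dport 23 -j DROP
# Closed: an immediate TCP RST, exactly what a host with nothing listening would send
-A INPUT -i eth0 -p tcp -m tcp --dport 113 -j REJECT --reject-with tcp-reset
# Closed for UDP: ICMP port-unreachable (the default when --reject-with is omitted)
-A INPUT -i eth0 -p udp -m udp --dport 161 -j REJECT --reject-with icmp-port-unreachable
COMMIT
```

The ident/auth port (113) is the usual case where REJECT with tcp-reset is preferable to DROP: remote mail and IRC servers probe it before accepting a connection, and a dropped probe makes them wait for a timeout while a reset lets them proceed immediately. The counters in brackets are restored as given, so a saved file with `[0:0]` starts every chain at zero.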