it's a start

Story: Linux Server Administration: Basic Linux Firewalls
Total Replies: 7
Author Content
tuxchick

Mar 04, 2008
9:32 AM EDT
I wish the sample script had been more complete; it left out iptables modules. iptables is a complex beast, but not beyond the ken of ordinary mortals. It just takes a bit of study and practice. It's Red Hat and Fedora and their extended family that use 'service iptables save', and I don't recommend using that anyway. Unless you're some kind of xTreme iptables guru, it's easier and safer to write your rules in a script from the start, instead of entering them on the command line, because it's easier to see and edit them in a script. My own preference is to use a universal iptables script, instead of the various distribution-specific tools that make iptables "easier." To me they just gum up the works without being helpful.

This is an example of an Internet-connection sharing iptables firewall for a Linux-based broadband gateway/router with a dynamic WAN address. It accepts necessary ICMP messages (never block ping!), allows unrestricted outbound traffic, and allows only established sessions inbound.

#!/bin/sh
##/usr/local/bin/fw_nat
#iptables firewall script for sharing
#broadband Internet, with no public services

#define variables
ipt="/sbin/iptables"
mod="/sbin/modprobe"
LAN_IFACE="eth0"
WAN_IFACE="eth1"

#basic set of kernel modules
$mod ip_tables
$mod ip_conntrack
$mod iptable_filter
$mod iptable_nat
$mod iptable_mangle
$mod ipt_LOG
$mod ipt_limit
$mod ipt_state
$mod ipt_MASQUERADE

#add these for IRC and FTP
$mod ip_nat_ftp
$mod ip_nat_irc
$mod ip_conntrack_ftp
$mod ip_conntrack_irc

# Flush all active rules and delete all custom chains
$ipt -F
$ipt -t nat -F
$ipt -t mangle -F
$ipt -X
$ipt -t nat -X
$ipt -t mangle -X

#Set default policies
$ipt -P INPUT DROP
$ipt -P FORWARD DROP
$ipt -P OUTPUT ACCEPT
$ipt -t nat -P OUTPUT ACCEPT
$ipt -t nat -P PREROUTING ACCEPT
$ipt -t nat -P POSTROUTING ACCEPT
$ipt -t mangle -P PREROUTING ACCEPT
$ipt -t mangle -P POSTROUTING ACCEPT

#this line is necessary for the loopback interface
#and internal socket-based services to work correctly
$ipt -A INPUT -i lo -j ACCEPT

#Enable IP masquerading
$ipt -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE

#Enable unrestricted outgoing traffic, incoming
#is restricted to locally-initiated sessions only
$ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$ipt -A FORWARD -i $WAN_IFACE -o $LAN_IFACE -m state --state \
ESTABLISHED,RELATED -j ACCEPT
$ipt -A FORWARD -i $LAN_IFACE -o $WAN_IFACE -m state --state \
NEW,ESTABLISHED,RELATED -j ACCEPT

# Accept important ICMP messages
$ipt -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
$ipt -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
$ipt -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT

#Reject connection attempts not initiated from inside the LAN
$ipt -A INPUT -p tcp --syn -j DROP

I like to use /etc/sysctl.conf to control kernel parameters, though that's just a matter of preference. They could go in your iptables script instead:

net.ipv4.ip_forward = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.accept_source_route = 0
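
An added example, not part of the post above: a presence check over an iptables-save dump for the policy that script sets up (default DROP on INPUT and FORWARD, loopback accepted, established-only inbound, ping accepted). The sample dump is constructed, audit_ruleset and sample_dump are hypothetical helper names, and rule order is not evaluated.

```shell
#!/bin/sh
# Added example: presence audit (not rule order) of an iptables-save dump.

# Constructed sample dump (eth0 = LAN, eth1 = WAN, as in the post's variables).
sample_dump() {
cat <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
COMMIT
EOF
}

# audit_ruleset WAN_IFACE (dump on stdin): one finding per line, or "OK".
audit_ruleset() {
    awk -v wan="$1" '
        /^\*/                { table = substr($0, 2); next }
        table != "filter"    { next }
        /^:(INPUT|FORWARD) / { policy[substr($1, 2)] = $2; next }
        /^-A INPUT -i lo -j ACCEPT/ { lo = 1 }
        /^-A INPUT / && /ESTABLISHED/ && !/NEW/ && /-j ACCEPT/ { est = 1 }
        /^-A INPUT / && /--icmp-type (8|echo-request) / && /-j ACCEPT/ { ping = 1 }
        # Traffic entering on the WAN side may only be forwarded for
        # ESTABLISHED,RELATED; NEW or a missing state match exposes the LAN.
        /^-A FORWARD / && /-j ACCEPT/ && index($0, "-i " wan " ") &&
            (/NEW/ || !/--state/) { print "FORWARD admits new sessions from " wan; n++ }
        END {
            if (policy["INPUT"] != "DROP")   { print "INPUT policy is not DROP"; n++ }
            if (policy["FORWARD"] != "DROP") { print "FORWARD policy is not DROP"; n++ }
            if (!lo)   { print "no loopback ACCEPT rule on INPUT"; n++ }
            if (!est)  { print "no ESTABLISHED,RELATED ACCEPT rule on INPUT"; n++ }
            if (!ping) { print "echo-request is not accepted on INPUT"; n++ }
            if (!n) print "OK"
        }'
}

sample_dump | audit_ruleset eth1                               # prints OK
sample_dump | sed -e 's/^:FORWARD DROP/:FORWARD ACCEPT/' -e '/-i lo /d' | audit_ruleset eth1
```

On a live gateway the same function can be fed the output of iptables-save instead of the constructed dump.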
gus3

Mar 04, 2008
9:52 AM EDT
@tc:

And when you finished hacking that script together, you baked 400 cookies and replaced an engine block, with time left over to balance your checkbook. Right?
tuxchick

Mar 04, 2008
10:14 AM EDT
gus3, I baked those cookies on the engine block. Idling at 833 RPMs kept it at a perfect 350 degrees.
Steven_Rosenber

Mar 04, 2008
10:45 AM EDT
Try the intake manifold for more even heating.
techiem2

Mar 04, 2008
10:48 AM EDT
My boss seems to like pure iptables and editing the tables (redhat servers usually). I'm a Shorewall fan myself.
tuxchick

Mar 04, 2008
2:33 PM EDT
I thought the intake manifold was for making nice grill marks.

Shorewall is great, though I don't think it's very much easier than raw nekked iptables.
herzeleid

Mar 04, 2008
3:02 PM EDT
I have used my own iptables script for years - it somewhat resembles the example from tc, but with odd appendages added over the years. I recently discovered I could import my active firewall rules into the standard webmin firewall module, and use that. No other tool I've found has been able to import my config and run with it, so webmin gets extra points.

I've looked at shorewall and it just seemed to be just another new configuration syntax to learn, and really didn't offer a compelling reason to change.
tuxtom

Mar 04, 2008
4:12 PM EDT
Quoting: I've looked at shorewall and it just seemed to be just another new configuration syntax to learn, and really didn't offer a compelling reason to change.
That was my observation after giving it a whirl. Just as easy to create an "rc.firewall" script per example. Also, there is a lot to be said for knowing how secure your system is without iptables. If you have a bunch of unnecessary services running on open ports you really need to be looking at those first. Most distros load up a bunch of stuff you might not want or need.

I've learned to run sshd on an obscure port and permanently drop route anyone who attempts to connect to 22. Also set up the need to authenticate via a perl cgi-script to add a hosts.allow entry to get myself in on the obscure port. Works like a charm.
