Securing eth1 with IPTABLES
Akshay Lamba
alamba-KEM+DXFYpnDQT0dZR+AlfA at public.gmane.org
Tue Mar 23 15:46:00 UTC 2004
David, have you looked into installing shorewall and using that to
configure iptables via webmin? Makes adding rules real simple.
Regards,
Akshay
-----Original Message-----
From: owner-tlug-lxSQFCZeNF4 at public.gmane.org [mailto:owner-tlug at ss.org] On Behalf Of David
Kreuter
Sent: Tuesday, March 23, 2004 7:43 PM
To: tlug-lxSQFCZeNF4 at public.gmane.org
Subject: Re: [TLUG]: Securing eth1 with IPTABLES
I lifted these commands pretty much straight out of the RH9 Linux Bible,
Chapter 16.
Entered by hand.
I'm trying to protect the linux machine which is on the 24.x.x.x network
and exposed.
I do not want any uninvited packets to do damage to my linux host. My
linux host is acting as a router, replacing a windows machine that was
providing the same function.
The router linux machine has two networks, 24.x.x.x and 192.168.1.0.
The 192. net has 5-6 machines on it including the linux host.
Thanks.
David
Madison Kelly wrote:
> See my notes within the quoted message:
>
> David Kreuter wrote:
>
>> Madison et al thank you for your help. Here is the output as
>> requested from
>> iptables-save:
>>
>> # Generated by iptables-save v1.2.7a on Mon Mar 22 19:46:40 2004
>> *filter
>> :INPUT ACCEPT [448733:27854874]
>> :FORWARD ACCEPT [0:0]
>> :OUTPUT ACCEPT [447020:26108052]
>> -A FORWARD -s 192.168.1.0/255.255.255.0 -j ACCEPT
>
> - Good, lets everything out (note that no more outbound rules will
> match because no packet will pass this rule.)
>
>> -A FORWARD -d 192.168.1.0/255.255.255.0 -j ACCEPT
>
> - BAD! Here you say to let everything destined for your internal
> subnet in. You may as well have no firewall at this point. No other
> rules added after this will work because no inbound packets will go
> past this rule (they all match and are ACCEPTed.)
>
>> -A FORWARD -s ! 192.168.1.0/255.255.255.0 -j DROP
>
> - I can't think of a logical reason for this.
>
>> -A FORWARD -s 192.168.1.0/255.255.255.0 -j ACCEPT
>
> - You repeated the first FORWARD rule
>
>> -A FORWARD -d 192.168.1.0/255.255.255.0 -j ACCEPT
>
> - Duplicate of the second rule...
>
>> -A FORWARD -s ! 192.168.1.0/255.255.255.0 -j DROP
>
> - Again, unsure why this is here...
>
>> -A FORWARD -p tcp -j LOG --log-level 6
>
> - This rule will never be matched because any packet would have
> stopped traversing the FORWARD chain as soon as it hit one of the first
> two all-encompassing rules.
>
>> -A FORWARD -p tcp -j LOG --log-prefix "Forward info" --log-level 6
>
> - ditto. Put these BEFORE any rule would match.
>
>> COMMIT
>> # Completed on Mon Mar 22 19:46:40 2004
>> # Generated by iptables-save v1.2.7a on Mon Mar 22 19:46:40 2004
>> *nat
>> :PREROUTING ACCEPT [105414:5087474]
>> :POSTROUTING ACCEPT [6102:366228]
>> :OUTPUT ACCEPT [6288:377744]
>> -A POSTROUTING -o eth1 -j MASQUERADE
>> -A POSTROUTING -o eth1 -j MASQUERADE
>
> - Why twice?
>
>> COMMIT
>> # Completed on Mon Mar 22 19:46:40 2004
>
>
> If you are writing this out via a shell script, can you post it? Also
> recap what you want to do. I'll see if I can whip up a script for you
> over lunch tomorrow at work.
>
> Madison
>
> --
> The Toronto Linux Users Group. Meetings: http://tlug.ss.org
> TLUG requests: Linux topics, No HTML, wrap text below 80 columns
> How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
>
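An added example, not from anyone in this thread: a small first-match simulator for the FORWARD chain David posted, showing why the LOG rules never fire and why anything addressed to the LAN is accepted, followed by the same rules reordered as Madison suggests. The sample packets and the 24.0.0.1 address are constructed; the simulator only models source, destination and protocol, not connection state.

```python
import ipaddress

INTERNAL = ipaddress.ip_network("192.168.1.0/24")

def rule(src=None, dst=None, neg_src=False, proto=None, target="ACCEPT"):
    """One FORWARD rule: src/dst are networks or None ('any')."""
    return dict(src=src, dst=dst, neg_src=neg_src, proto=proto, target=target)

def matches(r, pkt):
    src, dst, proto = pkt
    if r["src"] is not None:
        in_src = ipaddress.ip_address(src) in r["src"]
        if in_src == r["neg_src"]:      # "-s ! net" inverts the test
            return False
    if r["dst"] is not None and ipaddress.ip_address(dst) not in r["dst"]:
        return False
    return r["proto"] is None or r["proto"] == proto

def walk(chain, pkt, policy="ACCEPT"):
    """First-match traversal. LOG is non-terminating; ACCEPT/DROP end the walk.
    Returns (verdict, index of the terminating rule or None, LOG hits)."""
    logged = []
    for i, r in enumerate(chain):
        if matches(r, pkt):
            if r["target"] == "LOG":
                logged.append(i)
                continue
            return r["target"], i, logged
    return policy, None, logged

# The FORWARD chain exactly as posted (duplicates kept).
POSTED = [
    rule(src=INTERNAL),                                  # 0: everything out
    rule(dst=INTERNAL),                                  # 1: everything in (!)
    rule(src=INTERNAL, neg_src=True, target="DROP"),     # 2
    rule(src=INTERNAL),                                  # 3: dup of 0
    rule(dst=INTERNAL),                                  # 4: dup of 1
    rule(src=INTERNAL, neg_src=True, target="DROP"),     # 5: dup of 2
    rule(proto="tcp", target="LOG"),                     # 6: never reached
    rule(proto="tcp", target="LOG"),                     # 7: never reached
]
# Reordered: LOG first, duplicates and the accept-all-inbound rule removed.
# A real router also needs an ESTABLISHED,RELATED accept so replies to
# outbound connections get back in; connection state is not modelled here.
REORDERED = [
    rule(proto="tcp", target="LOG"),
    rule(src=INTERNAL),
    rule(src=INTERNAL, neg_src=True, target="DROP"),
]
# Constructed sample packets: one from outside to the LAN, one the other way.
INBOUND = ("24.0.0.1", "192.168.1.10", "tcp")
OUTBOUND = ("192.168.1.5", "24.0.0.1", "tcp")
```

Running `walk(POSTED, INBOUND)` shows the packet accepted by rule 1 with no LOG hit, while `walk(REORDERED, INBOUND)` logs it at rule 0 and drops it at rule 2.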