Securing eth1 with IPTABLES
Madison Kelly
linux-5ZoueyuiTZhBDgjK7y7TUQ at public.gmane.org
Tue Mar 23 17:55:38 UTC 2004
Eh, I won't be one to comment on other docs, what do I know? I can point
you to my talk though which has a sample firewall and some info on
setting up firewalls and how they work. Others have pointed out bugs so
it isn't perfect but I think it is good enough to help you get a
firewall doing what you want. Here are the PDF and SXW copies:
http://thelinuxexperience.com/whitepapers/TLE-WhitePaper_Netfilter-v1.1.pdf
http://thelinuxexperience.com/whitepapers/TLE-WhitePaper_Netfilter-v1.1.sxw
Hope that helps.
Madison
David Kreuter wrote:
> I lifted these commands pretty much straight out of the RH9 Linux Bible
> Chapter 16.
> Entered by hand.
> I'm trying to protect the linux machine which is on the 24.x.x.x network
> and exposed.
> I do not want any uninvited packets to do damage to my linux host. My
> linux host is
> acting as a router, replacing a windows machine that was providing the
> same function.
> The router linux machine has two networks, 24.x.x.x. and 192.168.1.0.
> The 192. net has 5 - 6 machines on it including the linux host.
> Thanks.
> David
>
> Madison Kelly wrote:
>
>> See my notes within the quoted message:
>>
>> David Kreuter wrote:
>>
>>> Madison et al thank you for your help. Here is the output as
>>> requested from
>>> iptables-save:
>>>
>>> # Generated by iptables-save v1.2.7a on Mon Mar 22 19:46:40 2004
>>> *filter
>>> :INPUT ACCEPT [448733:27854874]
>>> :FORWARD ACCEPT [0:0]
>>> :OUTPUT ACCEPT [447020:26108052]
>>> -A FORWARD -s 192.168.1.0/255.255.255.0 -j ACCEPT
>>
>>
>> - Good, lets everything out (note that no more outbound rules will
>> match because no packet will pass this rule.)
>>
>>> -A FORWARD -d 192.168.1.0/255.255.255.0 -j ACCEPT
>>
>>
>> - BAD! Here you say to let everything destined for your internal
>> subnet in. You may as well have no firewall at this point. No other
>> rules added after this will work because no inbound packets will go
>> past this rule (they all match and are ACCEPTed.)
>>
>>> -A FORWARD -s ! 192.168.1.0/255.255.255.0 -j DROP
>>
>>
>> - I can't think of a logical reason for this.
>>
>>> -A FORWARD -s 192.168.1.0/255.255.255.0 -j ACCEPT
>>
>>
>> - You repeated the first FORWARD rule
>>
>>> -A FORWARD -d 192.168.1.0/255.255.255.0 -j ACCEPT
>>
>>
>> - Duplicate of the second rule...
>>
>>> -A FORWARD -s ! 192.168.1.0/255.255.255.0 -j DROP
>>
>>
>> - Again, unsure why this is here...
>>
>>> -A FORWARD -p tcp -j LOG --log-level 6
>>
>>
>> - This rule will never be matched because any packet would have
>> stopped traversing the FORWARD chain as soon as it hit one of the first
>> two all-encompassing rules.
>>
>>> -A FORWARD -p tcp -j LOG --log-prefix "Forward info" --log-level 6
>>
>>
>> - ditto. Put these BEFORE any rule would match.
>>
>>> COMMIT
>>> # Completed on Mon Mar 22 19:46:40 2004
>>> # Generated by iptables-save v1.2.7a on Mon Mar 22 19:46:40 2004
>>> *nat
>>> :PREROUTING ACCEPT [105414:5087474]
>>> :POSTROUTING ACCEPT [6102:366228]
>>> :OUTPUT ACCEPT [6288:377744]
>>> -A POSTROUTING -o eth1 -j MASQUERADE
>>> -A POSTROUTING -o eth1 -j MASQUERADE
>>
>>
>> - Why twice?
>>
>>> COMMIT
>>> # Completed on Mon Mar 22 19:46:40 2004
>>
>>
>>
>> If you are writing this out via a shell script, can you post it? Also
>> recap what you want to do. I'll see if I can whip up a script for you
>> over lunch tomorrow at work.
>>
>> Madison
--
The Toronto Linux Users Group. Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
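The thread's critique boils down to rule order: in a netfilter chain the first matching terminating rule wins, so an early `-d 192.168.1.0/24 -j ACCEPT` in FORWARD lets every inbound packet through and shadows the LOG and DROP rules that follow it. The script below is an added example, not the poster's ruleset or anything from the linked whitepaper. It generates a corrected ruleset for the two-interface router described in the thread in `iptables-restore` format rather than calling `iptables` directly, so the output can be reviewed before it is loaded. It takes eth1 as the external interface and 192.168.1.0/24 as the LAN from the thread; the internal interface name `eth0` is an assumption. Logging rules are placed first (before any terminating rule), replies are matched statefully, new connections are only allowed from the LAN side, and MASQUERADE appears once.

```shell
#!/bin/sh
# Added example: emit a corrected ruleset for the router from the thread.
# Assumptions: eth1 = external (from the thread), eth0 = internal (assumed),
# LAN = 192.168.1.0/24 (from the thread).
LAN_NET="192.168.1.0/24"
WAN_IF="eth1"
LAN_IF="eth0"

# filter table: default-deny for INPUT and FORWARD, logging before any
# terminating rule so it can never be shadowed the way it was in the original.
gen_filter() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Log new TCP connection attempts crossing the router; this must sit before
# any ACCEPT/DROP, otherwise matched packets never reach it.
-A FORWARD -p tcp --syn -j LOG --log-prefix "FWD new tcp: " --log-level 6
# Replies to connections already tracked (in either direction).
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# New connections are only allowed from the LAN towards the Internet.
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m state --state NEW -j ACCEPT
# Anything else (new inbound from the Internet) falls to the DROP policy.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT
-A INPUT -j LOG --log-prefix "IN dropped: " --log-level 6
COMMIT
EOF
}

# nat table: a single MASQUERADE rule, restricted to traffic from the LAN.
gen_nat() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
COMMIT
EOF
}

gen_rules() { gen_filter; gen_nat; }

# Sanity checks on the generated text, the kind a reviewer runs before loading:
# how many lines contain a given pattern (0 is a valid answer, so no error exit).
count_rule() { gen_rules | grep -c -- "$1" || true; }

# Target of the first FORWARD rule; it should be LOG, not a terminating target.
first_forward_target() {
    gen_rules | grep -- '^-A FORWARD' | head -n 1 | sed 's/.*-j \([A-Z]*\).*/\1/'
}

# Running the script prints the ruleset; load it with: sh rules.sh | iptables-restore
gen_rules
```

The `-m state` match and `--syn` are available in the iptables 1.2.x line shown in the thread and still work on current kernels. Dropping the policy to DROP means any service the LAN needs reachable from outside has to be added explicitly with a `NEW` rule in FORWARD, which is the intended effect of "no uninvited packets".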