Firewall configuration for Fedora 16

Andrei Dimitrief-Jianu andrei.dimitrief.jianu-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Sat Jun 2 18:45:14 UTC 2012


@William

Definitely a good idea to break the LOG rule into two (and to log the local
traffic as well)... the log files revealed the ports that need to be
opened.

DROP LOCAL IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=65 TOS=0x00 PREC=0x00 TTL=64 ID=60569 DF PROTO=UDP SPT=50260 DPT=53 LEN=45
DROP LOCAL IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=7439 DF PROTO=TCP SPT=35069 DPT=631 WINDOW=32792 RES=0x00 SYN URGP=0 OPT (0204400C0402080AFFFC83160000000001030307)
DROP LOCAL IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=35891 DF PROTO=TCP SPT=55455 DPT=4713 WINDOW=32792 RES=0x00 SYN URGP=0 OPT (0204400C0402080AFFFC24AD0000000001030307)

The default policy for the chains is set to DROP, so I had to let the
packets through:

$IPTABLES -A INPUT -i lo -p udp --dport 53 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
$IPTABLES -A INPUT -i lo -p tcp --dport 631 --syn -m state --state NEW -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
$IPTABLES -A INPUT -i lo -p tcp --dport 4713 --syn -m state --state NEW -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT

$IPTABLES -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o lo -p tcp --dport 631 --syn -m state --state NEW -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
$IPTABLES -A OUTPUT -o lo -p tcp --dport 4713 --syn -m state --state NEW -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT

The login was local, and in order to be as restrictive as possible I allow
only packets from 127.0.0.1.

@Lennart, @Neil, @Ben

I will look into using shorewall and cfengine as well. However, I prefer
the raw tools.

Thanks!



On Fri, Jun 1, 2012 at 8:12 PM, Ben Walton <bdwalton-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org> wrote:

> > With a little work I was even able to manage Shorewall with Cfengine
> > including check live rules.
>
> I build my files dynamically based on lookups from dyndns services and
> then distribute the results with cfengine.  This lets clients roam
> around and have the access to various systems open up for them by
> simply updating a dynamic registration.  It's pretty slick.
>
> Thanks
> -Ben
> --
>
> ---------------------------------------------------------------------------------------------------------------------------
> Ben Walton <bdwalton-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org>
>
> Take the risk of thinking for yourself.  Much more happiness,
> truth, beauty and wisdom will come to you that way.
>
> -Christopher Hitchens
>
> ---------------------------------------------------------------------------------------------------------------------------
> --
> The Toronto Linux Users Group.      Meetings: http://gtalug.org/
> TLUG requests: Linux topics, No HTML, wrap text below 80 columns
> How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
>
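Added example (not code from the post or the thread): a small Python script that parses iptables LOG lines like the "DROP LOCAL" ones above and derives the per-port loopback ACCEPT rules that were written by hand in the post. It assumes the LOG rule for loopback traffic used --log-prefix "DROP LOCAL " and that only 127.0.0.1-to-127.0.0.1 traffic is meant to be opened; the sample input is the three lines from the post, rejoined to one line each as the kernel log holds them.

```python
import re

# Constructed sample input: the three "DROP LOCAL" lines from the post, each
# rejoined to a single line.  "DROP LOCAL " is assumed to be the --log-prefix.
SAMPLE_LOG = """\
DROP LOCAL IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=65 TOS=0x00 PREC=0x00 TTL=64 ID=60569 DF PROTO=UDP SPT=50260 DPT=53 LEN=45
DROP LOCAL IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=7439 DF PROTO=TCP SPT=35069 DPT=631 WINDOW=32792 RES=0x00 SYN URGP=0 OPT (0204400C0402080AFFFC83160000000001030307)
DROP LOCAL IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=35891 DF PROTO=TCP SPT=55455 DPT=4713 WINDOW=32792 RES=0x00 SYN URGP=0 OPT (0204400C0402080AFFFC24AD0000000001030307)
"""

LOG_PREFIX = "DROP LOCAL "
FIELD_RE = re.compile(r"(\w+)=(\S*)")   # KEY=VALUE pairs; "OUT=" keeps an empty value


def parse_log_line(line):
    """Split one iptables LOG line into its KEY=VALUE fields (flags such as DF,
    SYN and OPT (...) carry no "=" and are skipped; the later LEN= wins)."""
    return dict(FIELD_RE.findall(line))


def derive_loopback_rule(fields):
    """Map one dropped loopback packet to the ACCEPT rule that would pass it.
    Anything that is not TCP/UDP from 127.0.0.1 to 127.0.0.1 over lo yields None,
    so external traffic never turns into an allow rule by accident."""
    if fields.get("SRC") != "127.0.0.1" or fields.get("DST") != "127.0.0.1":
        return None
    if fields.get("PROTO") not in ("TCP", "UDP"):   # e.g. ICMP has no DPT=
        return None
    if fields.get("IN") == "lo":          # arrived on lo: INPUT chain
        chain, iface = "INPUT", "-i lo"
    elif fields.get("OUT") == "lo":       # leaving via lo: OUTPUT chain
        chain, iface = "OUTPUT", "-o lo"
    else:
        return None
    proto = fields["PROTO"].lower()
    rule = f"-A {chain} {iface} -p {proto} --dport {fields['DPT']}"
    if proto == "tcp":
        # Only the connection-opening packet needs its own rule; the rest of the
        # flow is expected to match an ESTABLISHED,RELATED rule earlier in the chain.
        rule += " --syn -m state --state NEW"
    return rule + " -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT"


def rules_from_log(text):
    """Derive the distinct loopback ACCEPT rules, in first-seen order, from LOG output."""
    rules = []
    for line in text.splitlines():
        if LOG_PREFIX in line:
            rule = derive_loopback_rule(parse_log_line(line))
            if rule and rule not in rules:
                rules.append(rule)
    return rules
```

Each generated rule still deserves a look at what is actually listening on that port (631 is CUPS/IPP, 4713 is the PulseAudio native protocol) before it is prefixed with $IPTABLES and loaded.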