Setting up a Linux Firewall
20 years 1 month ago #2977
by sahirh
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
Replied by sahirh on topic Re: Setting up a Linux Firewall
*pulls out a shotgun*.. who said something about recompiling the kernel ? You're making fun of me aren't you ! Fancy having the audacity to do that while the mortal remains of my RH9 box are still on my hard disk (R.I.P)... recompiling to 2.6 was problematic.. just about everyone had some problems.. I lost my box in the process and I've resigned myself to waiting for some distro to come out based on 2.6
As far as IPtables is concerned.. Mr.Partsenidis is our resident expert on the subject.. I just emailed him yesterday on how to setup some NAT using it.. however I'm ploughing my way through and I've built a couple of test configurations at home that work beautifully. Its incredibly simple once you get the hang of its syntax.
As far as running other services on the firewall is concerned.. Chris is 100% right.. you'd setup your default DROP rules in IPtables so nothing can even reach those services.. I still wouldn't have them running simply because I like each server to be strictly role based (you'll never see an SQL server on my DC).. also you'll reap performance benefits if you shut down unneeded services.. free up some RAM and CPU time.. which may be needed if the firewall has lots of rules and traffic to handle...
Chris, if you're keen on it we can write the iptables tutorial together.. I have a couple of neat tricks up my sleeve as well.
Oh yeah and even I write them all in shell scripts.. define variables such as INTERNAL_INTERFACE, EXTERNAL_INTERFACE, INTERNAL_NET, EXTERNAL_NET, HTTP_SERVERS etc at the start of the script, and then use those variables later on in the script.. that way say you have to add another web server.. you dont have to modify every single rule.. you just change it in the HTTP_SERVERS variable at the start.
Ok that may not have made sense.. we'll get working on that document
Btw will someone explain why I see IPtables documents online that use targets like REJECT and DENY ?? I have the latest version and it only gives me ACCEPT and DROP... there is no REJECT target
As far as IPtables is concerned.. Mr.Partsenidis is our resident expert on the subject.. I just emailed him yesterday on how to setup some NAT using it.. however I'm ploughing my way through and I've built a couple of test configurations at home that work beautifully. Its incredibly simple once you get the hang of its syntax.
As far as running other services on the firewall is concerned.. Chris is 100% right.. you'd setup your default DROP rules in IPtables so nothing can even reach those services.. I still wouldn't have them running simply because I like each server to be strictly role based (you'll never see an SQL server on my DC).. also you'll reap performance benefits if you shut down unneeded services.. free up some RAM and CPU time.. which may be needed if the firewall has lots of rules and traffic to handle...
Chris, if you're keen on it we can write the iptables tutorial together.. I have a couple of neat tricks up my sleeve as well.
Oh yeah and even I write them all in shell scripts.. define variables such as INTERNAL_INTERFACE, EXTERNAL_INTERFACE, INTERNAL_NET, EXTERNAL_NET, HTTP_SERVERS etc at the start of the script, and then use those variables later on in the script.. that way say you have to add another web server.. you dont have to modify every single rule.. you just change it in the HTTP_SERVERS variable at the start.
Ok that may not have made sense.. we'll get working on that document
Btw will someone explain why I see IPtables documents online that use targets like REJECT and DENY ?? I have the latest version and it only gives me ACCEPT and DROP... there is no REJECT target
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
20 years 1 month ago #2979
by Chris
Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx
Replied by Chris on topic Re: Setting up a Linux Firewall
Sahir, your in on the IPTables tutorial! I'll take you up on that offer!
Concerning the Reject and Deny statements, they were used in IPChains, and as you correctly pointed out, the DROP statement is now used in IPTables.
When it comes to configuring IPTables, I've never really got use to the idea of using variables in the script, though I must admit, it can make your life incredibly easier, but as you know, I always try to make my life harder:)
As such, I only use the common commands available by IPTables, so if you take a look at one of my scripts they contain nothing but the parameters IPtables can use. I save them into a file and then call that file in rc.local - so that it is executed upon startup.
Of course, I am not saying the above is the best way to write your script as it can become very difficult for someone who hasnt read it before to understand what's happening - but I sometimes preffer it that way
Whichever the case, all I want to point out is that - IPTables rock- !
Cheers,
Concerning the Reject and Deny statements, they were used in IPChains, and as you correctly pointed out, the DROP statement is now used in IPTables.
When it comes to configuring IPTables, I've never really got use to the idea of using variables in the script, though I must admit, it can make your life incredibly easier, but as you know, I always try to make my life harder:)
As such, I only use the common commands available by IPTables, so if you take a look at one of my scripts they contain nothing but the parameters IPtables can use. I save them into a file and then call that file in rc.local - so that it is executed upon startup.
Of course, I am not saying the above is the best way to write your script as it can become very difficult for someone who hasnt read it before to understand what's happening - but I sometimes preffer it that way
Whichever the case, all I want to point out is that - IPTables rock- !
Cheers,
Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx
Time to create page: 0.154 seconds